Salesloft disclosed that hackers gained access to its GitHub account as early as March, leading to a massive supply-chain attack that compromised hundreds of organizations in August. The threat group, tracked as UNC6395 by Google, spent months lurking in Salesloft's systems before accessing Drift's AWS environment and stealing OAuth tokens to infiltrate customer data.
The company took Drift offline Friday and rotated security credentials, but many questions remain unanswered. Salesloft hasn't explained how attackers initially accessed GitHub or obtained the OAuth tokens. Security analysts criticize the company's lack of transparency, with some suggesting Drift's reputation may be permanently damaged by the breach.
Source: CyberScoop