Salesloft, an AI company, confirmed that its systems were compromised in March through a GitHub account, resulting in a significant data breach impacting numerous major organizations.  

According to initial results from a Mandiant-led probe, published by Salesloft, hackers maintained access to the company’s GitHub account from March through June. 

“With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows,” the company explained in a new notice to customers on Saturday. 

For months, the attacker probed both Salesloft’s application environments and those of Drift, the AI chatbot company acquired by Salesloft in 2023. Drift’s platform, which is often linked with external systems to track customer interactions, ties into data stored in Salesforce. 

Investigators at Mandiant reported that the hacker accessed Drift’s AWS environment, stealing authentication tokens for customers’ tech integrations—providing a pathway into sensitive customer data. 

Salesloft responded to the breach by isolating Drift’s infrastructure, shutting it down temporarily, rotating the compromised credentials, and implementing other safeguards. 

“Based on the Mandiant investigation, the findings support the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review,” Salesloft said. 

Salesloft said Sunday that its platform’s integration with Salesforce is back online. Salesforce had suspended the link last week when news of the breach first emerged. 

New victims come forward 

Executives at major firms including Cloudflare, Zscaler, and Palo Alto Networks shared blog posts last week describing the effects of the incident. 

In the last six days, companies including Nutanix, Elastic, Cato Networks, Tenable, Rubrik, and Proofpoint acknowledged they were impacted by the data breaches. 

On Friday, Canadian online investment platform Wealthsimple disclosed that hackers accessed customer data including government IDs, account numbers, Social Insurance numbers, birth dates, and contact details. The company stressed that no funds were stolen and the breach was contained within hours. 

According to victim companies, hackers mainly accessed support ticket data stored in Salesloft Drift. Several organizations cautioned that customer-provided information, including logs, tokens, or passwords, may now be compromised. Others reported that the breach exposed business contact details and Salesforce-linked records, such as names, work email addresses, phone numbers, and location data.