
Security Firms Hit by Salesforce–Salesloft Drift Breach

Cybersecurity firms Cloudflare, Palo Alto Networks, and Zscaler on Tuesday confirmed that their Salesforce instances were hacked as part of the Salesforce-Salesloft Drift data theft campaign disclosed last week.

Between August 8 and August 18, hackers used compromised OAuth tokens belonging to the third-party AI chatbot Salesloft Drift to export large volumes of data from the Salesforce instances of hundreds of organizations.

Attributed to a threat actor tracked as UNC6395 by Google and GRUB1 by Cloudflare, the campaign was aimed at extracting credentials and other sensitive information, including AWS access keys, passwords, and Snowflake-related access tokens.

The campaign was disclosed on August 26 and resulted in Salesforce disabling all integrations with Salesloft, which is taking Drift offline to review it and enhance its resilience.

While initial reports suggested that only organizations that used the Drift-Salesforce integration were impacted, Google’s Threat Intelligence Group (GTIG) on August 28 revealed that Google Workspace customers were affected as well.

On Tuesday, Cloudflare, Palo Alto Networks, and Zscaler confirmed that they were among the hundreds of organizations that had their Salesforce instances hacked as part of this campaign.

“Palo Alto Networks confirms that it was one of hundreds of customers impacted by the widespread supply chain attack targeting the Salesloft Drift application that exposed Salesforce data. We quickly contained the incident and disabled the application from our Salesforce environment,” the company told SecurityWeek.

“The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data. We are in the process of directly notifying any impacted customers,” the company said.

In a detailed report on the attack, Cloudflare said the hackers exfiltrated customer contact information and basic support case data, which could expose customer configuration and sensitive information such as logs, tokens, and passwords.

“As part of our response to this incident, we did our own search through the compromised data to look for tokens or passwords and found 104 Cloudflare API tokens. We have identified no suspicious activity associated with those tokens, but all of these have been rotated in an abundance of caution,” Cloudflare said.

Its investigation into the attack revealed that the hackers used Salesloft integration credentials to access its Salesforce instance, ran reconnaissance queries for several days, and on August 17 launched a Salesforce Bulk API 2.0 job that exfiltrated a database in roughly three minutes.

Zscaler said the customer information stolen from its Salesforce instance includes names, business email addresses, phone numbers, job titles, location details, licensing information, and plain text content from certain support cases.

“We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks. Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations,” Cloudflare said.

This article was published by Security Week. Please check their website for the original content.
