{"id":2653,"date":"2025-09-04T02:51:41","date_gmt":"2025-09-04T02:51:41","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/04\/cloudflare-and-palo-alto-networks-victimized-in-salesloft-drift-breach\/"},"modified":"2025-09-04T02:51:41","modified_gmt":"2025-09-04T02:51:41","slug":"cloudflare-and-palo-alto-networks-victimized-in-salesloft-drift-breach","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/09\/04\/cloudflare-and-palo-alto-networks-victimized-in-salesloft-drift-breach\/","title":{"rendered":"Cloudflare and Palo Alto Networks Victimized in Salesloft Drift Breach"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-2c218f3f-34ad-4622-8224-1c7247cbf7ce\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Cloudflare and Palo Alto Networks are the latest big names to have had their Salesforce instances accessed by threat actors via the Salesloft Drift app, the firms have\u00a0revealed.<\/p>\n<p>In a post yesterday, Cloudflare said it became aware of suspicious activity in its Salesforce tenant last week.<\/p>\n<p>\u201cOur investigation showed the threat actor compromised and exfiltrated data from our Salesforce tenant between August 12-17, 2025, following initial reconnaissance observed on August 9, 2025,\u201d it continued.<\/p>\n<p>\u201cA detailed analysis confirmed the exposure was limited to Salesforce case objects, which primarily consist of customer support tickets and their associated data within our Salesforce tenant.\u201d<\/p>\n<p><em>Read more on the Salesloft campaign: Zscaler Customer Info Taken in Salesloft Breach<\/em><\/p>\n<p>Salesforce case objects include customer contact 
information related to support cases, case subject lines\u00a0and the body of the case correspondence, but not attachments, Cloudflare was keen to point out.<\/p>\n<p>\u201cCloudflare does not request or require customers to share secrets, credentials, or API keys in support cases,\u201d the firm said.<\/p>\n<p>\u201cHowever, in some troubleshooting scenarios, customers may paste keys, logs, or other sensitive information into the case text fields. Anything shared through this channel should now be considered compromised.\u201d<\/p>\n<p>Cloudflare urged customers to rotate any credentials shared with it through this channel. It also found 104 Cloudflare API tokens in the compromised dataset, which it has rotated out of an abundance of caution.<\/p>\n<p>Separately, Palo Alto Networks revealed yesterday that it too had its Salesforce data accessed by the same threat actor.<\/p>\n<p>\u201cThe data involved includes mostly business contact information, internal sales account and basic case data related to our customers,\u201d it said. \u201cWe take this incident seriously and are reaching out to a limited number of customers that have potentially more sensitive data exposed.\u201d<\/p>\n<h2>More Targeted Attacks to Come?<\/h2>\n<p>Cloudflare confirmed that hundreds of victims have been caught up in this campaign. 
A threat actor identified as UNC6395 originally compromised OAuth tokens associated with the\u00a0third-party Salesloft Drift application, which integrates with Salesforce.<\/p>\n<p>In activity between August 8 and August 18, they systematically exfiltrated large volumes of data\u00a0in order to search for credentials, according to Google\u2019s Threat Intelligence Group (GTIG).<\/p>\n<p>Cloudflare seemed to agree with this analysis.<\/p>\n<p>\u201cGiven that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations,\u201d it warned.<\/p>\n<p>The tech firm\u2019s revelations came just a few days after Zscaler admitted it was also impacted by the data theft campaign.<\/p>\n<p>Some experts have suggested a nation state actor is to blame. GTIG has thus far found no connection between this and the ShinyHunters vishing campaign targeting Salesforce customers.<\/p>\n<\/div>\n<p>Image\u00a0credit: Saulo Ferreira Angelo \/ Shutterstock.com<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cloudflare and Palo Alto Networks are the latest big names to have had their Salesforce instances accessed by threat actors via the Salesloft Drift app, the firms have\u00a0revealed. In a post yesterday, Cloudflare said it became aware of suspicious activity in its Salesforce tenant last week. 
\u201cOur investigation showed the threat actor compromised and exfiltrated<\/p>\n","protected":false},"author":2,"featured_media":2654,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2653","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2653-4777a917-1c9e-4bbf-a9ef-acbbc8b0d3c6-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"categor
y_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2653"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2653\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2654"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}