Overview

In August 2025, a widespread cyberattack targeted Salesloft’s Drift platform, affecting numerous organizations, including Cloudflare, Palo Alto Networks, Zscaler, and others. The breach exploited vulnerabilities in the Drift integration with Salesforce, allowing unauthorized access to sensitive customer data. While Cloudflare’s core infrastructure remained secure, the compromised data included API tokens, which have since been rotated as a precautionary measure. The attackers, identified by Google as the threat group UNC6395, used stolen OAuth tokens to access Salesforce instances, potentially exposing customer contact information and other sensitive data.

Salesloft has acknowledged the severity of the incident and is collaborating with Mandiant, Google Cloud’s incident response division, and cyber insurer Coalition to investigate the breach. The company has taken the Drift platform offline to conduct a comprehensive review and enhance security measures. This incident underscores the critical need for vigilance in securing third-party integrations and SaaS applications.

 

Affected systems include:

  • Salesforce CRM: Support cases accessed via compromised third-party integrations.
  • Salesloft and Drift platforms: Third-party vendors whose vulnerabilities were exploited.
  • API tokens and credentials: Sensitive tokens linked to Cloudflare and other affected customers, which have been rotated.

 

Recommended Remediations

ctrl:cyber strongly recommends the following actions to mitigate risk:

  • Disconnect Salesloft Integrations: Immediately disconnect any active Salesloft integrations from systems like Salesforce and uninstall related applications or browser extensions if applicable.
  • Rotate Credentials: Reset credentials used in third-party applications or shared in vendor support cases. It is advisable to rotate all third-party API keys and secrets as a precaution.
  • Review Vendor Communications: Examine your communications and support cases with vendors to identify any potentially exposed sensitive information such as credentials, API keys, or configuration details.
  • Audit Third-Party Access: Review all third-party integrations to remove any unused connections. Ensure that active third-party applications operate under the principle of least privilege by avoiding admin-level access and applying IP restrictions where feasible.
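For the "Review Vendor Communications" step, one way to triage an exported set of support cases for pasted credentials is sketched below. This is an added example, not code from ctrl:cyber or any affected vendor. The CSV column names (CaseNumber, Subject, Description), the pattern set and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Secret shapes commonly pasted into support cases. Assumed starting set;
# extend it with the token formats your own vendors issue.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "jwt": re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*[\"']?([^\s\"',;]{8,})"
    ),
}

def redact(value):
    """Keep a short prefix for triage so the report does not re-expose the secret."""
    return value[:4] + "*" * 8

def scan_cases(rows):
    """Return one finding per match: (case number, pattern name, redacted value)."""
    findings = []
    for row in rows:
        text = f"{row.get('Subject', '')}\n{row.get('Description', '')}"
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                secret = m.group(m.lastindex or 0)  # captured value, else whole match
                findings.append((row["CaseNumber"], name, redact(secret)))
    return findings

def scan_csv(text):
    """Scan a CSV export held in a string (hypothetical export layout)."""
    return scan_cases(csv.DictReader(io.StringIO(text)))

# Constructed sample export (not real data); every value below is made up.
SAMPLE_CSV = '''CaseNumber,Subject,Description
00001001,Login loop,"Users get redirected after SSO. No config attached."
00001002,API 403,"Request fails with api_key=zq81LmExampleOnly77 set in the header"
00001003,S3 sync,"We use AKIAABCDEFGHIJKLMNOP for the upload job"
00001004,Webhook,"curl -H 'Authorization: Bearer abcdEFGH1234ijklMNOP5678' https://example.invalid/hook"
'''

if __name__ == "__main__":
    for case, kind, hint in scan_csv(SAMPLE_CSV):
        print(f"{case}\t{kind}\t{hint}")
```

Each finding names a case whose credential should be treated as exposed and rotated; a case with no findings can still contain secrets in formats the pattern set does not cover.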

Sources: "The impact of the Salesloft Drift breach on Cloudflare and our customers"; "Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler" | CyberScoop