Cloudflare and Palo Alto Networks both announced Tuesday that they were affected by the Salesloft Drift supply chain attack campaign, which has targeted Salesforce instances of hundreds of organizations across the globe.

The threat group, tracked as UNC6395 by Google and GRUB1 by Cloudflare, used stolen OAuth tokens for the Salesloft Drift AI chat agent to infiltrate Salesforce instances via the Drift-Salesforce integration. The attack affected more than 700 Salesforce customer organizations between Aug. 8 and Aug. 18, 2025.

In a blog post on Tuesday, Cloudflare announced it was one of the victims of the supply chain attack and that some customer data was affected. In the post, the internet infrastructure firm also broke down the timeline of events, the data that was compromised and Cloudflare’s response to the incident.

Cloudflare said the attackers obtained customer contact information and information from the text fields of support cases, but no files attached to these cases. However, some of these support cases included sensitive data such as passwords and API keys that customers had entered into the text fields.

Cloudflare directly notified customers Tuesday and recommends that they review their Cloudflare and Salesforce support cases for potentially sensitive information, rotate potentially compromised credentials and credentials for any Salesforce integrations, disconnect Salesloft connections from Salesforce environments and continue to monitor and conduct forensics in response to the data breach.

“Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting. Their blog not only provides clear technical detail but also openly accepts responsibility for the risks posed by third-party integrations,” noted Cory Michal, CSO at AppOmni, in a comment to SC Media.

In a briefer advisory published Tuesday, Palo Alto Networks disclosed unauthorized access to customers’ Salesforce data via the Salesloft Drift campaign and said business contact information, internal sales account data and basic support case data were stolen.

A “limited number of customers” who may have had more sensitive data accessed will be directly contacted by Palo Alto Networks. Both Cloudflare and Palo Alto said the breaches were limited to their Salesforce instances and that no other company systems were directly breached.

Cloud security company Zscaler also disclosed over the weekend that it was affected by the Salesloft Drift campaign. UNC6395 is also believed to have leveraged Salesloft Drift OAuth tokens to access a limited number of Google Workspace accounts that were integrated with the Drift agent, according to the Google Threat Intelligence Group.
Identity, Data Security, Supply chain, Breach, Exposure management

Cloudflare, Palo Alto Networks affected by Salesloft Drift attack campaign




