Cloudflare and Palo Alto Networks Victimized in Salesloft Drift Breach

By Team-CWD, September 12, 2025


Cloudflare and Palo Alto Networks are the latest big names to have had their Salesforce instances accessed by threat actors via the Salesloft Drift app, the firms have revealed.

In a post yesterday, Cloudflare said it became aware of suspicious activity in its Salesforce tenant last week.

“Our investigation showed the threat actor compromised and exfiltrated data from our Salesforce tenant between August 12-17, 2025, following initial reconnaissance observed on August 9, 2025,” it continued.

“A detailed analysis confirmed the exposure was limited to Salesforce case objects, which primarily consist of customer support tickets and their associated data within our Salesforce tenant.”

Read more on the Salesloft campaign: Zscaler Customer Info Taken in Salesloft Breach

Salesforce case objects include customer contact information related to support cases, case subject lines and the body of the case correspondence, but not attachments, Cloudflare was keen to point out.

“Cloudflare does not request or require customers to share secrets, credentials, or API keys in support cases,” the firm said.

“However, in some troubleshooting scenarios, customers may paste keys, logs, or other sensitive information into the case text fields. Anything shared through this channel should now be considered compromised.”

Cloudflare urged customers to rotate any credentials shared with it through this channel. It also found 104 Cloudflare API tokens in the compromised dataset, which it has rotated out of an abundance of caution.

Separately, Palo Alto Networks revealed yesterday that it too had its Salesforce data accessed by the same threat actor.

“The data involved includes mostly business contact information, internal sales account and basic case data related to our customers,” it said. “We take this incident seriously and are reaching out to a limited number of customers that have potentially more sensitive data exposed.”

More Targeted Attacks to Come?

Cloudflare confirmed that hundreds of victims have been caught up in this campaign. A threat actor identified as UNC6395 originally compromised OAuth tokens associated with the third-party Salesloft Drift application, which integrates with Salesforce.

In activity between August 8 and August 18, they systematically exfiltrated large volumes of data in order to search for credentials, according to Google’s Threat Intelligence Group (GTIG).

Cloudflare seemed to agree with this analysis.

“Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations,” it warned.

The tech firm’s revelations came just a few days after Zscaler admitted it was also impacted by the data theft campaign.

Some experts have suggested a nation state actor is to blame. GTIG has thus far found no connection between this and the ShinyHunters vishing campaign targeting Salesforce customers.

Image credit: Saulo Ferreira Angelo / Shutterstock.com


