Cloudflare confirmed it was impacted by a sophisticated **supply chain attack** targeting the **Salesloft Drift-Salesforce integration**, part of a broader campaign (UNC6395) that compromised over **700 organizations**. Hackers exploited stolen credentials to exfiltrate data from Cloudflare’s **Salesforce support cases** between **August 12–17, 2024**, following reconnaissance on **August 9**. The breach exposed:

- **Customer contact details** (emails, phone numbers, company domains).
- **Support case contents**, including **freeform text** (potentially containing **API tokens, logs, or passwords** shared by customers).
- **104 Cloudflare API tokens**, though no malicious use was detected (all tokens were rotated).

While **no Cloudflare infrastructure was compromised**, the attack risked **credential theft for downstream systems** (e.g., AWS keys, Snowflake tokens). Cloudflare disabled Drift, purged Salesloft integrations, and notified affected customers, urging **credential rotation** and forensic reviews. The incident underscores the risks of **third-party SaaS integrations** in enterprise environments.
Source: https://therecord.media/salesloft-drift-breach-cloudflare-zscaler-palo-alto-networks
TPRM report: https://www.rankiteo.com/company/cloudflare
"id": "clo453090325",
"linkid": "cloudflare",
"type": "Breach",
"date": "8/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Limited subset (those with data '
'in Salesforce cases)',
'industry': 'Cybersecurity/Cloud Services',
'location': 'San Francisco, CA, USA',
'name': 'Cloudflare',
'size': '~3,000 employees (2024)',
'type': 'Internet Infrastructure Company'},
{'customers_affected': 'Customers with support cases or '
'licensing data exposed',
'industry': 'Cloud Security',
'location': 'San Jose, CA, USA',
'name': 'Zscaler',
'size': '~5,000 employees (2024)',
'type': 'Cybersecurity Firm'},
{'customers_affected': 'Limited number with sensitive '
'data in Salesforce',
'industry': 'Network Security',
'location': 'Santa Clara, CA, USA',
'name': 'Palo Alto Networks',
'size': '~12,000 employees (2024)',
'type': 'Cybersecurity Firm'},
{'customers_affected': 'Hundreds of organizations using '
'Drift-Salesforce integration',
'industry': 'SaaS/CRM',
'location': 'Atlanta, GA, USA',
'name': 'Salesloft',
'size': '~1,000 employees (2024)',
'type': 'Sales Engagement Platform'},
{'customers_affected': 'Workspace administrators with '
'Drift-integrated accounts',
'industry': 'Cloud/Enterprise Software',
'location': 'Mountain View, CA, USA',
'name': 'Google (Workspace)',
'size': '~190,000 employees (2024)',
'type': 'Tech Giant'},
{'industry': 'Multiple (tech, finance, healthcare, '
'etc.)',
'location': 'Global',
'name': 'Over 700 Unnamed Companies',
'type': 'Varied (B2B organizations)'}],
'attack_vector': ['Compromised Third-Party Integration (Salesloft Drift)',
'Stolen Authentication Tokens',
'API Abuse'],
'customer_advisories': ['Cloudflare: Notified affected customers via '
'email/dashboard banners; urged credential rotation.',
'Palo Alto Networks: Contacting customers with '
'potentially exposed sensitive data.',
'Zscaler: Published guidance for customers to review '
'exposed support cases.',
'Salesloft: Advises all customers to disconnect '
'Drift-Salesforce integration.'],
'data_breach': {'data_exfiltration': ['Confirmed between August 12–17, 2024',
'Systematic export of large data '
'volumes'],
'file_types_exposed': ['Salesforce case records (text)',
'CSV/JSON exports (likely)',
'Email content (Google Workspace)'],
'number_of_records_exposed': ['Exact count unknown; hundreds '
'of organizations affected',
'Cloudflare identified 104 API '
'tokens'],
'personally_identifiable_information': ['Business emails, '
'phone numbers, '
'company names (no '
'SSNs/financial data '
'confirmed)'],
'sensitivity_of_data': ['Moderate to High '
'(credentials/secrets in support '
'cases)',
'Low for most business contact '
'details'],
'type_of_data_compromised': ['Business contact information',
'Salesforce case '
'metadata/content',
'Authentication tokens (AWS, '
'Snowflake, API keys)',
'Support logs (may include '
'sensitive customer-provided '
'data)']},
'date_detected': '2024-08-13 (initial warnings by Mandiant)',
'date_publicly_disclosed': '2024-08-27 (confirmations by Cloudflare, Zscaler, '
'Palo Alto Networks)',
'description': 'A sophisticated supply chain attack targeted hundreds of '
'organizations globally by exploiting the Salesloft Drift '
'integration with Salesforce. Threat actors (tracked as '
'UNC6395 by Mandiant) exfiltrated sensitive customer data, '
'including AWS access keys, Snowflake tokens, and business '
'contact details, between August 8–18, 2024. Affected '
'companies include Cloudflare, Zscaler, Palo Alto Networks, '
'and potentially over 700 others. The attack leveraged stolen '
'credentials and compromised authentication tokens within the '
'Drift AI chatbot platform, which Salesloft acquired in 2023. '
'Salesloft has since taken Drift offline and paused Salesforce '
'integrations as a precautionary measure.',
'impact': {'brand_reputation_impact': ['High (affects trust in Salesforce '
'ecosystem and third-party '
'integrations)',
'Public disclosures by major tech '
'firms may amplify scrutiny'],
'customer_complaints': ['Potential increase due to exposed '
'sensitive data in support cases'],
'data_compromised': ['Customer business contact details (names, '
'emails, phone numbers, locations)',
'Salesforce case data (subject lines, body '
'text with potential keys/secrets)',
'AWS access keys',
'Snowflake access tokens',
'Zscaler product licensing/commercial '
'information',
'Support case logs (may include '
'tokens/passwords)'],
'downtime': ['Salesloft Drift platform taken offline',
'Salesforce-Salesloft integrations paused'],
'identity_theft_risk': ['Moderate (business contact details '
'exposed)',
'Low for direct financial fraud (no '
'payment data confirmed)'],
'legal_liabilities': ['Potential GDPR/CCPA violations for exposed '
'PII',
'Contractual breaches with customers'],
'operational_impact': ['Forensic investigations across hundreds of '
'organizations',
'Credential rotation campaigns',
'Disruption of customer support workflows '
'(Salesforce case management)',
'Temporary loss of Drift chatbot '
'functionality'],
'payment_information_risk': 'None reported',
'systems_affected': ['Salesforce instances (via Salesloft Drift '
'integration)',
'Google Workspace accounts (limited to '
'Drift-integrated emails)',
'Cloudflare API tokens (104 identified, '
'rotated)']},
'initial_access_broker': {'data_sold_on_dark_web': ['Not confirmed, but '
'stolen '
'credentials/tokens may '
'be monetized'],
'entry_point': 'Compromised Salesloft Drift '
'authentication tokens (likely via '
'phishing or credential stuffing)',
'high_value_targets': ['AWS access keys',
'Snowflake tokens',
'Salesforce case data with '
'secrets'],
'reconnaissance_period': ['August 9, 2024 (Google '
'observed email access)',
'Likely earlier for '
'initial Drift '
'compromise']},
'investigation_status': 'Ongoing (as of August 28, 2024)',
'lessons_learned': ['Third-party SaaS integrations introduce significant '
'supply chain risk, especially when connected to core '
'systems like Salesforce.',
'Authentication tokens in chatbot/automation platforms '
'(e.g., Drift) require stricter access controls and '
'rotation policies.',
'Over-permissive API integrations can enable large-scale '
'data exfiltration with minimal detection.',
'Proactive disconnection of integrations (as done by '
'Salesloft) can limit blast radius, but transparency is '
'critical to maintain trust.',
'Credential hygiene (e.g., rotating tokens in support '
'systems) is often overlooked but critical for limiting '
'post-breach impact.'],
'motivation': ['Credential Harvesting for Further Attacks',
'Data Exfiltration for Resale/Exploitation',
'Potential Espionage or Financial Gain'],
'post_incident_analysis': {'corrective_actions': ['Salesloft: Offlined Drift, '
'revoked all integration '
'tokens, mandatory customer '
'disconnections.',
'Cloudflare: Purged '
'Salesloft software, '
'rotated all exposed API '
'tokens, enhanced '
'Salesforce logging.',
'Google: Disabled '
'Drift-Workspace '
'integration, revoked '
'compromised tokens.',
'Industry-wide: '
'Reevaluation of '
'third-party '
'chatbot/automation tool '
'security postures.'],
'root_causes': ['Insufficient access controls for '
'Drift-Salesforce integration '
'tokens.',
'Lack of network segmentation '
'between Drift and Salesforce data '
'stores.',
'Over-reliance on static API '
'tokens without rotation policies.',
'Delayed detection of bulk data '
'exfiltration (August 8–18 '
'activity detected later).',
'Acquisition-related security gaps '
'(Drift’s integration '
'post-Salesloft acquisition).']},
'ransomware': {'data_exfiltration': 'Yes (but not ransomware-related)'},
'recommendations': ['Audit all third-party integrations with Salesforce/CRM '
'systems for least-privilege access.',
'Isolate high-risk integrations (e.g., AI chatbots) in '
'segmented network zones with enhanced logging.',
'Implement automated token rotation for all API '
'keys/secrets stored in SaaS platforms.',
'Monitor for unusual data export patterns in Salesforce '
'(e.g., bulk API calls).',
'Require multi-factor authentication (MFA) for all '
'Salesforce integrations, including third-party tools.',
'Conduct tabletop exercises for supply chain attack '
'scenarios involving CRM/ERP systems.',
'Evaluate the necessity of storing sensitive data (e.g., '
'AWS keys) in customer support systems.'],
'references': [{'date_accessed': '2024-08-28',
'source': 'CyberScoop',
'url': 'https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/'},
{'date_accessed': '2024-08-27',
'source': 'Cloudflare Blog (Postmortem)',
'url': 'https://blog.cloudflare.com/salesloft-drift-incident-august-2024'},
{'date_accessed': '2024-08-26',
'source': 'Zscaler Advisory',
'url': 'https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-update'},
{'date_accessed': '2024-08-27',
'source': 'Palo Alto Networks Statement',
'url': 'https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/'},
{'date_accessed': '2024-08-25',
'source': 'Google Threat Intelligence Advisory',
'url': 'https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaign'},
{'date_accessed': '2024-08-20',
'source': 'Mandiant (UNC6395 Tracking)',
'url': 'https://www.mandiant.com/resources/insights/unc6395-salesforce-campaign'}],
'regulatory_compliance': {'regulations_violated': ['Potential GDPR (EU '
'customer data)',
'CCPA (California '
'residents)',
'Industry-specific '
'compliance (e.g., SOC 2)'],
'regulatory_notifications': ['Likely ongoing (not '
'publicly detailed)']},
'response': {'communication_strategy': ['Public blog posts by Cloudflare, '
'Zscaler, Palo Alto Networks',
'Customer advisories with actionable '
'steps (e.g., disconnect Salesloft, '
'rotate credentials)',
'Google’s updated threat advisory '
'(August 2024)'],
'containment_measures': ['Salesloft revoked all '
'Drift-to-Salesforce connections '
'(pre-notification)',
'Cloudflare disabled Drift user '
'accounts and purged Salesloft software',
'Google revoked compromised Workspace '
'tokens and disabled Drift integration',
'Salesloft took Drift platform offline '
'and paused Salesforce integrations'],
'enhanced_monitoring': ['Likely implemented by affected '
'companies (not detailed)'],
'incident_response_plan_activated': ['Cloudflare (August 23)',
'Zscaler',
'Palo Alto Networks',
'Salesloft',
'Google'],
'recovery_measures': ['Re-establishing secure integrations '
'(timeline unclear)',
'Enhanced monitoring of '
'Salesforce/Salesloft environments'],
'remediation_measures': ['Credential rotation (Cloudflare '
'rotated 104 API tokens)',
'Customer notifications via '
'email/dashboard banners (Cloudflare, '
'Palo Alto Networks)',
'Forensic investigations across '
'affected organizations',
'Salesforce instance audits for '
'unauthorized access'],
'third_party_assistance': ['Mandiant (for Salesloft '
'investigation)',
'Google Threat Intelligence']},
'stakeholder_advisories': ['Disconnect Salesloft Drift integration '
'immediately.',
'Treat all Drift-stored authentication tokens as '
'compromised.',
'Audit Salesforce for unauthorized data exports '
'(August 8–18, 2024).',
'Rotate all credentials/secrets shared via '
'Salesforce cases or Drift chats.',
'Monitor for follow-on attacks leveraging stolen '
'AWS/Snowflake tokens.'],
'threat_actor': 'UNC6395 (tracked by Mandiant)',
'title': 'Widespread Data Theft Campaign Targeting Salesforce via Salesloft '
'Drift Integration',
'type': ['Data Breach', 'Supply Chain Attack', 'Credential Theft'],
'vulnerability_exploited': ['Weak Authentication Token Management in Drift',
'Over-Permissive Salesforce Integrations']}