Unauthorized Access Leads to Data Leakage at Cloudflare and Palo Alto Networks through Salesloft Drift Incident
In a series of cybersecurity incidents, it has been revealed that the Salesforce data of several high-profile companies, including Cloudflare and Palo Alto Networks, has been accessed by an unknown threat actor.
The breach, which occurred between August 8 and August 18, was systematically carried out, with the threat actor searching for credentials, according to Google's Threat Intelligence Group (GTIG). The exposure in Cloudflare's Salesforce tenant was limited to Salesforce case objects, primarily customer support tickets and their associated data.
The threat actor, identified as UNC6395, initially compromised OAuth tokens associated with the third-party Salesloft Drift application. This allowed the actor to gain access to the Salesforce instances of the affected companies.
Similar incidents have affected various organisations using these platforms, and it is possible that further attacks could occur if the stolen data is exploited. Zscaler also admitted being impacted by the data theft campaign, a few days before Cloudflare's revelations.
Cloudflare became aware of suspicious activity in its Salesforce tenant last week, with the threat actor compromising the tenant and exfiltrating data between August 12 and 17, 2025. The exfiltrated data includes business contact information, internal sales accounts, and basic case data related to Cloudflare's customers.
Cloudflare suspects the threat actor will use the information obtained from this incident to launch targeted attacks against customers across the affected organisations. Cloudflare found 104 Cloudflare API tokens in the compromised dataset and, as a precaution, has rotated them.
The company has also urged customers to rotate any credentials shared with it through the case text fields, as anything shared through this channel should now be considered compromised.
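For teams reviewing what they have pasted into support cases, the sketch below scans an export of case records for credential-like strings and produces a redacted rotation list. It is an added example, not Cloudflare's tooling: the column names (`CaseNumber`, `Subject`, `Description`), the rule set, the entropy threshold and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
import math
import re
from collections import Counter

# Constructed sample export (not real case data); column names are assumed.
SAMPLE_EXPORT = '''CaseNumber,Subject,Description
00001001,Worker deploy fails,"Getting 403. We set api_token = q7Zp2LkV9xTm4RbW8sNc in the CI config."
00001002,Billing question,"Please note the password: required field is not shown on the form."
00001003,S3 log push,"Our key is AKIAIOSFODNN7EXAMPLE, logs stop after an hour."
00001004,Login issue,"curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln' returns 401"
'''

# Assumed rule set: a few public credential shapes plus a keyword heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/-]{20,})"),
    "keyword_secret": re.compile(
        r"(?i)\b(?:api[_ -]?(?:key|token)|token|secret|password|passwd)\b"
        r"\s*[:=]\s*[\"']?([^\s\"',;]{8,})"
    ),
}

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    """Keep only a short prefix so the report does not become a second leak."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_cases(csv_text, min_entropy=3.0):
    """Return (case number, rule name, redacted value) for each suspected secret."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        text = f"{row['Subject']}\n{row['Description']}"
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(text):
                value = m.group(m.lastindex or 0)
                # Keyword hits on low-entropy words are usually prose, not secrets.
                if rule == "keyword_secret" and entropy(value) < min_entropy:
                    continue
                findings.append((row["CaseNumber"], rule, redact(value)))
    return findings

if __name__ == "__main__":
    for case_number, rule, preview in scan_cases(SAMPLE_EXPORT):
        print(case_number, rule, preview)
```

Every hit is a candidate for rotation regardless of whether the value still works; the entropy filter only suppresses ordinary words that follow a keyword such as "password:".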
Some experts suggest a nation-state actor could be behind this campaign, but GTIG has found no connection with the ShinyHunters vishing campaign targeting Salesforce customers. Further details about the Palo Alto Networks incident were not provided.
This incident serves as a reminder for organisations to prioritise cybersecurity and implement robust measures to protect sensitive data. As the threat landscape continues to evolve, it is crucial for companies to stay vigilant and adapt their security strategies accordingly.