
Cloudflare, Zscaler among companies impacted by Salesloft Drift incident

Several large tech companies confirmed on Tuesday that information about their customers was stolen during a wide-ranging data theft incident involving a popular automation tool. 

Executives at Cloudflare, Zscaler and Palo Alto Networks published blog posts outlining how the companies have been affected by a hacking campaign targeting Salesloft Drift, a third-party AI chatbot and sales-automation platform that companies typically connect to their instances of Salesforce, the cloud customer relationship management (CRM) service where customer and support data is stored.

Incident responders from Google's Mandiant have warned for more than a week that a threat actor the company tracks as UNC6395 targeted data stored in Salesforce between August 8 and August 18. 

Google incident responders said hackers were systematically exporting large volumes of data from numerous corporate Salesforce instances — with the goal of stealing sensitive credentials such as Amazon Web Services access keys and access tokens for the Snowflake cloud platform.

Atlanta-based Salesloft confirmed last week that a threat actor used stolen authentication tokens to exfiltrate data from its customers' Salesforce instances. The breaches were traced back to Drift, an AI chatbot company that Salesloft acquired last year. The tool is typically integrated with other systems, such as Salesforce, to track engagements with customers.  

Salesloft said on Tuesday that it is now taking the Drift platform offline. It had previously told customers that, in response to the string of data theft attacks, it was pausing the Salesforce-Salesloft integration while an investigation is conducted. 

“The disconnection of Salesloft was done as a precautionary measure initiated by Salesforce and there is no evidence of any unusual or malicious activity with the Salesloft platform,” the company said in an advisory, adding that Mandiant is conducting a review of the platform.

“Additionally, at this time, there are no indications that the Salesloft integrations are compromised or at risk.” 

Google previously told CyberScoop that more than 700 companies may have been attacked as part of the campaign. By Tuesday, Cloudflare, Zscaler and Palo Alto Networks came forward to confirm that they are among those affected. 

The hackers’ goal appears to be stealing further secrets and tokens that could be used to compromise other victim environments, according to Google. 

Cloudflare effects

Cloudflare executives said they were notified last week that the internet infrastructure company was affected by the campaign. The company uses Salesforce as a tool to support customers and store related data. 

Cloudflare's investigation found that the hackers had conducted a sophisticated supply chain attack "targeting business-to-business third-party integrations, affecting hundreds of organizations globally that were customers of Salesloft."

The investigation found that hackers accessed:

  • The subject line of the Salesforce case.
  • The body of the case (freeform text that may include information such as keys or secrets if provided by the customer to Cloudflare).
  • Customer contact information (such as a company’s name, requestor email address and phone number, domain name and company country).

Some of the data stolen contains information in support tickets, and Cloudflare warned that any information a customer may have shared — like logs, tokens or passwords — should be considered compromised. Cloudflare urged customers to rotate credentials that may have been shared. 

After conducting reconnaissance on August 9, the hackers exfiltrated data between August 12 and August 17, Cloudflare said.

Cloudflare said it searched the compromised data and found 104 Cloudflare API tokens, but it has not seen any suspicious activity related to these tokens. All of the tokens have been rotated, the company said, and all customers who had data compromised were notified. 
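Searching the exported case data for credentials, as Cloudflare did, is the first check a victim organization should run against its own Salesforce case export, because every hit is a token to rotate whether or not abuse has been observed. The Python below is an added example and is not Cloudflare's, Salesloft's or Google's code: the CSV rows, the column names (CASE_ID, SUBJECT, DESCRIPTION) and the credential regexes (including the assumed 40-character shape of a Cloudflare API token) are constructed for illustration and should be tuned to your environment.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export; column names are an assumption about how a
# Salesforce case report might be laid out, not a real schema.
# The AWS values are the placeholder keys used in AWS documentation.
SAMPLE_EXPORT = """CASE_ID,SUBJECT,DESCRIPTION
00001,"DNS propagation delay","Records for example.com are not updating. No credentials included."
00002,"Worker deploy failing","Here is my token so you can reproduce: cf_token=abcdefghijklmnopqrstuvwxyz0123456789ABCD"
00003,"S3 origin returns 403","AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
00004,"Tunnel auth","curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdefghijklmnopqrstu' https://api.example/"
"""

# Ordered from most specific to most generic; earlier patterns claim their
# span first so a generic pattern does not double-report the same secret.
# All shapes here are approximations (assumption), not vendor specifications.
SECRET_PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+([A-Za-z0-9._\-]{20,})"),
    "cloudflare_api_token": re.compile(r"\b[A-Za-z0-9_-]{40}\b"),  # assumed 40-char token
}


def redact(secret: str) -> str:
    """Keep only enough of the value to identify which credential to rotate."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "..."


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (secret_type, redacted_preview) for each secret in the text.

    Spans already matched by a more specific pattern are skipped so that,
    for example, a 40-char AWS secret is not also reported as a generic token.
    """
    hits: list[tuple[str, str]] = []
    claimed: list[tuple[int, int]] = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            start, end = m.span()
            if any(start < c_end and end > c_start for c_start, c_end in claimed):
                continue
            claimed.append((start, end))
            secret = m.group(1) if m.groups() else m.group(0)
            hits.append((name, redact(secret)))
    return hits


def scan_case_export(csv_text: str) -> dict[str, list[tuple[str, str]]]:
    """Scan subject and body of every case; return findings keyed by case ID."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        text = f"{row['SUBJECT']}\n{row['DESCRIPTION']}"
        hits = scan_text(text)
        if hits:
            findings[row["CASE_ID"]] = hits
    return findings


def summarize(findings: dict[str, list[tuple[str, str]]]) -> Counter:
    """Count secrets by type, the figure a postmortem would report."""
    return Counter(kind for hits in findings.values() for kind, _ in hits)


if __name__ == "__main__":
    found = scan_case_export(SAMPLE_EXPORT)
    for case_id, hits in found.items():
        for kind, preview in hits:
            print(f"case {case_id}: {kind} {preview}  -> rotate")
    print(dict(summarize(found)))
```

Run it against a real export only after the export itself has been secured, and treat the output as a rotation list rather than a proof of abuse: Cloudflare found 104 tokens this way with no observed misuse and rotated all of them anyway.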

None of Cloudflare’s services or infrastructure were compromised due to the breach, the company said. 

Salesforce and Salesloft notified Cloudflare on August 23 about the Drift integration abuse. Cloudflare noted in its postmortem that Salesloft revoked Drift-to-Salesforce connections across its customer base before notifying customers. 

Cloudflare disabled its Drift user account and purged all Salesloft software and browser extensions from its systems. All affected customers were notified through email and through banners in the Cloudflare dashboard. 

Cloudflare urged potential victims to disconnect Salesloft, conduct a forensic investigation and take other remediation steps. 

“As third-party tools increasingly integrate with internal corporate data across the industry, we need to approach each new tool with careful scrutiny,” the company said. “This incident affected hundreds of organizations through a single integration point, highlighting the interconnected risks in today's technology landscape.”

More victims come forward

Cybersecurity giant Zscaler published a similar blog post over the weekend explaining that the hackers accessed customer business contact details and specific Salesforce related content, including names, business email addresses, phone numbers, location details, Zscaler product licensing and commercial information and content from some support cases. 

Palo Alto Networks, another cybersecurity firm, confirmed it was affected on Tuesday, writing that once it learned of the incident, it disconnected the Salesloft application from its Salesforce environment and began an investigation. 

Like the other victims, Palo Alto Networks said most of the data accessed was “business contact information, internal sales account and basic case data related” to the company’s customers. The company said it is reaching out to “a limited number of customers that have potentially more sensitive data exposed.”

Identity and access management company Okta said it was not affected but did observe evidence of failed attempts to use a compromised Salesloft Drift token to access an Okta Salesforce instance.

Several other companies have come forward to note that they were impacted as well. 

Google’s threat intelligence group updated a previous advisory late last week to say the scope of the compromise “is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.” 

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the incident responders said. 

Its own investigation found that a threat actor used stolen tokens to access email from a number of Google Workspace accounts on August 9. 

The accounts accessed were configured to integrate with Salesloft Drift and would not have allowed the hacker to access any other accounts, Google said. 

Google revoked the tokens and disabled the integration functionality between Google Workspace and Salesloft Drift. 

All impacted Google Workspace administrators are being notified of the incident but the company noted that there has been no compromise of Google Workspace or Alphabet itself.


Google officials told Recorded Future News that they do not have enough evidence to say whether this campaign is tied to another string of attacks targeting Salesforce data that was uncovered in June.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.