Multiple tech firms have publicly detailed how incidents involving the third-party Salesloft Drift tool have exposed customer data.
# Incident Report: Salesloft Drift Supply Chain Data Theft
## Executive Summary
A large-scale, systemic data theft campaign targeting Salesforce instances, carried out through the third-party AI platform Salesloft Drift, resulted in the exfiltration of sensitive data, including customer credentials and access tokens, from numerous organizations globally, among them Cloudflare, Zscaler, and Palo Alto Networks. The threat actor, tracked as UNC6395, abused legitimate integration pathways to systematically export data over a ten-day period in August 2025. Response actions focused on credential rotation, taking the Drift platform offline, and customer notification.
## Incident Details
- **Discovery Date:** Notification to affected parties occurred on or around August 23, 2025 (Salesforce/Salesloft notified Cloudflare). The campaign ran between August 8 and August 18, 2025.
- **Incident Date:** August 8, 2025 – August 18, 2025 (Data Exfiltration Window).
- **Affected Organization:** Salesloft (via their acquired tool, Drift); indirect impact on hundreds of their customers including Cloudflare, Zscaler, and Palo Alto Networks.
- **Sector:** Technology (SaaS/Cloud Infrastructure/Security).
- **Geography:** Global (involving globally operating tech firms).
## Timeline of Events
### Initial Access
- **Date/Time:** Attack reconnaissance started around August 9, 2025.
- **Vector:** Stolen credentials used to compromise the Salesloft Drift platform, which was integrated with customer Salesforce instances. This is described as a supply chain attack targeting third-party integrations.
- **Details:** Threat actor UNC6395 targeted data stored *within* corporate Salesforce instances connected to Salesloft Drift.
### Lateral Movement
- **Details:** The movement occurred *within* the victims' Salesforce environments, where the actors systematically exported large volumes of data. The ultimate goal appears to have been stealing further secrets and tokens (AWS access keys, Snowflake access tokens) for subsequent compromise across environments.
### Data Exfiltration/Impact
- **Details:** Sensitive data was exfiltrated between August 12 and August 17, 2025. Compromised data fields included Salesforce case subject lines, case bodies (which may have contained secrets/logs shared by customers), and customer contact information (name, email, phone, domain). Cloudflare specifically confirmed 104 API tokens were exfiltrated.
### Detection & Response
- **Details:** Incident responders from Mandiant warned about the activity for over a week. Salesforce and Salesloft notified affected customers (like Cloudflare) around August 23. Affected companies conducted investigations, rotated compromised credentials, and disabled/removed Salesloft software. Salesloft took the Drift platform offline and paused the Salesforce-Salesloft integration.
## Attack Methodology
- **Initial Access:** Supply chain exploitation via the Salesloft Drift third-party AI integration connected to Salesforce.
- **Persistence:** Not explicitly detailed, but system access was maintained long enough to systematically export large data volumes over several days.
- **Privilege Escalation:** Not explicitly detailed, but the attackers achieved sufficient access within the Salesforce environment to export sensitive case data and credentials.
- **Defense Evasion:** Utilizing a seemingly trusted third-party integration pathway (Drift) to conduct systematic data harvesting without immediate detection within the victim environments.
- **Credential Access:** Directly accessing and stealing credentials, AWS access keys, and Snowflake access tokens stored within Salesforce case data.
- **Discovery:** Reconnaissance was conducted on August 9, 2025, to map out accessible data.
- **Lateral Movement:** Movement between data stores *within* the compromised Salesforce instances to maximize data collection.
- **Collection:** Systematically exporting large volumes of data from numerous Salesforce instances.
- **Exfiltration:** Data theft conducted between August 12 and August 17, 2025.
- **Impact:** Theft of sensitive credentials, operational secrets, and customer records, resulting in widespread exposure across multiple high-profile tech firms.
## Impact Assessment
- **Financial:** Not quantified, but significant costs associated with incident response, customer notification, and credential replacement are implied for all affected parties.
- **Data Breach:** Sensitive customer contact information, support ticket details, and potentially harmful secrets/tokens (API tokens, AWS keys, Snowflake tokens). An estimated 700+ companies were affected.
- **Operational:** Cloudflare disabled its Drift user account and purged related software. Salesloft took the Drift platform offline and paused integrations, causing service disruption.
- **Reputational:** Negative impact on Salesloft/Drift due to the security failure; public disclosure required from major customers like Cloudflare and Zscaler.
## Indicators of Compromise
(Note: Atomic IoCs such as IP addresses or hashes are not published in the source reporting; they are often confidential or withheld until remediation is complete. The indicators below are behavioral and derived from the reported activity.)
- **Network indicators:** Large volumes of systematic data export/API calls originating from the compromised Salesloft backend systems and targeting Salesforce APIs; the observable pattern is suspicious high-volume data egress from Salesforce rather than a specific address or domain.
- **File indicators:** None reported, since no malware was deployed. Any file-level artifacts would be limited to configuration files or authentication material associated with the compromised Drift integration token.
- **Behavioral indicators:** Unusual systematic querying and bulk export functions executed against Salesforce customer interaction and case objects during the August window.
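The behavioral indicator above (systematic bulk export against Case, Contact and similar objects by an integration identity) can be turned into a concrete detection. The following is an added example written for this report, not code from the page, from Salesloft, or from Salesforce: the log format is a constructed, simplified record (timestamp, principal, client app, object, operation, row count) rather than the real Salesforce EventLogFile schema, the sample lines are constructed, and the thresholds (50,000 rows in a two-hour window, or 20x the principal's highest prior daily volume) are assumptions to be tuned against a tenant's own baseline.

```python
"""Flag bulk-export behaviour by an integration identity against sensitive Salesforce objects.

Added example. The log format is a constructed simplification (not the real
Salesforce EventLogFile schema); sample lines and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_OBJECTS = {"Case", "Contact", "Account"}
EXPORT_OPERATIONS = {"Query", "BulkApiJob", "Export"}

# Constructed sample: a few days of small, routine syncs by the chat-bot
# integration user, then a large pull in the early hours of Aug 12, plus one
# ordinary human query for contrast. Fields: ts,principal,app,object,op,rows
SAMPLE_LOG = """\
2025-08-05T09:00:00Z,drift-integration,Drift,Contact,Query,40
2025-08-05T13:00:00Z,drift-integration,Drift,Contact,Query,35
2025-08-06T09:00:00Z,drift-integration,Drift,Contact,Query,42
2025-08-06T14:00:00Z,drift-integration,Drift,Case,Query,10
2025-08-12T02:05:00Z,drift-integration,Drift,Case,BulkApiJob,150000
2025-08-12T02:40:00Z,drift-integration,Drift,Contact,BulkApiJob,90000
2025-08-12T03:10:00Z,drift-integration,Drift,Account,Query,25000
2025-08-12T10:00:00Z,alice@example.com,Browser,Case,Query,15
"""


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, app, obj, op, rows = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal, "app": app, "object": obj,
            "op": op, "rows": int(rows),
        })
    return events


def find_bulk_exports(events, window=timedelta(hours=2),
                      abs_rows=50_000, baseline_multiplier=20):
    """Return one alert per export event whose trailing-window row total is
    either above abs_rows or above baseline_multiplier times the principal's
    largest prior daily total. Only sensitive objects and export-style
    operations count; a principal with no prior history gets the absolute
    threshold only, so a brand-new identity cannot hide behind a zero baseline."""
    events = sorted(events, key=lambda e: e["ts"])
    per_principal = defaultdict(list)                 # principal -> sorted events
    daily = defaultdict(lambda: defaultdict(int))      # principal -> date -> rows
    for e in events:
        if e["object"] in SENSITIVE_OBJECTS and e["op"] in EXPORT_OPERATIONS:
            per_principal[e["principal"]].append(e)
            daily[e["principal"]][e["ts"].date()] += e["rows"]

    alerts = []
    for principal, evs in per_principal.items():
        for i, e in enumerate(evs):
            start = e["ts"] - window
            window_rows = sum(x["rows"] for x in evs[: i + 1] if x["ts"] > start)
            prior = [r for d, r in daily[principal].items() if d < e["ts"].date()]
            baseline = max(prior) if prior else 0
            if window_rows >= abs_rows or (baseline and window_rows > baseline_multiplier * baseline):
                alerts.append({
                    "principal": principal,
                    "app": e["app"],
                    "window_end": e["ts"].isoformat(),
                    "window_rows": window_rows,
                    "baseline_daily_rows": baseline,
                })
    return alerts


if __name__ == "__main__":
    for a in find_bulk_exports(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['principal']} via {a['app']} at {a['window_end']}: "
              f"{a['window_rows']} rows in window (prior daily max {a['baseline_daily_rows']})")
```

Run against the constructed sample, only the integration identity is flagged, starting with the first 150,000-row job at 02:05 on August 12 against a prior daily maximum of 75 rows; the human query is well under both thresholds. In a real deployment the baseline would come from several weeks of history per connected app, and the alert would carry enough context (object, operation, client app) to decide quickly whether to revoke the integration's token.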
## Response Actions
- **Containment measures:** Cloudflare disabled its Drift user account and purged all Salesloft software and browser extensions from its systems. Salesloft disconnected the Drift platform and paused the Salesforce-Salesloft integration.
- **Eradication steps:** Cloudflare rotated all 104 identified compromised API tokens. Mandiant conducted a review of the Salesloft platform.
- **Recovery actions:** Affected customers were urged to rotate credentials/tokens shared in support tickets. Salesloft worked to secure its platform pending investigation completion.
## Lessons Learned
- **Key takeaways:** Third-party B2B integration risk (supply chain attacks via trusted vendors like Salesloft Drift) presents a severe vector for accessing sensitive backend data like Salesforce instances. Credentials and secrets shared in support tickets pose a significant data leakage risk.
- **What could have been done better:** Salesforce/Salesloft likely could have improved detection of the systematic bulk extraction activity. Cloudflare noted Salesloft revoked connections *before* notifying customers, suggesting response coordination could be improved.
## Recommendations
- **Prevention measures for similar incidents:** Strictly vet and minimize the scope of access granted to third-party integrations (especially AI tools) accessing sensitive platforms like Salesforce. Implement strict data-loss prevention (DLP) policies specifically monitoring bulk data exports from critical CRM/Cloud service environments. Mandate regular, automated rotation of any stored secrets or tokens found within support documentation or case files.
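The last recommendation, finding and rotating secrets that customers paste into support cases, needs a way to locate them first. The following is an added example, not code from the page or from any of the vendors named in it: it scans constructed support-case records for a few well-known credential shapes (the AWS access key ID prefix, an `aws_secret_access_key` assignment, and generic `token=`/`secret=`/`api_key=`/`password=` assignments) and reports redacted findings so a rotation ticket can be raised without copying the secret again. The case records and the token value in them are constructed; the AWS values are the placeholder credentials from AWS documentation. There is no published format for Snowflake tokens, so they are only caught by the generic keyword pattern, which is an assumption of this example.

```python
"""Locate credentials shared in support-case text and report them redacted.

Added example. Case records below are constructed; the AWS values are the
documentation placeholders. Patterns are illustrative, not exhaustive.
"""
import re

# Well-known or generic credential shapes. Group 1 (where present) is the value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    # Generic "name = value" assignments for common secret keywords; catches
    # vendor tokens with no fixed public format (e.g. a warehouse token).
    "generic_assigned_secret": re.compile(
        r"(?i)\b(?:token|secret|api[_-]?key|password)\b\s*[=:]\s*(\S{8,})"),
}

# Constructed sample cases: two contain secrets, one does not.
SAMPLE_CASES = [
    {"id": "CASE-0001", "subject": "Lambda deploy failing",
     "body": ("Here is my config:\n"
              "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
              "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")},
    {"id": "CASE-0002", "subject": "Warehouse connection refused",
     "body": "Connecting with token=sfAbC123xyz789 and it still fails (constructed sample)"},
    {"id": "CASE-0003", "subject": "Dashboard shows wrong timezone",
     "body": "Nothing sensitive here, just a UI bug."},
]


def redact(value, keep=4):
    """Keep a short prefix so the owner can recognise the credential, mask the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_case(case):
    """Return redacted findings for one case (subject and body are both scanned)."""
    findings = []
    text = f"{case['subject']}\n{case['body']}"
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(m.lastindex or 0)
            findings.append({"case_id": case["id"], "kind": kind,
                             "redacted": redact(value), "length": len(value)})
    return findings


def scan_cases(cases):
    """Scan a batch of cases; the result is safe to attach to a rotation ticket."""
    return [f for case in cases for f in scan_case(case)]


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f['case_id']}: {f['kind']} -> {f['redacted']} ({f['length']} chars)")
```

The scanner deliberately returns only redacted values and lengths, so the rotation workflow itself never becomes another store of live secrets. Running it on a schedule over recently closed cases, and treating every hit as a credential to rotate rather than merely delete from the ticket, is the practical form of the rotation mandate above.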