Salesloft Drift Breach Fallout: Cloudflare, Palo Alto Networks, SpyCloud, and Others Grapple with SaaS Supply Chain Attack


A sophisticated supply chain attack, leveraging OAuth tokens stolen in the Salesloft Drift breach, has resulted in unauthorized access to Salesforce environments across hundreds of global enterprises. Impacted vendors span cybersecurity, SaaS, cloud services, and platform providers. These affected vendors have started notifying their customers of exposure of sensitive data from various Salesforce objects, including Account, Contact, Case and Opportunity records.

Severity Level: High

Confirmed Affected Organizations

1. Cloudflare

  • Breach Summary: Between Aug 12–17, threat actor GRUB1 accessed Cloudflare’s Salesforce case objects via compromised OAuth tokens tied to the Salesloft Drift integration. Data exposed included customer contact info, support communications, and 104 API tokens (all rotated). The access was read-only; no Cloudflare infrastructure was breached.
  • Impact Area: Salesforce CRM
  • Status: Publicly Confirmed
  • Source: https://blog.cloudflare.com/response-to-salesloft-drift-incident/

2. Palo Alto Networks

  • Breach Summary: OAuth tokens obtained from Drift enabled unauthorized access to CRM metadata and sales-related support cases. Data exposure was limited to business contact information, internal sales account data, and basic case data related to customers. No impact to Palo Alto Networks products or services. Affected customers were contacted selectively.
  • Impact Area: Salesforce CRM
  • Status: Publicly Confirmed
  • Source: https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/

3. Tenable

  • Breach Summary: Threat actors accessed Salesforce metadata via an OAuth token tied to the Drift integration. Exposed fields include Tenable support case subject lines and initial descriptions, and business contact info (such as names, email addresses, phone numbers, and regional/location references). No indication of deeper compromise. Tenable response actions: revoked and rotated all compromised credentials, secured the systems, disabled and removed all applications integrated with Salesloft, actioned indicators of compromise, and maintained continuous monitoring.
  • Impact Area: Salesforce CRM
  • Status: Internal Memo (not public)
  • Source: https://news.risky.biz/risky-bulletin-youtubers-unmask-and-help-dismantle-giant-chinese-scam-ring/

4. Astrix Security

  • Breach Summary: Attackers used a separate OAuth pathway (not Drift) to access Astrix’s Google Workspace and AWS services via third-party app integrations. Exfiltrated access tokens were used to access cloud APIs. Astrix discovered suspicious token behavior using anomaly detection and has since hardened OAuth access policies.
  • Impact Area: Google Workspace, AWS
  • Status: Publicly Confirmed
  • Source: https://astrix.security/learn/blog/critical-update-astrix-research-team-discovers-unc6395-oauth-compromise-spanning-salesforce-google-workspace-and-aws/

5. Other organizations affected: SpyCloud, Tanium, PagerDuty, Exclaimer, Cloudinary.

Recommendations

1. Salesforce Environment Review

  • Conduct a comprehensive audit of Salesforce login history, event monitoring logs, and API access from August 8 onward.
  • Focus on the Drift Connected App and its associated connection user.
  • Look for:
    • Suspicious login attempts or authentication anomalies
    • Unusual SOQL queries (UniqueQuery events) targeting sensitive objects (e.g., Account, Contact, Opportunity, Case)
    • Requests with suspicious user agents (e.g., Python/3.11 aiohttp/3.12.15)
    • Access originating from known malicious IPs linked to UNC6395 (IoC collection: https://www.virustotal.com/gui/collection/52be7f1170700dfed362c3c3a751aef725ca5113614b1fb534dae9b723ead896/iocs)
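The review above can be scripted. The following is an added example (not from the advisory or from Salesforce) that triages a simplified, constructed API-event export: it keeps only events from August 8 onward and flags the indicators listed here, generalising the advisory's example user agent to any Python/aiohttp client. The column names, the 10,000-row bulk threshold and the IoC IP set are assumptions; replace the IP set with the UNC6395 IoC collection.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed, simplified API-event export for this example. The column names are
# illustrative, not the exact Salesforce EventLogFile / ApiEvent schema.
SAMPLE_EVENTS = """\
TIMESTAMP,USER_NAME,CONNECTED_APP,CLIENT_IP,USER_AGENT,QUERY,ROWS_PROCESSED
2025-08-12T03:14:07Z,drift-integration@example.com,Drift,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id, Subject, Description FROM Case",250000
2025-08-12T03:20:11Z,drift-integration@example.com,Drift,198.51.100.7,Drift/1.0,"SELECT Id, Name FROM User LIMIT 1",1
2025-08-13T09:02:45Z,analyst@example.com,InternalReporting,192.0.2.25,Mozilla/5.0,"SELECT Name FROM Account WHERE Industry = 'Energy'",40
2025-07-01T10:00:00Z,drift-integration@example.com,Drift,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id FROM Contact",5000
"""

WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)  # review window from the advisory
SENSITIVE_OBJECTS = {"Account", "Contact", "Opportunity", "Case"}
SUSPICIOUS_UA = re.compile(r"Python/\d|aiohttp", re.I)     # generalises the advisory's example UA
BULK_ROWS = 10_000                                          # assumed baseline; tune per org
IOC_IPS = {"203.0.113.10"}                                  # placeholder; load the UNC6395 IoC list here

def queried_object(soql: str):
    """Return the object named in the SOQL FROM clause, or None."""
    m = re.search(r"\bFROM\s+(\w+)", soql, re.I)
    return m.group(1) if m else None

def triage(csv_text: str) -> list:
    """Flag in-window API events that match one or more of the advisory's indicators."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["TIMESTAMP"].replace("Z", "+00:00"))
        if ts < WINDOW_START:
            continue  # outside the incident window
        reasons = []
        if SUSPICIOUS_UA.search(row["USER_AGENT"]):
            reasons.append("suspicious_user_agent")
        obj = queried_object(row["QUERY"])
        if row["CONNECTED_APP"] == "Drift" and obj in SENSITIVE_OBJECTS:
            reasons.append(f"drift_query_on_{obj}")
        if int(row["ROWS_PROCESSED"]) >= BULK_ROWS:
            reasons.append("bulk_rows_processed")
        if row["CLIENT_IP"] in IOC_IPS:
            reasons.append("ioc_ip_match")
        if reasons:
            findings.append({"timestamp": row["TIMESTAMP"], "user": row["USER_NAME"],
                             "ip": row["CLIENT_IP"], "reasons": reasons})
    return findings
```

Only the first sample row is reported: the pre-window row is dropped even though it matches every indicator, and the Drift lookup of a non-sensitive object is left alone.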

2. Identity Provider (IdP) Log Analysis

  • Review logs from your IdP for the incident window to detect unusual login attempts or authentications into Salesforce or other SaaS platforms integrated with Drift.
  • Pay attention to:
    • Logins from unexpected geolocations
    • MFA bypass attempts
    • Sudden spikes in service account activity

3. Network and Proxy Monitoring

  • Analyze network flow logs and proxy logs for:
    • Salesforce connections originating from suspicious IPs tied to this campaign
    • High-volume data transfers that deviate from normal usage baselines

4. Secret Exposure Scanning

  • Use automated tools such as Trufflehog or GitLeaks to search for:
    • Hardcoded credentials in code repositories
    • Configuration files that may have been exfiltrated
    • Secrets inadvertently stored in Salesforce case attachments

5. Sensitive Data Validation

  • If exfiltration is confirmed or suspected, analyze compromised data sets for:
    • Cloud credentials (AWS Access Keys, e.g., AKIA…; Snowflake credentials; OAuth tokens)
    • Generic secret indicators (password, secret, key)
    • Org-specific identifiers such as VPN, SSO, or internal login URLs
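Sections 4 and 5 both come down to scanning exported case text for the indicators listed. The block below is an added example (not the advisory's or any vendor's tooling) that runs those checks over constructed Salesforce case bodies and reports only a redacted preview of each hit, so the triage output does not re-expose the secret. The AKIA prefix is from the advisory; ASIA is the prefix of temporary AWS credentials; the remaining patterns and the sample cases are this example's assumptions.

```python
import re

# Indicator patterns: AWS access key IDs, Snowflake account hosts, bearer tokens,
# generic secret assignments, and org-specific VPN/SSO/login URLs.
# Patterns are this example's assumptions; tune them to your environment.
INDICATORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_account_host": re.compile(r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "oauth_bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "generic_secret_assignment": re.compile(r"\b(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*\S+", re.I),
    "internal_access_url": re.compile(r"https?://(?:vpn|sso|login)\.[\w.-]+", re.I),
}

def redact(value: str) -> str:
    """Keep only a short prefix so findings can be triaged without re-exposing the secret."""
    return f"{value[:6]}...[{len(value)} chars]"

def scan_text(text: str) -> list:
    """Return one redacted hit per indicator match in a single text body."""
    hits = []
    for name, pattern in INDICATORS.items():
        for m in pattern.finditer(text):
            hits.append({"indicator": name, "preview": redact(m.group(0))})
    return hits

def scan_records(records: list) -> list:
    """Scan a list of {"case_id", "body"} records, e.g. an export of compromised cases."""
    findings = []
    for rec in records:
        for hit in scan_text(rec["body"]):
            findings.append({"case_id": rec["case_id"], **hit})
    return findings

# Constructed Salesforce case bodies for this example (not real customer data).
SAMPLE_CASES = [
    {"case_id": "CASE-0001", "body": "Ingest fails with AKIAIOSFODNN7EXAMPLE, see attached config."},
    {"case_id": "CASE-0002", "body": "Connect via https://vpn.example.com then log in. password: Winter2025!"},
    {"case_id": "CASE-0003", "body": "Dashboards are slow since the last release."},
    {"case_id": "CASE-0004", "body": "Warehouse xy12345.us-east-1.snowflakecomputing.com, header Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructed"},
]
```

Every hit is a credential-rotation candidate for section 6; the preview is enough to locate the record without copying the secret into a ticket.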

6. Credential Rotation and Containment

  • Immediately rotate any credentials found or suspected to be exposed.
  • Prioritize:
    • Salesforce API keys and Connected App credentials
    • Secrets previously shared in Salesforce support cases
    • OAuth tokens used by third-party integrations
    • Cloud service access keys (AWS, Snowflake, GCP, Azure, etc.)

Source:

  • https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/

Ampcus Cyber