What's Happening?
Cloudflare and Palo Alto Networks have reported breaches of their Salesforce instances resulting from a compromise of the Salesloft Drift app. The breach involved unauthorized access to and data exfiltration from Salesforce tenants between August 12 and 17, 2025. Cloudflare's investigation revealed that the exposure was limited to Salesforce case objects, primarily consisting of customer support tickets and associated data. Palo Alto Networks also confirmed that its Salesforce data was accessed, involving business contact information and basic case data. The threat actor, identified as UNC6395, compromised OAuth tokens associated with the Salesloft Drift application, leading to systematic data exfiltration.
Why Is It Important?
The breach highlights the vulnerability of third-party integrations with major platforms like Salesforce, affecting hundreds of organizations. The compromised data could be used for targeted attacks, posing significant risks to customer privacy and business operations. The affected companies are urging customers to rotate any credentials shared through the compromised channels. The incident underscores the importance of robust cybersecurity measures and of vigilance in monitoring third-party app integrations to prevent data breaches.
What's Next?
Cloudflare and Palo Alto Networks are taking steps to mitigate the impact by rotating compromised API tokens and reaching out to affected customers. The companies are likely to enhance security protocols and scrutinize third-party app integrations more closely. The broader cybersecurity community may see increased efforts to secure OAuth tokens and improve data protection strategies. Stakeholders will be watching for further developments and potential regulatory responses to prevent similar breaches in the future.
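Rotating credentials that customers shared through support tickets, as urged above, first requires knowing which tickets contain them. The following Python is an added example, not code from Cloudflare, Palo Alto Networks, Salesloft or Salesforce: it scans a constructed export of Salesforce case descriptions for credential-shaped strings and produces a redacted worklist for rotation. The sample records and the secret formats are assumptions to be tuned to the credential types your own customers actually paste.

```python
import re
from typing import Dict, List

# Constructed sample of exported Salesforce case records (not real data).
SAMPLE_CASES: List[dict] = [
    {"CaseNumber": "00001001",
     "Description": "Please whitelist my key AKIAEXAMPLE012345678 for the API."},
    {"CaseNumber": "00001002",
     "Description": "Login fails. Using token ghp_" + "a" * 36},
    {"CaseNumber": "00001003",
     "Description": "Dashboard shows 502 errors since yesterday."},
    {"CaseNumber": "00001004",
     "Description": "Auth header: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc"},
]

# Heuristic patterns for credential formats commonly pasted into tickets
# (assumed formats; extend with whatever your own platform issues).
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{20,})"),
}


def redact(secret: str) -> str:
    """Keep only a short prefix/suffix so the finding can be matched to a
    credential by its owner without re-exposing the full value in the report."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_cases(cases: List[dict]) -> List[dict]:
    """Return one finding per credential-shaped match, keyed by case number.
    Only the Description field is scanned here; a real export would also
    include case comments and attachments."""
    findings: List[dict] = []
    for case in cases:
        text = case.get("Description") or ""
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                # Patterns with a capture group isolate the token from its prefix.
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({"case": case["CaseNumber"],
                                 "kind": kind,
                                 "hint": redact(secret)})
    return findings


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(f"case {finding['case']}: rotate {finding['kind']} ({finding['hint']})")
```

The output is a per-case rotation worklist that can be handed to account owners without circulating the exposed secrets a second time.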