The fallout from the Salesloft supply-chain attack continues to expand, with cybersecurity giants Cloudflare and Palo Alto Networks now confirming they were also victims of the widespread data breach. The attack, which originated from the compromise of Salesloft’s Drift platform, has allegedly led to the unauthorized access of sensitive customer information from the Salesforce environments of these major tech companies. This development follows the recent disclosure of a similar breach at Zscaler, indicating a broad and opportunistic campaign by the threat actors.
The two newly disclosed victims are major players in the cybersecurity industry, providing critical services to a vast number of global organizations. The impact of the breach appears to vary between the two companies, with both stating that their core products and services were not affected by the incident.
- Cloudflare 🇺🇸: A San Francisco-based company that is a global leader in web performance and security services, providing content delivery network services, DDoS mitigation, and internet security.
- Palo Alto Networks 🇺🇸: A Santa Clara-based multinational cybersecurity company that is a leading provider of advanced firewalls and cloud-based security solutions.
The threat actors, identified as UNC6395, allegedly exfiltrated data by using compromised OAuth tokens from the Salesloft Drift integration to access the companies’ Salesforce instances. In the case of Cloudflare, the exposed information reportedly includes customer contact details and the content of support cases, which could contain sensitive information such as API tokens, keys, or passwords shared by customers. Palo Alto Networks has stated that the breach primarily exposed business contact information and details from some support cases. Both companies have confirmed that they have taken steps to mitigate the impact, including revoking compromised credentials, and are notifying affected customers.