Cloudflare and Palo Alto Networks have confirmed that their Salesforce environments were accessed by threat actors through the compromised Salesloft Drift application, marking the latest development in a campaign that has already impacted numerous organizations.
Cloudflare revealed it detected unusual activity in its Salesforce tenant last week. Following an internal investigation, the company confirmed that attackers had gained access and exfiltrated data between August 12–17, 2025, after initial reconnaissance observed on August 9, 2025.
According to the company, the exposure was confined to Salesforce case objects, which are primarily customer support tickets and their associated data. Importantly, no attachments were taken.
Cloudflare emphasized that it does not request or require customers to share sensitive information such as secrets, credentials, or API keys in support cases. However, in certain troubleshooting situations, customers may have included such details within case text fields. For this reason, Cloudflare urged customers to rotate any credentials shared via this channel.
As an additional precaution, the company also rotated 104 Cloudflare API tokens that were identified within the compromised dataset.
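Rotating credentials that customers pasted into support cases presupposes that you can find credential-like strings in the exported case text in the first place. The following is an added example, not code from Cloudflare, Salesforce or Salesloft: a small Python scanner run over constructed case records. The field names (CaseNumber, Subject, Description), the sample records and every secret in them are assumptions constructed for the example; the prefix patterns (AKIA, ghp_, xox, PEM headers) are public formats, while the Cloudflare token pattern is only an approximation (40 token characters, mixed case) that you would tune against real data. Findings are reported as redacted fingerprints, never as the secret itself, so the report can be passed around without re-leaking anything.

```python
import hashlib
import re
from dataclasses import dataclass

# Detection patterns. These are assumptions for the example, not an
# authoritative list: the prefix-style ones are public formats, the
# Cloudflare one only says "40 token characters" and is tightened by a
# character-set check in scan_text so 40-hex commit hashes do not fire.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "cloudflare_api_token": re.compile(
        r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    fingerprint: str  # redacted reference to the secret, never the secret


def _mixed_charset(s):
    """Require lower, upper and digit; filters hex digests and plain words."""
    return (any(c.islower() for c in s) and any(c.isupper() for c in s)
            and any(c.isdigit() for c in s))


def fingerprint(secret):
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"{secret[:4]}...({len(secret)} chars, sha256:{digest})"


def scan_text(text):
    """Return one Finding per distinct credential-like string in text."""
    findings, seen = [], set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "cloudflare_api_token" and not _mixed_charset(value):
                continue
            if value in seen:  # same string matched by two patterns
                continue
            seen.add(value)
            findings.append(Finding(kind, fingerprint(value)))
    return findings


def scan_cases(cases):
    """Return {CaseNumber: [Finding, ...]} for cases with something to rotate."""
    results = {}
    for case in cases:
        text = f"{case.get('Subject', '')}\n{case.get('Description', '')}"
        found = scan_text(text)
        if found:
            results[case["CaseNumber"]] = found
    return results


# Constructed records; every "secret" below is fake and exists only for the example.
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Subject": "DNS not resolving",
     "Description": "Records for example.com fail to resolve since yesterday."},
    {"CaseNumber": "00001002", "Subject": "API returns 403",
     "Description": "curl -H 'Authorization: Bearer v1Ab3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ5' "
                    "https://api.example.com/zones"},
    {"CaseNumber": "00001003", "Subject": "S3 origin pull fails",
     "Description": "Origin creds: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseNumber": "00001004", "Subject": "Commit hash question",
     "Description": "Is build 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 deployed?"},
    {"CaseNumber": "00001005", "Subject": "Cert upload",
     "Description": "-----BEGIN PRIVATE KEY-----\nMIIEvQ...\n-----END PRIVATE KEY-----"},
    {"CaseNumber": "00001006", "Subject": "Token permissions",
     "Description": "Zone token is Q3xT7pLm2VbN9kRsW4yHd8ZcF1aG6jKeU0oPiXnB, please check"},
]

if __name__ == "__main__":
    for number, findings in scan_cases(SAMPLE_CASES).items():
        for f in findings:
            print(f"case {number}: {f.kind} -> {f.fingerprint}")
```

The output is the rotation worklist: case 00001004 produces nothing because a lowercase hex commit hash fails the character-set check, while the other four flagged cases each name the kind of credential to revoke. On real exports, expect to extend the pattern table and to scan comments and email threads attached to cases as well as the description field.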
Palo Alto Networks Also Affected
In a separate disclosure, Palo Alto Networks confirmed that the same threat actor accessed its Salesforce data. The company reported that the compromised information was mostly business contact details, internal sales account data, and basic case records.
While Palo Alto noted that most of the exposed data was not highly sensitive, it stated that it is contacting a limited number of customers whose information may require closer attention.
Broader Campaign and Potential Follow-On Attacks
The breach is part of a larger campaign in which attackers used the OAuth tokens held by the compromised third-party Salesloft Drift app to reach the Salesforce tenants it was integrated with.
Between August 8 and August 18, 2025, the attackers systematically exfiltrated large volumes of data, searching specifically for credentials and sensitive information, according to Google’s Threat Intelligence Group (GTIG).
Cloudflare echoed this analysis and cautioned that with hundreds of organizations compromised, attackers could leverage the stolen information for highly targeted follow-up attacks across affected companies.
This incident follows closely after Zscaler disclosed similar data exposure tied to the same campaign. Some industry experts suspect a nation-state actor may be behind the breach; GTIG, for its part, has found no connection between this campaign and other recent Salesforce-related attacks, such as the ShinyHunters vishing campaign.
Key Takeaway for Enterprises
This breach underscores the rising risks of third-party integrations and the potential for widespread compromise when trust in SaaS applications is abused. Organizations are urged to:
- Review and audit OAuth integrations with CRM and SaaS platforms: inventory which connected apps hold tokens, what scopes and objects they can reach, and revoke any that are no longer needed.
- Rotate any potentially exposed credentials and API tokens immediately, including anything customers or staff may have pasted into support cases.
- Strengthen monitoring and incident response capabilities so that unusual access patterns, such as an integration reading objects or data volumes it never previously touched, are detected early.
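As an added example of what "detect unusual access patterns early" can mean in practice (this is not code from any of the companies named), the Python sketch below baselines each integration user's daily row counts per object and then flags any later day on which the integration queries an object it never touched during the baseline, or returns many times its median volume. The records are constructed and the layout (date, user, connected app, object, rows returned) is a simplification of what you would extract from Salesforce's event logs; the spike factor and minimum-row floor are assumptions to tune.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed, simplified access records: (date, user, connected app, object, rows).
# Real data would come from Salesforce event logs; this layout is an assumption.
EVENTS = [
    *[(f"2025-08-0{d}", "drift-integration@example.com", "Salesloft Drift", "Contact", n)
      for d, n in zip(range(1, 8), (400, 380, 450, 410, 390, 430, 400))],
    *[(f"2025-08-0{d}", "agent@example.com", "Salesforce UI", "Case", 35)
      for d in range(1, 8)],
    ("2025-08-08", "drift-integration@example.com", "Salesloft Drift", "Contact", 420),
    ("2025-08-09", "drift-integration@example.com", "Salesloft Drift", "Case", 600),
    ("2025-08-12", "drift-integration@example.com", "Salesloft Drift", "Case", 30000),
    ("2025-08-12", "drift-integration@example.com", "Salesloft Drift", "Case", 22000),
    ("2025-08-13", "drift-integration@example.com", "Salesloft Drift", "Contact", 8000),
    ("2025-08-14", "agent@example.com", "Salesforce UI", "Case", 50),
]


@dataclass(frozen=True)
class Alert:
    date: str
    user: str
    obj: str
    rows: int
    reason: str


def daily_totals(events):
    """Aggregate rows returned per (date, user, object); several calls per day add up."""
    totals = defaultdict(int)
    for date, user, _app, obj, rows in events:
        totals[(date, user, obj)] += rows
    return totals


def detect(events, baseline_end, spike_factor=5.0, min_rows=1000):
    """Flag days on or after baseline_end (ISO date) that deviate from the baseline.

    A (user, object) pair with no baseline history is flagged outright: an
    integration reading Case records for the first time is itself the signal.
    Otherwise a day is flagged when it exceeds both the min_rows floor (so small
    support queues do not page anyone) and spike_factor times the median.
    """
    totals = daily_totals(events)
    baseline = defaultdict(list)
    for (date, user, obj), rows in totals.items():
        if date < baseline_end:
            baseline[(user, obj)].append(rows)
    alerts = []
    for (date, user, obj), rows in sorted(totals.items()):
        if date < baseline_end:
            continue
        history = baseline.get((user, obj))
        if not history:
            alerts.append(Alert(date, user, obj, rows, "object not queried during baseline"))
            continue
        typical = median(history)
        if rows >= max(min_rows, spike_factor * typical):
            alerts.append(Alert(date, user, obj, rows, f"{rows / typical:.0f}x baseline"))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, "2025-08-08"):
        print(f"{a.date} {a.user} {a.obj}: {a.rows} rows ({a.reason})")
```

On the constructed data the integration's first touch of Case on 2025-08-09 fires even though only 600 rows came back, which is the reconnaissance-sized event you want to catch before the bulk pull on 2025-08-12; the human agent's Case queries never fire because they stay under the floor. In production the same logic runs per connected app as well as per user, and the baseline window should be long enough to cover normal weekly variation.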
As attackers continue to exploit trusted platforms and third-party applications, enterprises must remain vigilant in both governance and observability to reduce exposure and strengthen resilience.
Source: https://www.infosecurity-magazine.com/news/cloudflare-victimized-in-salesloft