5 Cybersecurity Vendors Impacted In Salesloft Drift Breach

The attacks have involved stolen authentication tokens for Salesloft-owned Drift, which threat actors have used to steal data from Salesforce CRM systems.

The list of victims impacted in the widespread attacks targeting Salesloft Drift includes a number of well-known cybersecurity vendors, according to disclosures from the vendors in recent days.

The attacks have involved stolen authentication tokens for Salesloft-owned workflow automation app Drift, which threat actors have used to steal data from Salesforce CRM systems.


Cybersecurity vendors that have disclosed so far that they were impacted in the attacks include Tanium, Zscaler, Palo Alto Networks, Cloudflare and SpyCloud, though researchers have said that the list is likely to grow.

One cybersecurity vendor, Okta, has reported thwarting an attempted attack involving Salesloft Drift.

The identity security vendor said Tuesday that security measures implemented after prior breaches in 2022 and 2023 helped to fend off the attackers. Those measures included enforcing inbound IP restrictions on Salesforce, “blocking the unauthorized attempt at the front door before any access could be gained,” Okta said in the post Tuesday.

“The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address,” the company said.

The Salesloft Drift campaign was first disclosed by the Google Threat Intelligence Group on Aug. 26. Google itself has been among the victims, the company said, with a threat actor found to have used stolen tokens to “access email from a very small number of Google Workspace accounts” on Aug. 9.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the Google Threat Intelligence Group said in its post. “We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”

The attacks—linked to a threat group tracked by Google threat researchers as UNC6395—are believed to have taken place between Aug. 8 and Aug. 18, according to the post.
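The control Okta credits, checking where a token is used from and not only whether it is valid, can also be run after the fact as a review of integration access records. The Python below is an added example, not code from Okta, Google or Salesloft; the record fields, the allow-listed ranges and the sample events are constructed assumptions, and the date window is the Aug. 8 to Aug. 18 period reported above.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed values: documentation-range CIDRs stand in for an organization's
# trusted egress ranges; the window is the campaign period reported by Google.
ALLOWED_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("2001:db8:10::/48")]
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive, covers all of Aug. 18

# Constructed sample records; field names are hypothetical, not a Salesforce log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-07T23:10:00+00:00", "app": "Drift", "source_ip": "198.51.100.7"},
    {"ts": "2025-08-09T02:14:00+00:00", "app": "Drift", "source_ip": "192.0.2.15"},
    {"ts": "2025-08-12T04:41:00+00:00", "app": "Drift", "source_ip": "203.0.113.77"},
    {"ts": "2025-08-13T09:00:00+00:00", "app": "Drift", "source_ip": "2001:db8:10::5"},
    {"ts": "2025-08-18T23:59:00+00:00", "app": "Drift", "source_ip": "not-an-ip"},
    {"ts": "2025-08-15T11:00:00+00:00", "app": "OtherApp", "source_ip": "203.0.113.77"},
]

def is_allowed(source_ip):
    """True only if the address parses and falls inside an allow-listed network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # fail closed: an unparseable source is never trusted
    return any(addr.version == net.version and addr in net for net in ALLOWED_NETWORKS)

def triage(events, app="Drift"):
    """Split one integration's token use inside the window by source network."""
    outside, inside = [], []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["app"] != app or not (WINDOW_START <= ts < WINDOW_END):
            continue
        (inside if is_allowed(ev["source_ip"]) else outside).append(ev)
    return outside, inside

if __name__ == "__main__":
    flagged, _ = triage(SAMPLE_EVENTS)
    for ev in flagged:
        print("review:", ev["ts"], ev["app"], ev["source_ip"])
```

Events from allow-listed ranges are not cleared by this check; it only separates the connections an inbound IP restriction would have refused.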

What follows are the details on five cybersecurity vendors impacted in the Salesloft Drift breach campaign.

Tanium

In a disclosure posted online on Aug. 28, Tanium said it was “recently notified that the attackers had obtained Tanium credentials from Salesloft Drift and may have been able to access Tanium’s Salesforce data.”

The company’s investigation indicated that “the threat actors had limited access to our Salesforce data and the impact of their unauthorized access to Salesloft Drift was limited to Salesforce and no other Tanium systems,” Tanium said.

Impacted customer data was “primarily limited” to common business contact information such as names, business email addresses, phone numbers and regional/location references, the company said.

“Additionally, we can confirm definitively that unauthorized access was limited to our Salesforce data and no access to the Tanium platform or any other internal systems or resources took place,” the vendor said.

Zscaler

In an Aug. 30 advisory, Zscaler disclosed that “unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler” in connection with the campaign.

The breach “allowed limited access to some Zscaler Salesforce information,” according to Zscaler. However, the compromise was restricted to “commonly available business contact details” such as names, email addresses, phone numbers and location details, the company said.

“The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler's products, services or underlying systems and infrastructure,” Zscaler said in its advisory.

SpyCloud

Identity threat protection vendor SpyCloud disclosed Monday it had been “notified of a security incident involving a third-party application that potentially resulted in unauthorized access to data from Salesforce.”

Based on its investigation, “the elements we believe were accessed are standard customer relationship management fields in Salesforce. Consumer data is not believed to have been accessed,” the company said.

“Working with other security researchers, we believe hundreds of other Salesloft customers have been impacted,” SpyCloud added.

Palo Alto Networks

Palo Alto Networks posted an advisory Tuesday confirming that it was among the victims of the Salesloft Drift attacks.

Impacted data “includes mostly business contact information, internal sales account and basic case data related to our customers,” the company said in the advisory.

In a statement provided to CRN, Palo Alto Networks noted that it was “one of hundreds of customers impacted by the widespread supply chain attack” targeting Salesloft Drift.

“Our Unit 42 investigation confirms that this situation did not affect any Palo Alto Networks products, systems, or services,” the company said in the statement.

Cloudflare

Cloudflare disclosed Tuesday that customer support data may have been compromised in the widespread attacks targeting Salesloft Drift.

“Most of [the compromised] information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens,” Cloudflare said in a post.

“Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel,” the post said.