Cloudflare Says Customer Support Data Impacted In Salesloft Drift Breach

‘Any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised,’ the company says in a post Tuesday.

Cloudflare disclosed Tuesday that customer support data may have been compromised in the widespread attacks targeting Salesloft Drift.

The company became the latest to confirm it was affected in the attacks involving stolen authentication tokens for Drift, a sales workflow automation application owned by Salesloft, which threat actors have used to steal data from Salesforce CRM systems.

[Related: 10 Major Cyberattacks And Data Breaches In 2025 (So Far)]

Google, Zscaler and Palo Alto Networks are among the other companies that have confirmed being impacted in the attacks in recent days.

In a post Tuesday, Cloudflare said that there is a potential that sensitive customer data was stolen in the attack.

“Most of [the compromised] information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens,” the Cloudflare post said.

“Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel,” the post said.

CRN has reached out to Cloudflare for further comment.

The campaign was first disclosed by the Google Threat Intelligence Group on Aug. 26. Google itself has been among the victims, the company said, with a threat actor found to have used stolen tokens to “access email from a very small number of Google Workspace accounts” on Aug. 9.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the Google Threat Intelligence Group said in its post. “We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”

The attacks—linked to a threat group tracked by Google threat researchers as UNC6395—are believed to have taken place between Aug. 8 and Aug. 18, according to the post.