Salesloft Drift Breach Rolls Up Cloudflare, Palo Alto, Zscaler, and Others
Salesforce instances were hit by a supply-chain attack through an OAuth weakness in the Salesloft Drift app, exposing sensitive data and API tokens belonging to Cloudflare, Palo Alto Networks and other companies. The attackers, tracked as the UNC6395 threat group, stole information including CRM data and cloud-service credentials. 2025-9-3 19:13:53 Author: securityboulevard.com

The ever-widening series of supply chain attacks on Salesforce instances linked to Salesloft’s Drift app has claimed a number of new victims in recent days, including Cloudflare, Palo Alto Networks, and Zscaler.

Cybersecurity firms SpyCloud and PagerDuty also said they were hit by the UNC6395 threat group, which exploited a vulnerability in the Salesloft Drift OAuth integration with Salesforce to steal sensitive information from reportedly hundreds of organizations.

According to the Google Threat Intelligence Group (GTIG), UNC6395 targeted Salesforce customers’ instances from August 8 through at least August 18 via compromised OAuth tokens associated with the Salesloft Drift app, which is used by sales and marketing groups to automate sales workflows.


Salesloft bought Drift early last year.

In a blog post this week, security executives with Cloudflare said bad actors accessed the company’s Salesforce instance that it uses for customer support and case management. While most of the information contained in the instance is customer contact information and support case data, “some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens,” they wrote.

“Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system – including logs, tokens or passwords – should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel,” they wrote.

They also found 104 Cloudflare API tokens that had been compromised; those tokens have since been rotated.

First Recon, Then Attack

Cloudflare, which tracks the threat group as “GRUB1,” said the attackers ran initial reconnaissance against Cloudflare on August 9, then compromised and exfiltrated data from its Salesforce tenant between August 12 and 17, with the exposure limited to Salesforce case objects, which primarily hold customer support tickets and related data.

“Cloudflare does not request or require customers to share secrets, credentials, or API keys in support cases,” they wrote. “However, in some troubleshooting scenarios, customers may paste keys, logs, or other sensitive information into the case text fields. Anything shared through this channel should now be considered compromised.”

Palo Alto Networks CISO Marc Benoit this week wrote that the company was among hundreds of others impacted by the third-party vulnerability. The attack was isolated to its customer relationship management (CRM) platform, with the exposed data mostly involving business contact information, internal sales accounts, and “basic case data” related to customers.

The company disconnected from the Salesforce tenant after learning of the breach.

Like others, SpyCloud, another security firm, wrote this week that the data accessed by the threat actor was standard CRM information and that the OAuth token connecting Salesloft Drift to Salesforce has been disconnected.

Zscaler and PagerDuty reported similar incidents late last week.

Sensitive Data Was Targeted

While most victims reported that the exfiltrated data primarily involved CRM and other customer data such as contact information, GTIG researchers noted that UNC6395 also targeted “sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.”

They also pushed back on Salesloft’s statement that the threat was limited to Salesloft’s integration with Salesforce, saying that the attacker also compromised OAuth tokens for Drift Email integrations and used those tokens to access email from a small number of Google Workspace accounts.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the researchers wrote.

APIs’ Critical Role in Modern IT

In an increasingly distributed and cloud-based business environment, the central role played by APIs continues to grow, according to Mayur Upadhyaya, CEO at API monitoring firm APIContext.

“When OAuth-based APIs serve as bridges between vendors, customers, and CRMs, the risk of lateral data exposure rises sharply,” Upadhyaya said, adding that the Salesloft Drift situation “wasn’t a vulnerability in core infrastructure, it was a gap in visibility and scoped access across the digital supply chain. Enterprises need to treat these integrations as part of their operational backbone, not as plug-ins.”

Proactive API conformance testing and continuous monitoring of automation and third-party flows are becoming more critical to both resilience and regulatory readiness, he said.

Threat researchers with Grip Security wrote in a blog post that the Salesloft Drift breaches are different from other recent social-engineering based attacks run by the ShinyHunters threat group.

“The spotlight has finally swung toward the integration layer, and what’s emerging should worry every SaaS security leader,” the researchers wrote. “This one isn’t just another credential theft story; it’s more calculated. Attackers didn’t just gain access; they systematically exported sensitive data from hundreds of Salesforce instances. However, because the initial compromise involved OAuth tokens, not credentials, attackers bypassed logins, slipped past MFA [multi-factor authentication], and operated undetected until the data was long gone.”

Attacks Signal a Shift

The Salesloft Drift attacks are a shift in tactics, they wrote.

“This wasn’t about tricking users, but exploiting the connection and permissions between applications,” the researchers wrote, pointing to GTIG’s finding that the attacks weren’t limited to Salesforce. “Other Drift-connected integrations, including email, were also impacted. That token, once issued, became a master key used to quietly unlock Salesforce data across multiple tenants. No phishing required. Just a compromised integration and an exposed token.”

When talking about SaaS security, most conversations focus on the apps themselves. However, more attention needs to be paid to exposures between apps that are found in the integrations, permissions, and “trust relationships.”

“The rise of these attacks points to a blind spot,” according to Grip Security. “It’s not just about shadow SaaS anymore. It’s about shadow integrations: the connected web of app relationships that no one is monitoring. Sales teams connect Drift to Salesforce. Marketing layers in analytics tools. Customer support installs help desk apps. One misconfigured integration, one breached app, and your Salesforce tenant becomes the exit ramp for exfiltration.”

The Salesloft breach “underscores how vulnerable SaaS environments become when integrations aren’t monitored, scoped, or continuously reviewed,” they wrote.

How to Scan for Secrets

Google’s recommendations to organizations include running scanning tools across Salesforce data to detect exposed secrets and hardcoded credentials. GitGuardian on Wednesday published a guide for doing so.

“The breach demonstrates that attackers are systematically harvesting credentials from compromised business systems, and as Cloudflare discovered, they’re finding them,” wrote Guillaume Valadon, staff cybersecurity researcher for GitGuardian, noting that attackers on August 9 unsuccessfully tried to verify a token against a Cloudflare customer tenant. “This shows that hardcoded secrets discovered in previous attacks were already being weaponized against other targets.”
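The scan Google recommends can be done on an export of case records, checking each free-text field for the secret types the article says were harvested and reporting only a redacted fragment so the remediation list itself does not become a new leak. This is an added example, not GitGuardian’s tool or the article’s own code; the AKIA shape is AWS’s documented access key ID format, while the password and bearer patterns and the sample case records are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Patterns for the secret types the article says UNC6395 harvested from
# support-case text. The AKIA shape is AWS's documented access key ID format;
# the password and bearer patterns are illustrative assumptions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{20,})"),
}

@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # never store or log the full secret

def redact(secret: str) -> str:
    """Keep only enough of the value to identify which credential to rotate."""
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 8 else "***"

def scan_records(records):
    """Scan every free-text field of exported case records and return findings."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(rec["Id"], field, kind, redact(secret)))
    return findings

# Constructed sample export (hypothetical case records, not real data).
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "Worker returns 500",
     "Description": "curl output attached: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl",
     "Comments": "Please rotate the key AKIAIOSFODNN7EXAMPLE once this is fixed."},
    {"Id": "5002", "Subject": "Dashboard login fails",
     "Description": "Error 403 after SSO redirect.",
     "Comments": "Also tried password=Hunter2-constructed with no luck."},
    {"Id": "5003", "Subject": "Connector timeout",
     "Description": "Snowflake connector fails intermittently.", "Comments": ""},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_CASES):
        print(f"case {f.record_id} field {f.field}: {f.kind} {f.redacted}")
```

Each finding names the case and field so the owning team can rotate the credential and scrub the ticket, which is the action Cloudflare asked its customers to take.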

Source: https://securityboulevard.com/2025/09/salesloft-drift-breach-rolls-up-cloudflare-palo-alto-zscaler-and-others/?utm_source=rss&utm_medium=rss&utm_campaign=salesloft-drift-breach-rolls-up-cloudflare-palo-alto-zscaler-and-others