Cloudflare and Zscaler hit in latest Salesloft Drift supply chain attack
Cloudflare believes breach part of a broader campaign to harvest credentials for future targeted attacks
Cloudflare and Zscaler have confirmed that they are both among the recent surge of data breaches linked to the Salesloft Drift supply chain attack. These internet and cloud service businesses are unlikely to be the last of their kind affected by the Salesforce breach.
The internet infrastructure giant Cloudflare has revealed that threat actors compromised a Salesforce instance it uses internally for managing customer cases and support.
The attackers gained access to 104 Cloudflare API tokens stored within this system.
Cloudflare was first alerted to the breach on 23 August and informed affected customers on 2 September.
Before notifying customers, the company proactively rotated all exposed API tokens to prevent unauthorised use, despite finding no evidence of malicious activity connected to these tokens so far.
According to Cloudflare, the compromised information primarily consisted of customer contact details and basic support case data. However, some customer interactions included sensitive configuration details and access tokens.
"Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system, including logs, tokens or passwords, should be considered compromised," the company warned.
The investigation found that threat actors exfiltrated only text-based data stored within Salesforce case objects, including support ticket subjects, the body of the case (which may contain secrets or keys if provided by customers), and contact information like company names, emails, phone numbers, domain names, and company locations.
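One defender-side follow-up to this finding: scan an export of your own support-case bodies for credential-shaped strings so you know exactly which secrets to rotate. This is an added example, not code from Cloudflare, Salesforce or Salesloft; the case texts, the pattern set and the entropy threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of exported support-case bodies (not real customer data).
CASES = {
    "case-1": "My WAF rule isn't firing. Zone: example.com, rule id 12345.",
    "case-2": "Reproduce with my key: api_key=Zx9q2LmP7vQ3nT8wR4yK6bH1jC5dF0gA",
    "case-3": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature' https://api.example.com/v1",
    "case-4": "Test account login is admin, password: changeme",
    "case-5": "Worker env dump from the logs: AKIAIOSFODNN7EXAMPLE appeared in output",
}

# Assumed patterns: key=value / key: value with a credential-like key name,
# bearer headers pasted from curl, and the AWS access-key-id shape.
PATTERNS = {
    "assignment": re.compile(
        r"(?i)\b(token|secret|password|api[_-]?key|authorization)\b\s*[:=]\s*(\S{8,})"),
    "bearer": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9_\-.=]{20,})"),
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as 'changeme' score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_secrets(body: str, min_entropy: float = 3.0) -> list[tuple[str, str]]:
    """Return (kind, candidate) pairs that look like real credentials."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(body):
            candidate = m.group(m.lastindex)  # last group holds the value
            if shannon_entropy(candidate) >= min_entropy:
                hits.append((kind, candidate))
    return hits

def mask(secret: str) -> str:
    """Keep only a short prefix so the triage report does not leak the value."""
    return secret[:4] + "*" * (len(secret) - 4)

def triage(cases: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Case id -> credential candidates; every entry is a rotate-now item."""
    return {cid: hits for cid, body in cases.items() if (hits := find_secrets(body))}

if __name__ == "__main__":
    for case_id, hits in triage(CASES).items():
        for kind, secret in hits:
            print(f"{case_id}: {kind} -> {mask(secret)} (rotate)")
```

Tune the pattern set to the credential formats your own tooling issues; the entropy gate exists only to drop obvious placeholders, not to certify a string as harmless.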
This data was accessed between 12 and 17 August, following an initial reconnaissance phase on 9 August.
Cloudflare believes this breach is part of a broader attack campaign intending to harvest credentials and customer information for future targeted attacks.
The incident forms part of a larger wave of attacks since early 2025, attributed to the ShinyHunters extortion group, which has targeted Salesforce customers through voice phishing (vishing).
These tactics trick employees into authorising malicious OAuth applications linked to their Salesforce instances, allowing hackers to steal databases subsequently used for extortion.
Victims have included high-profile companies such as Google, Cisco, Adidas, Allianz Life, Qantas, Farmers Insurance, Workday, and luxury groups including Louis Vuitton, Dior, and Tiffany & Co.
Zscaler discloses data breach
In a related development, cloud security firm Zscaler also disclosed a data breach resulting from the same cyberattack on Salesforce.
The attackers accessed Salesloft Drift OAuth tokens, enabling them to extract business contact details and Salesforce-related data, including full names, job titles, emails, phone numbers, location information, Zscaler product licensing, commercial details, and plaintext support case content.
Zscaler said that the breach affected Salesforce data only and did not impact any of Zscaler's products, services, systems, or infrastructure.
Despite no evidence of data misuse, the company warned customers to be vigilant against phishing attempts or social engineering attacks that could exploit the leaked information.
To mitigate risks, Zscaler revoked Salesloft Drift's access to its Salesforce data and enhanced customer authentication protocols to better defend against potential phishing.
"Given that other organizations have suffered similar incidents stemming from Salesloft Drift, it's crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information," Zscaler said.
The company also cautioned customers that it will never request authentication or authorisation details via phone or SMS.