Cloudflare, Palo Alto Hit by Salesloft Drift Breach
🔒 Cloudflare and Palo Alto Networks disclosed that threat actors accessed their Salesforce tenants via the third‑party Salesloft Drift app after compromising OAuth tokens. Cloudflare reported reconnaissance on 9 August 2025 and said data was exfiltrated from Salesforce case objects between 12–17 August 2025. The exposed fields principally contained support case text and business contact information; Cloudflare identified 104 API tokens and has rotated them, urging customers to rotate any credentials shared in cases. Google’s Threat Intelligence Group links the activity to UNC6395 and warns harvested data may be used for targeted follow‑on attacks.
