Saturday, September 6, 2025

Cloudflare hit by data breach in Salesloft Drift supply chain attack

Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week.

The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens.

Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, although it has yet to find any suspicious activity linked to those tokens.

“Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens,” Cloudflare said.

“Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel.”

The company’s investigation found that the threat actors stole only the text contained within the Salesforce case objects (including customer support tickets and their associated data, but no attachments) between August 12 and August 17, after an initial reconnaissance stage on August 9.

These exfiltrated case objects contained only text-based data, including:

  • The subject line of the Salesforce case
  • The body of the case (which may include keys, secrets, etc., if provided by the customer to Cloudflare)
  • Customer contact information (for example, company name, requester’s email address and phone number, company domain name, and company country)

“We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks,” Cloudflare added.

“Given that hundreds of organizations have been affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations.”

Wave of Salesforce data breaches

Since the start of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company’s Salesforce instances. This tactic enabled the attackers to steal databases, which were later used to extort victims.

Since Google first wrote about these attacks in June, numerous data breaches have been linked to ShinyHunters’ social engineering tactics, including those targeting Google itself, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

While some security researchers have told BleepingComputer that the Salesloft supply chain attacks involve the same threat actors, Google has found no conclusive evidence linking them.

Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breaches stole some support data submitted by customers, including contact information and text comments.

The Palo Alto Networks incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, it did not affect any of its products, systems, or services.

The cybersecurity company observed the attackers searching the stolen data for secrets, including AWS access key IDs (which begin with the prefix AKIA), VPN and SSO login strings, Snowflake tokens, as well as generic keywords such as “secret,” “password,” or “key,” which could be used to breach additional cloud platforms and steal data for further extortion attacks.
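The same search the attackers ran over stolen case text can be turned around by an affected customer to decide which credentials to rotate: export the support tickets you filed with a Drift-connected vendor and grep them for the patterns named above. The script below is an added example written for this article; it is not code from Cloudflare, Palo Alto Networks, Salesloft or BleepingComputer. It matches AWS access key IDs (the fixed AKIA prefix plus 16 upper-case alphanumerics is the documented shape of long-term IAM keys) and any assignment whose name contains one of the generic keywords, redacting the values so the triage report itself does not become a second leak. The sample tickets, the minimum credential length, and the Cloudflare token value are constructed assumptions; Snowflake tokens and VPN/SSO login strings have no fixed shape, so they are only caught by the keyword rule.

```python
import re
from dataclasses import dataclass

# Patterns named in the article: AWS access key IDs and the generic keywords
# the attackers were seen grepping for. The AKIA shape is AWS's documented
# format for long-term access key IDs; the keyword list is the article's own.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
KEYWORD_RE = re.compile(
    r"(secret|password|passwd|key|token)\w*\s*[:=]\s*(\S+)", re.IGNORECASE
)
# Assumption: anything shorter than this after "password:" is prose, not a credential.
MIN_CREDENTIAL_LEN = 12


@dataclass
class Finding:
    case_id: str
    kind: str      # "aws_access_key_id" or "keyword:<word>"
    snippet: str   # redacted value, enough to recognise it in a vault


def redact(value: str) -> str:
    """Keep the first and last four characters so the owner can recognise the value."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_case(case_id: str, body: str) -> list[Finding]:
    """Return every credential-looking string in one support case body."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for m in AWS_ACCESS_KEY_RE.finditer(body):
        seen.add(m.group(0))
        findings.append(Finding(case_id, "aws_access_key_id", redact(m.group(0))))
    for m in KEYWORD_RE.finditer(body):
        value = m.group(2).rstrip(".,;\"')")
        # Skip prose such as "password? The old key expired" and values already reported.
        if len(value) < MIN_CREDENTIAL_LEN or value in seen:
            continue
        seen.add(value)
        findings.append(Finding(case_id, f"keyword:{m.group(1).lower()}", redact(value)))
    return findings


def cases_to_rotate(cases: dict[str, str]) -> dict[str, list[Finding]]:
    """Map case ID -> findings, keeping only cases that need credential rotation."""
    report = {cid: scan_case(cid, body) for cid, body in cases.items()}
    return {cid: f for cid, f in report.items() if f}


# Constructed sample tickets standing in for an exported Salesforce case dump.
# Neither the token nor the AKIA value is real.
SAMPLE_CASES = {
    "00123456": (
        "Subject: Worker script failing on deploy\n"
        "Hi, here is the config we use:\n"
        "  CLOUDFLARE_API_TOKEN=v1tokEnExampleExampleExampleExample12345\n"
        "  aws_access_key_id = AKIAEXAMPLE0123456ZZ\n"
        "Logs attached below."
    ),
    "00123457": (
        "Subject: Question about rate limiting\n"
        "How do I reset my dashboard password? The old key expired."
    ),
}


if __name__ == "__main__":
    for cid, findings in cases_to_rotate(SAMPLE_CASES).items():
        print(f"case {cid}: rotate {len(findings)} credential(s)")
        for f in findings:
            print(f"  {f.kind:<20} {f.snippet}")
```

Run it against a real export by replacing SAMPLE_CASES with the case bodies pulled from your own ticketing system; the redacted snippets are what you hand to the team that owns each secret, and any case with a finding is a credential to revoke regardless of whether the attacker has used it yet.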
