Salesforce Drift Data Breach: Palo Alto Networks: Cloudflare, Google Impacted

Palo Alto Networks confirmed on September 2, 2025 that it was among the victims of this supply chain attack, which impacted hundreds of Salesloft Drift customers. The compromised data included business contact information, internal sales account details and basic customer case data.

Upon discovering the breach, Palo Alto Networks disconnected Drift from its Salesforce environment to mitigate further risk. Like Zscaler, it emphasized that its products and other systems remained unaffected. Cloudflare also confirmed on September 2, 2025, that it was impacted, noting that the stolen data primarily consisted of customer contact information and basic support case data.

However, some customer support interactions may have included sensitive details such as access tokens, logs or passwords. Cloudflare urged its customers to rotate any credentials shared through its support system, as these should be considered compromised. The campaign was first reported by Google’s Threat Intelligence Group on August 26, 2025.

Google itself was a victim, with attackers using stolen tokens to access email from a small number of Google Workspace accounts on August 9, 2025. Google advised all Salesloft Drift customers to treat any authentication tokens connected to the platform as potentially compromised. It recommended reviewing third-party integrations, revoking and rotating credentials and investigating connected systems for unauthorized access.

This attack follows an unrelated social engineering campaign earlier in 2025 that targeted Salesforce customers through voice phishing. That campaign affected companies like Google, Cisco, Workday, Adidas, Allianz Life, Qantas and LVMH subsidiaries including Louis Vuitton, Dior and Tiffany and Co. Unlike the current attack, the earlier campaign directly targeted Salesforce instances rather than exploiting a third-party application.

The Salesloft Drift data breach highlight the risks of third-party integrations in cloud-based customer relationship management systems. Organizations using Drift are urged to take immediate action to secure their systems by revoking compromised credentials and monitoring for suspicious activity. Salesforce Drift Data Breach underscores the importance of robust cybersecurity measures including regular audits of third-party applications and prompt credential rotation, to protect sensitive data in interconnected digital ecosystems.