Extent of Breach Still Unfolding; Reports Indicate Hundreds of Organizations Impacted

A series of data breaches linked to the theft of access tokens from the marketing software provider Salesloft’s Drift AI chat agent now includes Cloudflare among what investigators estimate to be hundreds of victims. This breach has drawn significant attention due to the extensive customer data potentially compromised.
According to Cloudflare’s recent statement, the breach was executed using stolen OAuth access tokens that gave the attacker access to Cloudflare’s Salesforce customer relationship management system, allowing sensitive customer data to be extracted. Additional breaches also occurred affecting Salesloft clients Zscaler and Palo Alto Networks, both of which issued security alerts regarding unauthorized access following notifications from Salesloft.
Threat analysis from Google Cloud’s Mandiant incident response group indicates that the data theft may have occurred between August 8 and August 18. Cloudflare specified that the compromised data primarily consisted of customer support details and internal case management information, some of which could include sensitive configurations and access tokens.
In light of the breach, Cloudflare has advised customers that any data shared through its support channels should be regarded as potentially compromised, urging those affected to change their credentials without delay. This caution underscores the gravity of the situation, which has the potential to affect many businesses.
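A defender-side triage check for the situation described above, added here as an illustration and not code from Cloudflare, Salesloft or Salesforce: given a Salesforce LoginHistory-style export, it isolates OAuth logins attributed to the Drift connected app inside the reported August 8 to 18 window that came from addresses the integration is not known to use, and lists the integration users whose tokens should be revoked and re-issued. The sample rows, the application name "Drift", the "Remote Access 2.0" login type, the 2025 year and the allowlisted addresses are all assumptions for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of a Salesforce LoginHistory export
# (hypothetical values, not records from the incident). "Drift" as the
# Application and "Remote Access 2.0" as the OAuth login type are assumed.
SAMPLE_LOGIN_HISTORY = """\
UserId,LoginTime,SourceIp,Application,LoginType,Status
005A0,2025-08-07T09:12:00Z,198.51.100.7,Drift,Remote Access 2.0,Success
005A0,2025-08-10T02:41:00Z,203.0.113.44,Drift,Remote Access 2.0,Success
005B1,2025-08-12T10:00:00Z,192.0.2.15,Browser,Application,Success
005B1,2025-08-12T23:05:00Z,203.0.113.44,Drift,Remote Access 2.0,Success
005C2,2025-08-20T11:30:00Z,198.51.100.9,Drift,Remote Access 2.0,Success
"""

# Reported exfiltration window (year assumed to be 2025).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Source addresses the integration is known to use (assumed, org-specific).
KNOWN_INTEGRATION_IPS = {"198.51.100.7", "198.51.100.9"}


def parse_login_history(text):
    """Parse a LoginHistory CSV export into dicts with a tz-aware LoginTime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LoginTime"] = datetime.fromisoformat(
            row["LoginTime"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def suspicious_drift_logins(rows, app_name="Drift", known_ips=KNOWN_INTEGRATION_IPS):
    """OAuth logins by the Drift connected app, inside the window, from
    source addresses that are not on the integration's known list."""
    hits = []
    for r in rows:
        if r["Application"] != app_name or r["LoginType"] != "Remote Access 2.0":
            continue
        if not WINDOW_START <= r["LoginTime"] <= WINDOW_END:
            continue
        if r["SourceIp"] in known_ips:
            continue
        hits.append((r["UserId"], r["LoginTime"].isoformat(), r["SourceIp"]))
    return hits


def users_to_revoke(hits):
    """Integration users whose OAuth tokens should be revoked and re-issued."""
    return sorted({user for user, _, _ in hits})
```

Run against a real export, the same filter narrows the review to the token-based logins that matter, and the affected records can then be pulled from the audit trail for those users.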
The overall impact of the Salesloft Drift breach remains uncertain, but researchers have identified that approximately 700 organizations that integrate Drift Email with Salesforce CRM are involved. Additionally, the integration of Drift Email with over fifty other applications adds layers of complexity to the breach, increasing the scope of potential data exposure.
On another front, Google has confirmed that the breach resulted in unauthorized access to some Workspace email accounts, but clarified that only those accounts configured for Drift integration were affected. All access permissions via OAuth tokens have been revoked, and Google has assured that no broader compromise of its Workspace infrastructure has taken place.
Despite the widespread nature of these breaches, only a handful of affected organizations have issued alerts to their customers thus far. Cybersecurity experts such as Allan Liska of Recorded Future have expressed concern about future exploitation of the data, pointing to the strong possibility of targeted phishing campaigns built on the leaked information.
The motivations behind such widespread attacks can vary. If the goal was financial gain, the stolen data may be used to demand a ransom, while in a cyber-espionage scenario the information might never surface publicly. The nature of the stolen data, primarily sales data and business contacts, may present varying levels of risk, but organizations are urged to remain vigilant in the wake of these developments.
To better understand the potential tactics involved in this breach, relevant techniques from the MITRE ATT&CK framework include initial access, likely via phishing or exploitation of software vulnerabilities, and persistence through the use of compromised OAuth tokens. Such tactics highlight the multifaceted nature of modern cyber threats, necessitating robust incident response strategies for organizations to mitigate their risk exposure.