The ongoing cyberattack, which originated at Salesloft Drift, has ensnared multiple technology companies, including Cloudflare, PagerDuty, Palo Alto Networks, and SpyCloud. Victim organizations continue to be identified as they search for evidence of compromise or receive official notices from Salesloft and other firms involved in the response and recovery efforts. Although Salesloft initially claimed the exposure was limited to customers with Salesforce integrations, Google Threat Intelligence Group and Mandiant Consulting, a firm now assisting Salesloft, have stated that any platform integrated with Drift is potentially at risk. The exact method by which the threat group, known as UNC6395, gained initial access to Salesloft Drift remains unconfirmed by the company.
Salesloft has decided to take the Drift platform offline to expedite a comprehensive review and bolster its security. The company, which acquired Drift in February 2024, has been largely silent on the matter since the attacks began. This incident occurred shortly after Salesloft announced an agreement to merge with Clari, a competitor in the customer-relationship management space. The merger, which aims to serve over 5,000 global organizations, has been overshadowed by the cybersecurity disaster, leaving customers concerned and seeking clarity.
The fallout from the attacks has created widespread anxiety as customers try to determine if they were impacted and, if so, to what extent their data or their customers’ data was compromised. While not every Salesloft Drift customer was affected, many businesses were less fortunate. For instance, Okta confirmed it was a target, although an attempted attack on its Salesforce instance was unsuccessful. Conversely, other companies have confirmed significant exposure.
Palo Alto Networks was among the hundreds of organizations affected by the supply chain attack. The company’s incident response team, Unit 42, confirmed that the breach was contained within its Salesforce environment and did not impact any of its products or services. While most of the data stolen was business contact information, a small number of customers who included sensitive details like credentials in their case notes might have also had that data compromised.
Cloudflare also reported that any information its customers shared with the company’s support system, including logs, tokens, or passwords, should be considered compromised. The company found 104 of its API tokens in the stolen data and, as a precaution, rotated them even though no evidence of misuse was found. Cloudflare emphasized that its services and infrastructure were not compromised but issued an apology to its customers for the breach. This sentiment was echoed by other firms who were previously customers of Salesloft and Drift but still had some data exposed.