
Several high-profile cybersecurity firms targeted in ongoing attack on Salesforce customers

  • Marijan Hassan - Tech Journalist
  • Sep 9

A wave of high-profile cybersecurity firms, including Proofpoint, SpyCloud, Tanium, and Tenable, have confirmed data breaches involving their Salesforce environments. The disclosures are all part of the broader supply-chain attack centered on the Salesloft Drift AI chatbot integration.



Attack overview

The intrusion took place between August 8 and August 18, 2025, orchestrated by a threat actor tracked by Google’s Threat Intelligence Group (GTIG) as UNC6395. Exploiting compromised OAuth and refresh tokens tied to the Drift integration, the attacker infiltrated Salesforce instances, independently querying, mapping, and exfiltrating data via SOQL queries. Stolen credentials ranged from AWS access keys and Snowflake tokens to passwords. The attacker also made multiple attempts to delete logs to obscure the activity.


Google later disclosed that the breach extended beyond Salesforce, impacting other platforms connected via Drift, including Google Workspace, Slack, and cloud storage systems.


Notable victims speak out

Palo Alto Networks stated that the attack was isolated to its CRM platform and that no products or services were affected. The company's Unit 42 security team launched an investigation, confirming that the stolen data primarily included business contact information, internal sales account data, and basic support case details related to its customers.


Cloudflare became aware of suspicious activity in its Salesforce tenant in late August. The company's investigation found that the threat actor exfiltrated data from Salesforce case objects, which contain customer support tickets and associated information. Cloudflare noted that while it does not require customers to share sensitive information in support cases, "anything shared through this channel should now be considered compromised," and it urged customers to rotate any credentials they may have pasted into a support ticket. The company also found and rotated 104 of its own API tokens out of an abundance of caution.


Zscaler disclosed that unauthorized actors gained "limited access to some Zscaler's Salesforce information" through compromised Salesloft Drift credentials. The company confirmed that its products, services, and core infrastructure were not affected, and it has not yet found evidence of misuse of the exposed data.


Tenable also confirmed it was among the impacted organizations. In a blog post, Tenable stated that its investigation found an unauthorized user had access to a portion of some customer information stored in its Salesforce instance, including support case subject lines, initial descriptions, and business contact details. The company said it has no evidence the information has been misused.


Proofpoint announced that its Salesforce tenant was accessed via the compromised Drift integration. The company's investigation found no evidence that the incident affected its software, services, or customer-protected data. Proofpoint has since deactivated and removed the Drift application from its Salesforce environment.


CyberArk was also affected, but stated that its layered security program "materially reduced the potential impact" of the incident. The company said that no customer data, such as API keys, credentials, or passwords, was affected, and the data accessed was limited to business contact information and account metadata.


Industry response & broader implications

Salesloft has suspended the Drift application, revoked all related access tokens, and is coordinating with Salesforce, Mandiant, and GTIG on remediation and investigation efforts. The incident serves as a stark example of the risks of SaaS supply-chain vulnerabilities, with experts warning that OAuth tokens, once compromised, can grant attackers seamless, trusted access to critical systems.
