Particle.news

Salesloft Takes Drift Offline as Cloudflare, Palo Alto Networks Join Expanding Token-Theft Fallout

Investigators say stolen Drift tokens enabled access to Salesforce case data used to hunt credentials.

Overview

  • Salesloft said Drift will be taken offline "in the very near future" to enable a full security review, after revoking active tokens tied to the chatbot.
  • Cloudflare reported exfiltration of Salesforce case text between August 12–17 and rotated 104 exposed Cloudflare API tokens out of caution.
  • Palo Alto Networks, Zscaler, PagerDuty, SpyCloud and Tanium disclosed limited exposure of contact and support-case details with no impact to core products or infrastructure.
  • Google’s Threat Intelligence Group and Mandiant attribute the spree to UNC6395/GRUB1 and estimate more than 700 organizations may be affected, with a very small number of Google Workspace email accounts accessed via Drift Email on August 9.
  • Vendors advise customers to revoke and rotate credentials, review Salesforce and integration logs from August 8 onward, and stay alert for targeted phishing or credential-abuse attempts.