Particle.news


Salesloft to Take Drift Offline as Cloudflare Joins Growing List of Salesforce Breach Victims

Investigators say stolen Drift tokens let UNC6395 plunder Salesforce data, with rare access to Google Workspace email.

Overview

  • Cloudflare disclosed attackers accessed its Salesforce support environment, exfiltrated text from case objects between August 12 and 17, and exposed 104 platform-issued API tokens that were rotated with no misuse detected.
  • Zscaler, Palo Alto Networks, PagerDuty and SpyCloud confirmed limited exposure of Salesforce records, largely business contact details and support case text, with no impact on their products or core infrastructure.
  • Salesloft said Drift will be taken offline shortly after revoking tokens, while Salesforce and Google disabled Drift integrations as Google and Mandiant assess a campaign that may have impacted more than 700 organizations.
  • Google Threat Intelligence confirmed the actor also used Drift Email tokens on August 9 to read email in a very small number of Google Workspace accounts configured with the integration.
  • Unit 42 and others report mass exports of Salesforce objects and systematic scanning for credentials such as AWS keys and Snowflake tokens, with anti-forensics steps observed and Tor-linked infrastructure and a malicious AWS account identified.
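One triage step the credential scanning described above forces on a victim is working out which exported case records held secrets, so the affected keys can be rotated. The Python below is an added example, not code from Salesloft, Salesforce or any of the organizations named; its regex heuristics and sample case export are constructed assumptions.

```python
import re

# Heuristic patterns for credential material that tends to get pasted into support
# cases. The AWS access key ID shape is documented by AWS; the rest are keyword-based
# and assumed here, so treat them as a starting point, not an exhaustive detector.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}\b"),
    "snowflake_credential": re.compile(r"(?i)snowflake.{0,40}?(?:token|password)\s*[=:]\s*\S+"),
    "generic_secret": re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret)\s*[=:]\s*\S{8,}"),
}

def scan_case_text(text):
    """Return the set of pattern labels that match one case's free text."""
    return {label for label, rx in PATTERNS.items() if rx.search(text)}

def triage(cases):
    """Map case ID -> sorted labels for every case containing credential-like text.

    `cases` is an iterable of (case_id, text) pairs, e.g. from a Case object export.
    Cases with no hits are omitted, so the result is the rotation worklist.
    """
    worklist = {}
    for case_id, text in cases:
        labels = scan_case_text(text)
        if labels:
            worklist[case_id] = sorted(labels)
    return worklist

# Constructed sample export (not real case data) with the kinds of content that
# would need rotation if an attacker had read it.
SAMPLE_CASES = [
    ("00001", "Customer reports 403 from S3. Creds used: AKIAIOSFODNN7EXAMPLE / "
              "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("00002", "Snowflake warehouse slow; connecting with token=eyJhbGciOi...snip for repro"),
    ("00003", "Ticket about a billing address change, no technical details."),
    ("00004", "Integration failing, api_key: sk_live_CONSTRUCTED_SAMPLE_VALUE"),
]

if __name__ == "__main__":
    for case_id, labels in triage(SAMPLE_CASES).items():
        print(f"case {case_id}: rotate {', '.join(labels)}")
```

Run against a real Case export, the worklist tells you which records to treat as compromised credentials rather than merely exposed contact data.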