bleepingcomputer.com
By Sergiu Gatlan
September 3, 2025
Update September 04, 06:27 EDT: Updated the list of cybersecurity companies whose Salesforce instances were breached in the Salesloft supply chain attack.
Workiva, a leading cloud-based SaaS (Software as a Service) provider, notified its customers that attackers who gained access to a third-party customer relationship management (CRM) system stole some of their data.
The company's cloud software helps collect, connect, and share data for financial reports, compliance, and audits. It had 6,305 customers at the end of last year and reported revenues of $739 million in 2024.
Its customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, Mercedes-Benz, and more.
According to a private email notification sent to affected Workiva customers last week and seen by BleepingComputer, the threat actors exfiltrated a limited set of business contact information, including names, email addresses, phone numbers, and support ticket content.
"This is similar to recent events that have targeted several large organizations. Importantly, the Workiva platform and any data within it were not accessed or compromised," the company explained. "Our CRM vendor notified us of unauthorized access via a connected third-party application."
Workiva also warned impacted customers to remain vigilant, as the stolen information could be used in spear-phishing attacks.
"Workiva will never contact anyone by text or phone to request a password or any other secure details. All communications from Workiva come through our trusted official support channels," it said.
Salesforce data breaches
While Workiva didn't share more details regarding this attack, BleepingComputer has learned that this incident was part of the recent wave of Salesforce data breaches linked to the ShinyHunters extortion group that impacted many high-profile companies.
Most recently, Cloudflare disclosed that it was forced to rotate 104 Cloudflare platform-issued tokens stolen by ShinyHunters threat actors, who gained access to the Salesforce instance used for customer support and internal customer case management in mid-August.
ShinyHunters has been targeting Salesforce customers in data theft attacks using voice phishing (vishing) since the start of the year, impacting companies such as Google, Cisco, Allianz Life, Farmers Insurance, Workday, Qantas, Adidas, and LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
More recently, the extortion group has shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances and extract sensitive information, such as passwords, AWS access keys, and Snowflake tokens, from customer messages and support tickets.
Using this method, ShinyHunters also gained access to a small number of Google Workspace accounts in addition to stealing Salesforce CRM data and breaching the Salesforce instances of multiple cybersecurity companies, including Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks.
helpnetsecurity.com Zeljka Zorz, Editor-in-Chief, Help Net Security
September 2, 2025
Zscaler, Palo Alto Networks, PagerDuty, Tanium, and SpyCloud say their Salesforce instances were accessed following the Salesloft breach.
The companies noted that attackers had only limited access to Salesforce databases, not to other systems or resources. They warned, however, that the stolen customer data could be used for convincing phishing and social engineering attacks.
The Salesloft breach
Salesloft is the company behind a popular sales engagement platform of the same name.
The company’s Drift application – an AI chat agent – can be integrated with many third-party platforms and tools, including Salesforce.
On August 26, Salesloft stated that from August 8 to August 18, 2025, attackers used compromised OAuth credentials to exfiltrate data from the Salesforce instances of customers that have set up the Drift-Saleforce integration.
Several days later, the Google Threat Intelligence Group (GTIG) confirmed that the compromise impacted other integrations, as well.
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the ‘Drift Email’ integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts,” GTIG analysts shared.
Astrix Security researchers have confirmed that the attackers used the Drift Email OAuth application for Google Workspace to exfiltrate emails and that – at least in one case – they tried to access S3 buckets whose names have been likely extracted from compromised Salesforce environments.
Similarly, WideField threat researchers have observed suspicious log event activity across multiple customers using its security platform, pointing to attackers rifling through Salesforce databases and Gmail accounts.
Salesloft breach victims Zscaler
How UNC6395 accessed emails (Source: WideField)
Zscaler, Palo Alto Networks and the other companies mentioned above are just some of the 700+ companies impacted by this breach.
While the stolen customer information can be valuable, GTIG analysts say that the attackers were focused on searching for AWS access keys, passwords, and Snowflake-related access tokens, which can (and likely have been) further misused by the attackers.
What to do if your organization is on the victims list?
Salesloft has yet to reveal how the attackers managed to get their hands on the OAuth tokens they used, but the company has engaged cybersecurity experts from (Google’s) Mandiant and Coalition to help them investigate and remediate the compromise.
“We are recommending that all Drift customers who manage their own Drift connections to third-party applications via API key, proactively revoke the existing key and reconnect using a new API key for these applications. This only relates to API key-based Drift integrations. OAuth applications are being handled directly by Salesloft,” the company said on August 27, and outlined the process for updating the API keys.
Salesforce has, for the moment, disabled all integrations between Salesforce and Salesloft technologies, including the Drift app.
“Disabling the connection is a precautionary measure to help safeguard customer environments while we continue to assess and address the situation. We recognize this change may cause disruption and will provide further updates as more information becomes available,” the company noted.
Likewise, Google has disabled the integration functionality between Google Workspace and Salesloft Drift pending further investigation, and has advised organizations to “review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”
Google Mandiant incident responders have provided extensive advice on how organizations can investigate for compromise and scan for exposed secrets and hardcoded credentials.
Astrix researchers have shared additional indicators of compromise and described AWS-specific activity to look out for. WideField threat analysts have provided guidance useful to both their customers and other affected organizations.
bleepingcomputer.com
By Sergiu Gatlan
September 2, 2025
Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week.
The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens.
Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, even though it has yet to discover any suspicious activity linked to these tokens.
"Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens," Cloudflare said.
"Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel."
The company's investigation found that the threat actors stole only the text contained within the Salesforce case objects (including customer support tickets and their associated data, but no attachments) between August 12 and August 17, after an initial reconnaissance stage on August 9.
These exfiltrated case objects contained only text-based data, including:
The subject line of the Salesforce case
The body of the case (which may include keys, secrets, etc., if provided by the customer to Cloudflare)
Customer contact information (for example, company name, requester's email address and phone number, company domain name, and company country)
"We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare added.
"Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations."
Wave of Salesforce data breaches
Since the start of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company's Salesforce instances. This tactic enabled the attackers to steal databases, which were later used to extort victims.
Since Google first wrote about these attacks in June, numerous data breaches have been linked to ShinyHunters' social engineering tactics, including those targeting Google itself, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
While some security researchers have told BleepingComputer that the Salesloft supply chain attacks involve the same threat actors, Google has found no conclusive evidence linking them.
Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breaches stole some support data submitted by customers, including contact info and text comments.
The Palo Alto Networks incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, it did not affect any of its products, systems, or services.
The cybersecurity company observed the attackers searching for secrets, including AWS access keys (AKIA), VPN and SSO login strings, Snowflake tokens, as well as generic keywords such as "secret," "password," or "key," which could be used to breach more cloud platforms to steal data in other extortion attacks.
zscaler.com August 30, 2025
Zscaler swiftly mitigates a security incident impacting Salesloft Drift, and ensuring robust protection against potential vulnerabilities.
At Zscaler, protecting your data and maintaining transparency are core to our mission to secure, simplify and accelerate businesses transformation. We are committed to keeping you informed about key developments that may impact your organization.
What Happened?
Zscaler was made aware of a campaign targeted at Salesloft Drift (marketing software-as-a-service) and impacting a large number of Salesforce customers. This incident involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.
The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler's products, services or underlying systems and infrastructure.
As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information.
What Information May Be Affected?
The information accessed was limited to commonly available business contact details for points of contact and specific Salesforce related content, including:
Names
Business email addresses
Job titles
Phone numbers
Regional/location details
Zscaler product licensing and commercial information
Plain text content from certain support cases [this does NOT include attachments, files, and images]After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information. If anything changes, we will provide further communications and updates.
What Did Zscaler Do?
Zscaler acted swiftly to address the incident and mitigate risks. Steps taken include:
Revoking Salesloft Drift’s access to Zscaler’s Salesforce data
Out of an abundance of caution, rotating other API access tokens.
Launching a detailed investigation into the scope of the event, working closely with Salesforce to assess and understand impacts as they continue investigating.
Implementing additional safeguards and strengthening protocols to defend against similar incidents in the future.
Immediately launched a third party risk management investigation for third party vendors used by Zscaler.
Zscaler Customer Support team has further strengthened customer authentication protocol when responding to customer calls to safeguard against potential phishing attacks.What You Can Do
Although the incident’s scope remains limited (as stated above) and no evidence of misuse has been found, we recommend that customers maintain heightened vigilance. Please be wary of potential phishing attacks or social engineering attempts, which could leverage exposed contact details.
Given that other organizations have suffered similar incidents stemming from Salesloft Drift, it’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information. Always verify the source of communication and never disclose passwords or financial data via unofficial channels.
Zscaler Support will never request authentication or authorization details through unsolicited outreach, including phone calls or SMS. All official Zscaler communications come from trusted Zscaler channels. Please exercise caution and report any suspicious phishing activity to security@zscaler.com.