Data leak through Salesloft: Cloudflare, Palo Alto, Zscaler affected
Many companies are affected by the Salesloft Drift vulnerability. These include large and well-known ones such as Cloudflare, Palo Alto and Zscaler.
(Image: Black_Kira/Shutterstock.com)
A security problem at Salesloft Drift, a company that provides AI chatbots for customers, allowed attackers to steal access tokens for Salesforce instances, among other systems. The criminals from the UNC6395 group used these tokens to siphon off customer data from the systems they could reach. More and more affected companies are coming forward. In addition to Google, these include large and well-known companies such as Cloudflare, Palo Alto and Zscaler.
Google initially went public with this and followed up over the weekend by stating that not only the Salesloft Drift Salesforce integration was affected: other integrations such as "Salesloft Drift Email" also exposed OAuth tokens to the attackers, which they could use to gain unauthorized access to the connected services. Salesloft has since revoked the tokens, and those affected must create new ones.
Many companies affected
Cloudflare explains the extent of the data leak from Salesforce in a blog post. According to this, it was essentially possible to access customer contact information and basic support case information. However, in some cases, support interactions may have included customer configuration information and even sensitive data such as access tokens. Any information that customers have shared with Cloudflare support in Salesforce should be considered compromised, Cloudflare writes. The company also advises customers to rotate their credentials. During the analysis, Cloudflare analysts came across 104 API keys for which no suspicious activity was detected, but which were rotated as a precaution. Cloudflare's infrastructure was not compromised in the incident.
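The Cloudflare finding above, that customers had pasted API keys into support tickets which then sat in the CRM, is the kind of exposure a defender can hunt for in their own case exports. The following is an added example, not Cloudflare's or Salesloft's code: it scans constructed support-case bodies for long token-like strings, drops low-entropy placeholders such as redaction markers, and lists the cases whose credentials should be rotated. The token pattern (32 or more characters from a base64-style alphabet) and the entropy threshold are assumptions chosen for illustration, not a documented format of any vendor's keys.

```python
import math
import re
from collections import Counter

# Constructed sample support cases; none of this is real customer data.
SAMPLE_CASES = [
    {"case_id": "CASE-0001",
     "body": "Hi, my zone isn't resolving. Could you check the DNS settings?"},
    {"case_id": "CASE-0002",
     "body": "Here is my API token so you can reproduce: "
             "v1_examplE8k2ZQ9xT7mL4nP0aB3cD6eF1gH5jK8"},
    {"case_id": "CASE-0003",
     "body": 'Config dump: {"api_key": "3f9a1c7e2b8d4f60a5e1c9b7d3f2a8e4"}'},
    {"case_id": "CASE-0004",
     "body": "Secret already scrubbed: REDACTED_REDACTED_REDACTED_REDACTED"},
]

# Assumed pattern: a run of 32+ characters from a URL-safe base64-like alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{32,}")

# Assumed threshold: random keys score well above this; words and placeholders below.
MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for a string of one repeated char)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_secret_candidates(text: str, min_entropy: float = MIN_ENTROPY) -> list:
    """Return (token, entropy) pairs for token-like strings that look random."""
    hits = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0)
        ent = shannon_entropy(token)
        if ent >= min_entropy:
            hits.append((token, round(ent, 2)))
    return hits


def mask(token: str) -> str:
    """Show only a prefix so the report itself does not re-leak the secret."""
    return token[:4] + "..." + f"({len(token)} chars)"


def cases_needing_rotation(cases: list) -> dict:
    """Map case_id -> masked candidate secrets for every case that contains one."""
    report = {}
    for case in cases:
        hits = find_secret_candidates(case["body"])
        if hits:
            report[case["case_id"]] = [mask(tok) for tok, _ in hits]
    return report


if __name__ == "__main__":
    for case_id, secrets in cases_needing_rotation(SAMPLE_CASES).items():
        print(f"{case_id}: rotate {secrets}")
```

Run against a real export, the same logic would be pointed at the case body and comment fields rather than the inline list; the masked report is what goes to the customer-notification step, while the raw matches stay inside the investigation workspace.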
Palo Alto Networks is also among those affected and writes in a blog post that its Unit 42 team investigated the incident. It turned out that the incident was limited exclusively to Palo Alto's CRM platform; no network products or services were affected. The extracted data could only include business contact information, internal sales accounts and rudimentary customer support case information. The limited number of customers whose data may have been exposed will be contacted.
It was announced on Tuesday that Zscaler was also among the victims. According to the Zscaler blog, the criminals likewise used compromised access tokens to gain access to the company's Salesforce instances and were able to view customer data. This includes names, business email addresses, job titles, phone numbers, location information, data on licensed Zscaler products and commercial information, as well as plain-text content of specific support cases, but not attachments, files or images.
Smaller, less well-known companies have also reported potential data leakage through the Salesloft Drift vulnerability. These include PagerDuty, SpyCloud and Tanium. Numerous other companies are likely to notify their customers, with hundreds potentially affected by the incidents.
(dmk)