SECURITY
Cloudflare Inc., Zscaler Inc. and Palo Alto Networks Inc. have become the latest companies to be affected by the Salesloft breach, a widespread Salesforce Inc.-related security incident that continues to ensnare more companies.
The breach originated in early to mid‑August 2025, when attackers exploited a vulnerability in Salesloft’s Drift AI chat integration with Salesforce, specifically harvesting OAuth and refresh tokens to access customer relationship management data. Google’s Threat Intelligence Group, tracking the threat actor as UNC6395, reports the attacks spanned roughly Aug. 8-18 and targeted numerous Salesforce instances.
As noted on Aug. 27, Salesloft provides a popular cloud platform that companies use to manage their sales efforts. The software stores data about deal opportunities, tracks the performance of customer acquisition initiatives and performs related tasks.
The breach affected a component of the platform called Drift, a chatbot that can field questions from potential customers who visit a company’s website, as well as estimate the likelihood that they will make a purchase.
Threat actors exfiltrated data, including Amazon Web Services Inc. access keys, Snowflake tokens, passwords, and support case data. Though Salesloft claims only customers using the Drift-Salesforce integration were affected, investigators warn that any platform connected to Drift should consider all tokens compromised and revoke them immediately.
Cloudflare has confirmed it was affected after being notified on Aug. 23 and has publicly disclosed the details. The breach hit Cloudflare between Aug. 12 and Aug. 17, with the attackers accessing its Salesforce tenant and exfiltrating “case objects,” which include customer support tickets, subject lines, correspondence and contact info. Cloudflare found 104 application programming interface tokens in the compromised data, none of which showed misuse, but they were all rotated as a precaution.
Zscaler was able to swiftly identify that its Salesforce data was accessed via the compromised Drift tokens, with the company saying access was limited to business contact info, including names, job titles, email addresses, phone numbers, regional details and licensing and commercial information, along with plain-text support case content. The company has revoked the Drift integration, rotated API tokens and initiated a third-party risk investigation while enhancing customer authentication for support channels.
Palo Alto Networks likewise confirmed that the breach was contained to its Salesforce CRM installation. The exfiltrated data included business contact information and internal case details, but in some cases, sensitive info, such as credentials, may have been disclosed if included in support case text. The company says none of its products, systems or services were compromised and that it’s notifying affected customers.
The breaches of Zscaler and Palo Alto Networks “are particularly concerning because they raise the stakes well beyond typical SaaS compromises, especially where support tickets are involved, since they may contain sensitive materials such as API keys, credentials and archive files,” Cory Michal, software-as-a-service security expert and chief strategy officer at SaaS application security company AppOmni Inc., told SiliconANGLE via email. “For security companies, which often have privileged access and visibility into client environments, exposure of this data could create opportunities for downstream breaches, supply chain attacks and erosion of trust in the very vendors responsible for defending enterprises.”