Incident Types: The types of cybersecurity incidents that have occurred include Ransomware, Breach, Vulnerability and Cyber Attack.

Total Financial Loss: The total financial loss from these incidents is estimated to be $3.09 billion.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with cloudflare (august 23), incident response plan activated with zscaler, incident response plan activated with palo alto networks, incident response plan activated with salesloft, incident response plan activated with google, and third party assistance with mandiant (for salesloft investigation), third party assistance with google threat intelligence, and containment measures with salesloft revoked all drift-to-salesforce connections (pre-notification), containment measures with cloudflare disabled drift user accounts and purged salesloft software, containment measures with google revoked compromised workspace tokens and disabled drift integration, containment measures with salesloft took drift platform offline and paused salesforce integrations, and remediation measures with credential rotation (cloudflare rotated 104 api tokens), remediation measures with customer notifications via email/dashboard banners (cloudflare, palo alto networks), remediation measures with forensic investigations across affected organizations, remediation measures with salesforce instance audits for unauthorized access, and recovery measures with re-establishing secure integrations (timeline unclear), recovery measures with enhanced monitoring of salesforce/salesloft environments, and communication strategy with public blog posts by cloudflare, zscaler, palo alto networks, communication strategy with customer advisories with actionable steps (e.g., disconnect salesloft, rotate credentials), communication strategy with google’s updated threat advisory (august 2024), and enhanced monitoring with likely implemented by affected companies (not detailed), and containment measures with rotation of credentials, review of salesforce login history and audit trails, revocation of unused oauth tokens, enforcement of token expiration, and remediation measures with strengthening saas environments and toolchain security, periodic review of third-party contracts for security language, enhanced monitoring of api access logs, and communication strategy with public disclosures via blogs and statements, customer advisories to rotate credentials, transparency about incident details and responsibility, and enhanced monitoring with review of salesforce event monitoring logs, hunting for suspicious login attempts and unusual data access patterns, monitoring for python/3.11 aiohttp/3.12.15 user agent string and known threat actor ip addresses, and third party assistance with fearsoff (security researchers), and containment measures with permanent fix deployed to ensure waf rules apply uniformly to all paths, and remediation measures with cloudflare validated and triaged the issue, deploying a fix on october 27, 2025, and communication strategy with public disclosure via hackerone and company statement, and third party assistance with pentera (automated penetration testing firm), and containment measures with remediation of misconfigurations by affected organizations, and remediation measures with inventory of cloud resources, remediation measures with enforcement of strict iam policies, remediation measures with automatic expiration of temporary assets, and law enforcement notified with yes (doj investigation)..

Common Attack Types: The most common types of attacks the company has faced is Cyber Attack.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Mobile applications, Compromised Salesloft Drift authentication tokens (likely via phishing or credential stuffing), Compromised IoT Devices (home routers, IP cameras, DVRs), Compromised OAuth tokens via Salesloft Drift integration, Misconfigured security training apps (DVWA, OWASP Juice Shop and etc.).

Average Financial Loss: The average financial loss per incident is $257.50 million.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Login Passwords, Authentication Cookies, , Sensitive user data, Business Contact Information, Salesforce Case Metadata/Content, Authentication Tokens (Aws, Snowflake, Api Keys), Support Logs (May Include Sensitive Customer-Provided Data), , Personal Data, Medical Records, Health Insurance Info, , Business Contact Information, Support Case Data (Logs, Tokens, Passwords), Product Licensing And Commercial Information, Soql Queries, Attachments/Files/Images, , Database Credentials, Api Tokens, Cloud Keys, Server-Side Rendering Data, , Social Security data, Voter rolls and Personally identifiable information (PII).

Incident Response Plan: The company's incident response plan is described as Cloudflare (August 23), Zscaler, Palo Alto Networks, Salesloft, Google, .

Third-Party Assistance: The company involves third-party assistance in incident response through Mandiant (for Salesloft investigation), Google Threat Intelligence, , FearsOff (security researchers), Pentera (automated penetration testing firm).

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Credential rotation (Cloudflare rotated 104 API tokens), Customer notifications via email/dashboard banners (Cloudflare, Palo Alto Networks), Forensic investigations across affected organizations, Salesforce instance audits for unauthorized access, , Strengthening SaaS environments and toolchain security, periodic review of third-party contracts for security language, enhanced monitoring of API access logs, Cloudflare validated and triaged the issue, deploying a fix on October 27, 2025, Inventory of cloud resources, Enforcement of strict IAM policies, Automatic expiration of temporary assets, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by salesloft revoked all drift-to-salesforce connections (pre-notification), cloudflare disabled drift user accounts and purged salesloft software, google revoked compromised workspace tokens and disabled drift integration, salesloft took drift platform offline and paused salesforce integrations, , rotation of credentials, review of salesforce login history and audit trails, revocation of unused oauth tokens, enforcement of token expiration, permanent fix deployed to ensure waf rules apply uniformly to all paths and remediation of misconfigurations by affected organizations.

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Re-establishing secure integrations (timeline unclear), Enhanced monitoring of Salesforce/Salesloft environments, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Potential (DOJ investigation ongoing).

Key Lessons Learned: The key lessons learned from past incidents are The importance of monitoring and mitigating cyber threats during times of conflict, especially when physical and cybersecurity domains intersect.The legitimate nature of Cloudflared traffic makes detection particularly challenging for security teams who must differentiate between authorized administrative use and malicious exploitation.Third-party SaaS integrations introduce significant supply chain risk, especially when connected to core systems like Salesforce.,Authentication tokens in chatbot/automation platforms (e.g., Drift) require stricter access controls and rotation policies.,Over-permissive API integrations can enable large-scale data exfiltration with minimal detection.,Proactive disconnection of integrations (as done by Salesloft) can limit blast radius, but transparency is critical to maintain trust.,Credential hygiene (e.g., rotating tokens in support systems) is often overlooked but critical for limiting post-breach impact.Third-party integrations pose significant supply chain risks, OAuth tokens must be treated with the same security as passwords, zero trust principles (e.g., token expiration, periodic revocation) are critical, API security and monitoring must be prioritized, transparency and accountability in incident response build trust.Improper handling of ACME HTTP-01 challenge paths can create unintended bypass vectors in WAF systems. Regular audits of edge network logic are necessary to prevent similar vulnerabilities.Organizations must inventory all cloud resources, enforce least-privilege IAM policies, and automatically expire temporary assets to mitigate risks from misconfigured non-production systems.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Strengthen SaaS environments and toolchain security., Enhance monitoring and mitigation strategies, improve communication and coordination with affected organizations, and increase public awareness about the risks of malicious mobile applications., Periodically revisit third-party contracts to include security language (breach notification, right to audit, data handling, sub-processor transparency)., Adopt a zero trust mindset for third-party applications and SaaS., Cloudflare customers were advised that no action was required post-fix. Organizations should verify WAF rule consistency across all paths, including ACME challenge directories., Educate employees on the risks of storing sensitive data in insecure fields (e.g., support case notes)., Rotate credentials and revoke unused OAuth tokens., Enforce token expiration and periodic token refreshes., Conduct thorough reviews of Salesforce login history, audit trails, and API access logs for unusual activity. and Enhance monitoring of API calls and SOQL queries for suspicious patterns..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Cloudflare, and Source: Sudo Rem, and Source: CyberScoopUrl: https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/Date Accessed: 2024-08-28, and Source: Cloudflare Blog (Postmortem)Url: https://blog.cloudflare.com/salesloft-drift-incident-august-2024Date Accessed: 2024-08-27, and Source: Zscaler AdvisoryUrl: https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-updateDate Accessed: 2024-08-26, and Source: Palo Alto Networks StatementUrl: https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/Date Accessed: 2024-08-27, and Source: Google Threat Intelligence AdvisoryUrl: https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaignDate Accessed: 2024-08-25, and Source: Mandiant (UNC6395 Tracking)Url: https://www.mandiant.com/resources/insights/unc6395-salesforce-campaignDate Accessed: 2024-08-20, and Source: Krebs on Security (Brian Krebs), and Source: DemandSage, and Source: Cloudflare Blog, and Source: Palo Alto Networks Unit 42 Threat Brief, and Source: Zscaler Statement, and Source: Evan Schuman (CSO Online), and Source: FearsOff Research, and Source: Cloudflare HackerOne Report, and Source: Pentera Investigation, and Source: U.S. Department of Justice (DOJ) court filing.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Blog Posts By Cloudflare, Zscaler, Palo Alto Networks, Customer Advisories With Actionable Steps (E.G., Disconnect Salesloft, Rotate Credentials), Google’S Updated Threat Advisory (August 2024), Public disclosures via blogs and statements, customer advisories to rotate credentials, transparency about incident details and responsibility and Public disclosure via HackerOne and company statement.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Disconnect Salesloft Drift Integration Immediately., Treat All Drift-Stored Authentication Tokens As Compromised., Audit Salesforce For Unauthorized Data Exports (August 8–18, 2024)., Rotate All Credentials/Secrets Shared Via Salesforce Cases Or Drift Chats., Monitor For Follow-On Attacks Leveraging Stolen Aws/Snowflake Tokens., Cloudflare: Notified Affected Customers Via Email/Dashboard Banners; Urged Credential Rotation., Palo Alto Networks: Contacting Customers With Potentially Exposed Sensitive Data., Zscaler: Published Guidance For Customers To Review Exposed Support Cases., Salesloft: Advises All Customers To Disconnect Drift-Salesforce Integration., , Customers urged to rotate credentials, review Salesforce logs for suspicious activity, and treat any shared support case data as compromised., Rotate credentials, monitor for phishing/smishing/vishing attacks using exfiltrated data, review Salesforce audit logs for unusual activity. and Cloudflare confirmed no evidence of malicious exploitation and stated no customer action was required..

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Mandiant (For Salesloft Investigation), Google Threat Intelligence, , Likely Implemented By Affected Companies (Not Detailed), , Review of Salesforce Event Monitoring logs, hunting for suspicious login attempts and unusual data access patterns, monitoring for Python/3.11 aiohttp/3.12.15 user agent string and known threat actor IP addresses, FearsOff (security researchers), Pentera (automated penetration testing firm).

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Enhanced monitoring and mitigation strategies, Salesloft: Offlined Drift, Revoked All Integration Tokens, Mandatory Customer Disconnections., Cloudflare: Purged Salesloft Software, Rotated All Exposed Api Tokens, Enhanced Salesforce Logging., Google: Disabled Drift-Workspace Integration, Revoked Compromised Tokens., Industry-Wide: Reevaluation Of Third-Party Chatbot/Automation Tool Security Postures., , Strengthen SaaS security, enforce zero trust for third-party apps, enhance API monitoring, rotate credentials, revoke unused tokens, improve third-party contract security language, Permanent fix deployed to ensure WAF rules apply uniformly to all paths, including ACME challenge directories., Remediation Of Misconfigurations, Enforcement Of Least-Privilege Iam Policies, Automatic Expiration Of Temporary Assets, .

Last Attacking Group: The attacking group in the last incident were an Pro-Palestinian hacktivist groups, BlackSuitRoyalAkiraScattered SpiderMedusaHunter International, UNC6395 (tracked by Mandiant), Aisuru IoT Botnet, BlackCat group, DOGE team members (insiders) and Unnamed advocacy group.

Most Recent Incident Detected: The most recent incident detected was on 2023-10-07.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-03-03.

Most Recent Incident Resolved: The most recent incident resolved was on 2025-10-27.

Highest Financial Loss: The highest financial loss from an incident was $3.09 billion.

Most Significant Data Compromised: The most significant data compromised in an incident were login passwords, authentication cookies, , Sensitive user data, Customer business contact details (names, emails, phone numbers, locations), Salesforce case data (subject lines, body text with potential keys/secrets), AWS access keys, Snowflake access tokens, Zscaler product licensing/commercial information, Support case logs (may include tokens/passwords), , Personal and medical data of 190 million individuals, Business contact information (names, email addresses, job titles, phone numbers, regional/location details), product licensing and commercial information, plain text content from support cases (including logs, tokens, passwords), Salesforce Object Query Language (SOQL) queries, attachments/files/images in some cases, Database credentials, API tokens, cloud keys, server-side rendering data, local file inclusion vulnerabilities, Social Security data, Voter rolls, Private data of ~1 and000 individuals.

Most Significant System Affected: The most significant system affected in an incident were Crypto Launchpad and Cloudflare serversmobile apps and Israeli websitesMobile alert apps and Salesforce instances (via Salesloft Drift integration)Google Workspace accounts (limited to Drift-integrated emails)Cloudflare API tokens (104 identified, rotated) and Online Gaming Platforms (e.g., Minecraft)ISPs (AT&T, Comcast, Verizon, T-Mobile, Charter) and and and and Cloud storage (S3, GCS, Azure Blob)Secrets ManagerContainer registriesAdmin-controlled environments and .

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was mandiant (for salesloft investigation), google threat intelligence, , FearsOff (security researchers), Pentera (automated penetration testing firm).

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Salesloft revoked all Drift-to-Salesforce connections (pre-notification)Cloudflare disabled Drift user accounts and purged Salesloft softwareGoogle revoked compromised Workspace tokens and disabled Drift integrationSalesloft took Drift platform offline and paused Salesforce integrations, Rotation of credentials, review of Salesforce login history and audit trails, revocation of unused OAuth tokens, enforcement of token expiration, Permanent fix deployed to ensure WAF rules apply uniformly to all paths and Remediation of misconfigurations by affected organizations.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Database credentials, API tokens, cloud keys, server-side rendering data, local file inclusion vulnerabilities, Support case logs (may include tokens/passwords), authentication cookies, AWS access keys, Customer business contact details (names, emails, phone numbers, locations), Zscaler product licensing/commercial information, Personal and medical data of 190 million individuals, Salesforce case data (subject lines, body text with potential keys/secrets), Business contact information (names, email addresses, job titles, phone numbers, regional/location details), product licensing and commercial information, plain text content from support cases (including logs, tokens, passwords), Salesforce Object Query Language (SOQL) queries, attachments/files/images in some cases, login passwords, Snowflake access tokens, Sensitive user data, Social Security data, Voter rolls, Private data of ~1 and000 individuals.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 190.0M.

Highest Fine Imposed: The highest fine imposed for a regulatory violation was $96.9 million (related to another incident).

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Potential (DOJ investigation ongoing).

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Credential hygiene (e.g., rotating tokens in support systems) is often overlooked but critical for limiting post-breach impact., Third-party integrations pose significant supply chain risks, OAuth tokens must be treated with the same security as passwords, zero trust principles (e.g., token expiration, periodic revocation) are critical, API security and monitoring must be prioritized, transparency and accountability in incident response build trust., Improper handling of ACME HTTP-01 challenge paths can create unintended bypass vectors in WAF systems. Regular audits of edge network logic are necessary to prevent similar vulnerabilities., Organizations must inventory all cloud resources, enforce least-privilege IAM policies, and automatically expire temporary assets to mitigate risks from misconfigured non-production systems.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Implement automated token rotation for all API keys/secrets stored in SaaS platforms., Audit all third-party integrations with Salesforce/CRM systems for least-privilege access., Educate employees on the risks of storing sensitive data in insecure fields (e.g., support case notes)., Strengthen SaaS environments and toolchain security., Periodically revisit third-party contracts to include security language (breach notification, right to audit, data handling, sub-processor transparency)., Cloudflare customers were advised that no action was required post-fix. Organizations should verify WAF rule consistency across all paths, including ACME challenge directories., Monitor for unusual data export patterns in Salesforce (e.g., bulk API calls)., Evaluate the necessity of storing sensitive data (e.g., AWS keys) in customer support systems., Conduct tabletop exercises for supply chain attack scenarios involving CRM/ERP systems., Inventory all cloud resources, Enforce strict IAM policies, Automatically expire temporary assets, Enhance monitoring and mitigation strategies, improve communication and coordination with affected organizations, and increase public awareness about the risks of malicious mobile applications., Require multi-factor authentication (MFA) for all Salesforce integrations, including third-party tools., Adopt a zero trust mindset for third-party applications and SaaS., Isolate testing and production environments, Isolate high-risk integrations (e.g., AI chatbots) in segmented network zones with enhanced logging., Rotate credentials and revoke unused OAuth tokens., Enforce token expiration and periodic token refreshes., Conduct thorough reviews of Salesforce login history, audit trails, and API access logs for unusual activity. and Enhance monitoring of API calls and SOQL queries for suspicious patterns..

Most Recent Source: The most recent source of information about an incident are Google Threat Intelligence Advisory, DemandSage, Cloudflare Blog, U.S. Department of Justice (DOJ) court filing, Palo Alto Networks Statement, Cloudflare Blog (Postmortem), Cloudflare, Palo Alto Networks Unit 42 Threat Brief, CyberScoop, Sudo Rem, Mandiant (UNC6395 Tracking), Cloudflare HackerOne Report, Zscaler Statement, Evan Schuman (CSO Online), Zscaler Advisory, Krebs on Security (Brian Krebs), Pentera Investigation and FearsOff Research.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/, https://blog.cloudflare.com/salesloft-drift-incident-august-2024, https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-update, https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/, https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaign, https://www.mandiant.com/resources/insights/unc6395-salesforce-campaign .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Disconnect Salesloft Drift integration immediately., Treat all Drift-stored authentication tokens as compromised., Audit Salesforce for unauthorized data exports (August 8–18, 2024)., Rotate all credentials/secrets shared via Salesforce cases or Drift chats., Monitor for follow-on attacks leveraging stolen AWS/Snowflake tokens., Customers urged to rotate credentials, review Salesforce logs for suspicious activity, and treat any shared support case data as compromised., Cloudflare confirmed no evidence of malicious exploitation and stated no customer action was required., .

Most Recent Customer Advisory: The most recent customer advisory issued were an Cloudflare: Notified affected customers via email/dashboard banners; urged credential rotation.Palo Alto Networks: Contacting customers with potentially exposed sensitive data.Zscaler: Published guidance for customers to review exposed support cases.Salesloft: Advises all customers to disconnect Drift-Salesforce integration., Rotate credentials, monitor for phishing/smishing/vishing attacks using exfiltrated data and review Salesforce audit logs for unusual activity.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Misconfigured security training apps (DVWA, OWASP Juice Shop, etc.), Compromised OAuth tokens via Salesloft Drift integration, Compromised Salesloft Drift authentication tokens (likely via phishing or credential stuffing) and Mobile applications.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was August 9, 2024 (Google observed email access)Likely earlier for initial Drift compromise.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was DDoS attacks and malicious mobile applications, Insufficient access controls for Drift-Salesforce integration tokens.Lack of network segmentation between Drift and Salesforce data stores.Over-reliance on static API tokens without rotation policies.Delayed detection of bulk data exfiltration (August 8–18 activity detected later).Acquisition-related security gaps (Drift’s integration post-Salesloft acquisition)., Exploitation of vulnerable IoT devices for botnet recruitmentInsufficient DDoS mitigation capabilities in targeted ISPs, Stolen or misconfigured OAuth tokens, insufficient monitoring of API access, lack of zero trust principles (e.g., token expiration), third-party integration risks, Logic error in Cloudflare’s edge network where ACME path requests with non-matching tokens bypassed WAF rules entirely., Public exposure of testing apps meant for internal useOverly permissive IAM rolesDefault or unchanged credentialsLack of isolation between testing and production environments, Insider threat, Lack of oversight on data sharing, Unauthorized third-party server usage.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Enhanced monitoring and mitigation strategies, Salesloft: Offlined Drift, revoked all integration tokens, mandatory customer disconnections.Cloudflare: Purged Salesloft software, rotated all exposed API tokens, enhanced Salesforce logging.Google: Disabled Drift-Workspace integration, revoked compromised tokens.Industry-wide: Reevaluation of third-party chatbot/automation tool security postures., Strengthen SaaS security, enforce zero trust for third-party apps, enhance API monitoring, rotate credentials, revoke unused tokens, improve third-party contract security language, Permanent fix deployed to ensure WAF rules apply uniformly to all paths, including ACME challenge directories., Remediation of misconfigurationsEnforcement of least-privilege IAM policiesAutomatic expiration of temporary assets.