Cloudflare is the latest company in the recent string of Salesloft Drift breaches, part of the supply-chain attack revealed last week.
The Internet giant revealed on Tuesday that the attackers had access to a Salesforce instance used for internal customer case management and customer support, including 104 Cloudflare API tokens.
Cloudflare was notified of the breach on 23 August and notified affected customers of the incident on 2 September. Before informing customers of the attack, it also rotated all 104 Cloudflare platform tokens, even though it has yet to discover any suspicious activity associated with these tokens.
“Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens,” Cloudflare said.
“Given that Salesforce support data contains support ticket contents with Cloudflare, any information that a customer may have shared with Cloudflare in our support system – including logs, tokens or passwords – should be considered compromised, and we strongly urge customers to rotate any credentials shared with us through this channel.”
The company’s investigation found that the threat actors stole only text within the Salesforce case objects (including customer support tickets and their related data, but not any attachments) between August 12 and August 17, after an initial reconnaissance phase.
The exfiltrated case objects included only text-based data, including:
- The Salesforce case subject line
- The body of the case (which can include keys, secrets, etc., if provided to Cloudflare by the customer)
- Customer contact information
“We believe the incident was not an isolated incident, but rather that the threat actor intended to harvest credentials and customer information for future attacks,” said Cloudflare.
“Given that hundreds of organizations were affected through this Drift compromise, we suspect that the actor will use this information to launch targeted attacks against customers of the affected organizations.”
Wave of Salesforce data breaches
Since the beginning of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing to trick employees into connecting a malicious OAuth app to their company’s Salesforce instance. This tactic enabled the attackers to steal databases, which were later used to extort the victims.
Since Google first wrote about these attacks in June, many data breaches have been linked to ShinyHunters’ social engineering tactics. Their targets include Google, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday and Adidas, as well as the LVMH subsidiary Tiffany & Co.
While some security researchers have told BleepingComputer that the Salesloft supply-chain attacks involve similar threat actors, Google has not found any conclusive evidence linking them.
Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breach stole some support data submitted by customers, including contact information and text comments.
Palo Alto Networks’ incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, did not affect any of its products, systems or services.
The cybersecurity company found that the attackers searched the stolen data for secrets, including AWS access keys (AKIA), VPN and SSO login strings and Snowflake tokens, as well as generic keywords such as “secret”, “password” or “key”, which could be used to breach more cloud platforms and steal data in further extortion attacks.
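As an added example (not from the article, Cloudflare or Palo Alto Networks), a small triage scanner a defender could run over an export of their own support-case text to find the kinds of secrets the article says the attackers searched for, so the affected credentials can be rotated. The regexes, the field names and the sample cases are assumptions constructed for this example; matches are redacted in the output so the report itself does not become a second copy of the secret.

```python
import re
from typing import Dict, List

# Patterns for the secret types named in the article (assumed, not an
# official list): the AWS access key ID format, and the generic keywords
# the attackers were reported to search for.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_keyword": re.compile(r"\b(secret|password|key)\b", re.IGNORECASE),
}

# Constructed sample of exported Salesforce case records (subject + body).
SAMPLE_CASES = [
    {"id": "CASE-001", "subject": "Tunnel not starting",
     "body": "Logs attached. Our password is hunter2 for the test box."},
    {"id": "CASE-002", "subject": "S3 origin returns 403",
     "body": "Using AKIAIOSFODNN7EXAMPLE with the bucket, still 403."},
    {"id": "CASE-003", "subject": "Billing question",
     "body": "Can you confirm the invoice date?"},
]


def redact(value: str) -> str:
    """Keep only a short prefix so an analyst can recognise the hit."""
    return value[:4] + "***"


def scan_case(case: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per pattern match in the subject and body text."""
    text = f"{case['subject']}\n{case['body']}"
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append({"type": name, "hint": redact(match.group(0))})
    return findings


def triage(cases: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Map case id -> findings, listing only cases that need follow-up."""
    report = {}
    for case in cases:
        findings = scan_case(case)
        if findings:
            report[case["id"]] = findings
    return report


if __name__ == "__main__":
    for case_id, findings in triage(SAMPLE_CASES).items():
        print(case_id, findings)
```

A hit on a case means the customer who opened it should be contacted for rotation; a keyword hit is a prompt for manual review rather than proof that a credential was present.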