Incident Types: The types of cybersecurity incidents that have occurred include Ransomware, Cyber Attack and Breach.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with cloudflare (august 23), incident response plan activated with zscaler, incident response plan activated with palo alto networks, incident response plan activated with salesloft, incident response plan activated with google, and third party assistance with mandiant (for salesloft investigation), third party assistance with google threat intelligence, and containment measures with salesloft revoked all drift-to-salesforce connections (pre-notification), containment measures with cloudflare disabled drift user accounts and purged salesloft software, containment measures with google revoked compromised workspace tokens and disabled drift integration, containment measures with salesloft took drift platform offline and paused salesforce integrations, and remediation measures with credential rotation (cloudflare rotated 104 api tokens), remediation measures with customer notifications via email/dashboard banners (cloudflare, palo alto networks), remediation measures with forensic investigations across affected organizations, remediation measures with salesforce instance audits for unauthorized access, and recovery measures with re-establishing secure integrations (timeline unclear), recovery measures with enhanced monitoring of salesforce/salesloft environments, and communication strategy with public blog posts by cloudflare, zscaler, palo alto networks, communication strategy with customer advisories with actionable steps (e.g., disconnect salesloft, rotate credentials), communication strategy with google’s updated threat advisory (august 2024), and enhanced monitoring with likely implemented by affected companies (not detailed)..

Common Attack Types: The most common types of attacks the company has faced is Cyber Attack.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Mobile applications, Compromised Salesloft Drift authentication tokens (likely via phishing or credential stuffing), Compromised IoT Devices (home routers, IP cameras and DVRs).

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Login Passwords, Authentication Cookies, , Sensitive user data, Business Contact Information, Salesforce Case Metadata/Content, Authentication Tokens (Aws, Snowflake, Api Keys), Support Logs (May Include Sensitive Customer-Provided Data) and .

Incident Response Plan: The company's incident response plan is described as Cloudflare (August 23), Zscaler, Palo Alto Networks, Salesloft, Google, .

Third-Party Assistance: The company involves third-party assistance in incident response through Mandiant (for Salesloft investigation), Google Threat Intelligence, .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Credential rotation (Cloudflare rotated 104 API tokens), Customer notifications via email/dashboard banners (Cloudflare, Palo Alto Networks), Forensic investigations across affected organizations, Salesforce instance audits for unauthorized access, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by salesloft revoked all drift-to-salesforce connections (pre-notification), cloudflare disabled drift user accounts and purged salesloft software, google revoked compromised workspace tokens and disabled drift integration, salesloft took drift platform offline and paused salesforce integrations and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Re-establishing secure integrations (timeline unclear), Enhanced monitoring of Salesforce/Salesloft environments, .

Key Lessons Learned: The key lessons learned from past incidents are The importance of monitoring and mitigating cyber threats during times of conflict, especially when physical and cybersecurity domains intersect.The legitimate nature of Cloudflared traffic makes detection particularly challenging for security teams who must differentiate between authorized administrative use and malicious exploitation.Third-party SaaS integrations introduce significant supply chain risk, especially when connected to core systems like Salesforce.,Authentication tokens in chatbot/automation platforms (e.g., Drift) require stricter access controls and rotation policies.,Over-permissive API integrations can enable large-scale data exfiltration with minimal detection.,Proactive disconnection of integrations (as done by Salesloft) can limit blast radius, but transparency is critical to maintain trust.,Credential hygiene (e.g., rotating tokens in support systems) is often overlooked but critical for limiting post-breach impact.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Enhance monitoring and mitigation strategies, improve communication and coordination with affected organizations and and increase public awareness about the risks of malicious mobile applications..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Cloudflare, and Source: Sudo Rem, and Source: Dutch IT Channel, and Source: CyberScoopUrl: https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/Date Accessed: 2024-08-28, and Source: Cloudflare Blog (Postmortem)Url: https://blog.cloudflare.com/salesloft-drift-incident-august-2024Date Accessed: 2024-08-27, and Source: Zscaler AdvisoryUrl: https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-updateDate Accessed: 2024-08-26, and Source: Palo Alto Networks StatementUrl: https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/Date Accessed: 2024-08-27, and Source: Google Threat Intelligence AdvisoryUrl: https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaignDate Accessed: 2024-08-25, and Source: Mandiant (UNC6395 Tracking)Url: https://www.mandiant.com/resources/insights/unc6395-salesforce-campaignDate Accessed: 2024-08-20, and Source: Krebs on Security (Brian Krebs).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Blog Posts By Cloudflare, Zscaler, Palo Alto Networks, Customer Advisories With Actionable Steps (E.G., Disconnect Salesloft, Rotate Credentials) and Google’S Updated Threat Advisory (August 2024).

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Disconnect Salesloft Drift Integration Immediately., Treat All Drift-Stored Authentication Tokens As Compromised., Audit Salesforce For Unauthorized Data Exports (August 8–18, 2024)., Rotate All Credentials/Secrets Shared Via Salesforce Cases Or Drift Chats., Monitor For Follow-On Attacks Leveraging Stolen Aws/Snowflake Tokens., Cloudflare: Notified Affected Customers Via Email/Dashboard Banners; Urged Credential Rotation., Palo Alto Networks: Contacting Customers With Potentially Exposed Sensitive Data., Zscaler: Published Guidance For Customers To Review Exposed Support Cases., Salesloft: Advises All Customers To Disconnect Drift-Salesforce Integration. and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Mandiant (For Salesloft Investigation), Google Threat Intelligence, , Likely Implemented By Affected Companies (Not Detailed), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Enhanced monitoring and mitigation strategies, Salesloft: Offlined Drift, Revoked All Integration Tokens, Mandatory Customer Disconnections., Cloudflare: Purged Salesloft Software, Rotated All Exposed Api Tokens, Enhanced Salesforce Logging., Google: Disabled Drift-Workspace Integration, Revoked Compromised Tokens., Industry-Wide: Reevaluation Of Third-Party Chatbot/Automation Tool Security Postures., .

Last Attacking Group: The attacking group in the last incident were an Pro-Palestinian hacktivist groups, BlackSuitRoyalAkiraScattered SpiderMedusaHunter International, UNC6395 (tracked by Mandiant) and Aisuru IoT Botnet.

Most Recent Incident Detected: The most recent incident detected was on 2023-10-07.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-08-27 (confirmations by Cloudflare, Zscaler, Palo Alto Networks).

Most Significant Data Compromised: The most significant data compromised in an incident were login passwords, authentication cookies, , Sensitive user data, Customer business contact details (names, emails, phone numbers, locations), Salesforce case data (subject lines, body text with potential keys/secrets), AWS access keys, Snowflake access tokens, Zscaler product licensing/commercial information, Support case logs (may include tokens/passwords) and .

Most Significant System Affected: The most significant system affected in an incident were Crypto Launchpad and Cloudflare serversmobile apps and Israeli websitesMobile alert apps and Hosting provider using Cloudflare's Magic Transit and Salesforce instances (via Salesloft Drift integration)Google Workspace accounts (limited to Drift-integrated emails)Cloudflare API tokens (104 identified, rotated) and Online Gaming Platforms (e.g., Minecraft)ISPs (AT&T, Comcast, Verizon, T-Mobile, Charter).

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was mandiant (for salesloft investigation), google threat intelligence, .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident was Salesloft revoked all Drift-to-Salesforce connections (pre-notification)Cloudflare disabled Drift user accounts and purged Salesloft softwareGoogle revoked compromised Workspace tokens and disabled Drift integrationSalesloft took Drift platform offline and paused Salesforce integrations.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Zscaler product licensing/commercial information, Sensitive user data, authentication cookies, AWS access keys, Snowflake access tokens, Support case logs (may include tokens/passwords), Customer business contact details (names, emails, phone numbers, locations), login passwords, Salesforce case data (subject lines and body text with potential keys/secrets).

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 104.0.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Credential hygiene (e.g., rotating tokens in support systems) is often overlooked but critical for limiting post-breach impact.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Isolate high-risk integrations (e.g., AI chatbots) in segmented network zones with enhanced logging., Evaluate the necessity of storing sensitive data (e.g., AWS keys) in customer support systems., Conduct tabletop exercises for supply chain attack scenarios involving CRM/ERP systems., Monitor for unusual data export patterns in Salesforce (e.g., bulk API calls)., Enhance monitoring and mitigation strategies, improve communication and coordination with affected organizations, and increase public awareness about the risks of malicious mobile applications., Require multi-factor authentication (MFA) for all Salesforce integrations, including third-party tools., Audit all third-party integrations with Salesforce/CRM systems for least-privilege access. and Implement automated token rotation for all API keys/secrets stored in SaaS platforms..

Most Recent Source: The most recent source of information about an incident are Zscaler Advisory, Palo Alto Networks Statement, Cloudflare, Krebs on Security (Brian Krebs), Google Threat Intelligence Advisory, Cloudflare Blog (Postmortem), Sudo Rem, CyberScoop, Mandiant (UNC6395 Tracking) and Dutch IT Channel.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/, https://blog.cloudflare.com/salesloft-drift-incident-august-2024, https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-update, https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/, https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaign, https://www.mandiant.com/resources/insights/unc6395-salesforce-campaign .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Disconnect Salesloft Drift integration immediately., Treat all Drift-stored authentication tokens as compromised., Audit Salesforce for unauthorized data exports (August 8–18, 2024)., Rotate all credentials/secrets shared via Salesforce cases or Drift chats., Monitor for follow-on attacks leveraging stolen AWS/Snowflake tokens., .

Most Recent Customer Advisory: The most recent customer advisory issued was an Cloudflare: Notified affected customers via email/dashboard banners; urged credential rotation.Palo Alto Networks: Contacting customers with potentially exposed sensitive data.Zscaler: Published guidance for customers to review exposed support cases.Salesloft: Advises all customers to disconnect Drift-Salesforce integration.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Compromised Salesloft Drift authentication tokens (likely via phishing or credential stuffing) and Mobile applications.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was August 9, 2024 (Google observed email access)Likely earlier for initial Drift compromise.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was DDoS attacks and malicious mobile applications, Insufficient access controls for Drift-Salesforce integration tokens.Lack of network segmentation between Drift and Salesforce data stores.Over-reliance on static API tokens without rotation policies.Delayed detection of bulk data exfiltration (August 8–18 activity detected later).Acquisition-related security gaps (Drift’s integration post-Salesloft acquisition)., Exploitation of vulnerable IoT devices for botnet recruitmentInsufficient DDoS mitigation capabilities in targeted ISPs.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Enhanced monitoring and mitigation strategies, Salesloft: Offlined Drift, revoked all integration tokens, mandatory customer disconnections.Cloudflare: Purged Salesloft software, rotated all exposed API tokens, enhanced Salesforce logging.Google: Disabled Drift-Workspace integration, revoked compromised tokens.Industry-wide: Reevaluation of third-party chatbot/automation tool security postures..