Cloudflare, a leading web infrastructure and security company, has disclosed a data breach resulting from a sophisticated supply chain attack targeting the Salesloft Drift chatbot integration. This incident is part of a broader campaign that has compromised numerous organizations worldwide.
Incident Overview
Between August 12 and August 17, 2025, an unauthorized entity, tracked by Cloudflare's intelligence team as GRUB1, accessed the company's Salesforce environment. Salesforce serves as Cloudflare's platform for customer support and internal case management. The attacker used OAuth tokens stolen from the Salesloft Drift chatbot integration. Because Drift is connected to Salesforce, those tokens let the attacker authenticate to Cloudflare's Salesforce tenant as the integration itself, with the integration's data access and without any Cloudflare credential.
Scope of the Breach
The attackers exfiltrated data from Salesforce case objects, primarily comprising customer support tickets. The compromised information includes:
– Customer Contact Details: Names, email addresses, and phone numbers associated with support cases.
– Case Subject Lines and Correspondence: The content of communications between Cloudflare and its customers.
Notably, while Cloudflare does not solicit sensitive information such as credentials or API keys through support tickets, some customers may have inadvertently included such data in their communications. Consequently, any credentials, logs, or sensitive information shared via this channel should be considered compromised. Importantly, no attachments were accessed during the breach, and Cloudflare’s core services and infrastructure remain unaffected.
Immediate Response and Mitigation
Upon discovering the breach, Cloudflare undertook several immediate actions:
1. Disabling the Compromised Integration: The Salesloft Drift integration was promptly deactivated to prevent further unauthorized access.
2. Credential Rotation: All OAuth tokens and credentials associated with third-party services connected to Salesforce were rotated.
3. Data Analysis: A thorough examination of the exfiltrated data was conducted to assess the extent of the breach.
During this analysis, Cloudflare identified 104 of its own API tokens within the compromised data. Although no suspicious activity was detected concerning these tokens, they were rotated as a precautionary measure. Customers whose data was affected were directly notified by September 2, 2025.
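Two of the points above (customers may have pasted credentials into tickets, and Cloudflare's analysis turned up 104 of its own API tokens in the stolen case data) reduce to the same task: scanning exported case text for secrets and producing a redacted inventory for rotation. The following Python is an added example, not Cloudflare's tooling. The Cloudflare token shape (40 characters of letters, digits, `_` and `-`) is a heuristic assumption, the other patterns are generic, and the sample cases are constructed.

```python
"""Scan exported support-case text for credentials that should never have
been shared, and produce a redacted inventory for the rotation work.
Added example; the token patterns are heuristics, not vendor specifications."""
import re
from collections import Counter
from typing import Iterable

# Assumed shapes: a Cloudflare API token is treated as a 40-char run of
# [A-Za-z0-9_-]; AWS access key IDs start with AKIA; PEM private keys are
# recognised by their header. Tune these to your own secret inventory.
PATTERNS = {
    "cloudflare_api_token": re.compile(
        r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def looks_like_random_token(s: str) -> bool:
    """False-positive filter for the 40-char rule: a real API token mixes
    upper, lower and digits; a git commit SHA or other hex hash does not."""
    return (any(c.isupper() for c in s) and any(c.islower() for c in s)
            and any(c.isdigit() for c in s))


def redact(secret: str) -> str:
    """Keep just enough to correlate with a token list, never the whole value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_case(case_id: str, text: str) -> list[dict]:
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "cloudflare_api_token" and not looks_like_random_token(value):
                continue
            findings.append({"case_id": case_id, "kind": kind,
                             "redacted": redact(value), "secret": value})
    return findings


def scan_cases(cases: Iterable[dict]) -> tuple[list[dict], Counter]:
    """Return per-case findings with the raw value stripped, plus the number
    of distinct secrets per kind (the figure the rotation owner needs)."""
    all_findings = []
    distinct: dict[str, set] = {}
    for case in cases:
        text = case["subject"] + "\n" + case["body"]
        for f in scan_case(case["case_id"], text):
            distinct.setdefault(f["kind"], set()).add(f.pop("secret"))
            all_findings.append(f)
    return all_findings, Counter({k: len(v) for k, v in distinct.items()})


# Constructed sample export. The same fake token appears in two tickets, so
# the distinct count is 1 even though there are two findings for it.
SAMPLE_CASES = [
    {"case_id": "C-1001", "subject": "API returning 403",
     "body": ("Here is the exact curl I run:\n"
              "curl -H 'Authorization: Bearer cfExampleToken_0123456789ABCDEFabcdefGHI' "
              "https://api.cloudflare.com/client/v4/zones\n"
              "It worked yesterday, commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12.")},
    {"case_id": "C-1002", "subject": "Worker deploy fails",
     "body": ("Same token as my other ticket: "
              "cfExampleToken_0123456789ABCDEFabcdefGHI and our S3 key AKIAEXAMPLEKEY000001")},
    {"case_id": "C-1003", "subject": "Billing question",
     "body": "No credentials here, just an invoice query."},
]

if __name__ == "__main__":
    findings, counts = scan_cases(SAMPLE_CASES)
    for f in findings:
        print(f"{f['case_id']}: {f['kind']} {f['redacted']}")
    print("distinct secrets to rotate:", dict(counts))
```

The 40-character commit hash in C-1001 is deliberately there to show why the mixed-character-class filter matters: without it, every git SHA in a ticket becomes a false positive. Run the scanner over the full export, hand the distinct counts and redacted prefixes to whoever owns each credential, and keep the unredacted values out of the report entirely.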
Broader Implications
This incident underscores the inherent risks associated with third-party integrations in the Software as a Service (SaaS) ecosystem. The Salesloft Drift supply chain attack has impacted several prominent organizations, including:
– Palo Alto Networks: The cybersecurity firm reported exposure of business contact information and internal sales data from its Customer Relationship Management (CRM) platform.
– Zscaler: The cloud security company disclosed that customer information, including names, contact details, and some support case content, was accessed.
– Google: The tech giant confirmed that a very small number of its Workspace accounts were accessed through the compromised tokens.
Timeline of Events
– August 9, 2025: Initial reconnaissance activities by the threat actor were observed.
– August 12-17, 2025: Unauthorized access and data exfiltration occurred within Cloudflare’s Salesforce environment.
– August 23, 2025: Cloudflare was officially notified of the compromise by Salesforce and Salesloft.
– September 2, 2025: Cloudflare completed its investigation and notified affected customers.
Cloudflare’s Commitment to Security
In a statement, Cloudflare acknowledged its responsibility for the tools it employs and expressed regret over the incident, stating: "We are responsible for the choice of tools we use in support of our business. This breach has let our customers down. For that, we sincerely apologize."
The company is urging all customers to rotate any credentials shared through the support channel as a precautionary measure. This incident highlights the critical importance of rigorous oversight and security measures when integrating third-party services into organizational workflows.
Recommendations for Customers
In light of this breach, Cloudflare recommends the following actions for its customers:
1. Credential Rotation: Immediately rotate any credentials, API keys, or passwords that may have been shared through Cloudflare’s support system.
2. Monitor Account Activity: Regularly review account logs and monitor for any unusual or unauthorized activities.
3. Enhance Security Practices: Implement multi-factor authentication (MFA) and other security best practices to safeguard accounts and sensitive information.
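"Monitor account activity" is only useful if the monitoring is specific to how this class of attack looks: a connected app that suddenly reads objects it never touched, pulls far more rows than its baseline, or keeps authenticating after its token was supposedly revoked. The following Python is an added example, not Cloudflare's or Salesforce's detection logic. The log line format, the app names and the event data are all constructed for the example; real connected-app audit logs have their own schema and would need their own parser.

```python
"""Baseline-and-deviation detection for OAuth connected-app activity.
Added example with a constructed log format, not a vendor's log schema."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) object=(?P<obj>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    app: str   # OAuth connected app / client that made the request
    obj: str   # data object touched
    op: str    # query kind
    rows: int  # rows returned


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["app"], m["obj"], m["op"], int(m["rows"]))


def daily_rows(events):
    """Rows returned per (app, object, day)."""
    out = defaultdict(int)
    for e in events:
        out[(e.app, e.obj, e.ts.date())] += e.rows
    return out


def detect(events, baseline_until, revoked=None, spike_factor=5):
    """Three rules: an app touching an object absent from its baseline, a daily
    row count above spike_factor x the app's baseline maximum for that object,
    and any activity from an app after the time its token was revoked."""
    revoked = revoked or {}
    base = [e for e in events if e.ts < baseline_until]
    recent = [e for e in events if e.ts >= baseline_until]
    baseline_max = defaultdict(int)
    for (app, obj, _day), rows in daily_rows(base).items():
        baseline_max[(app, obj)] = max(baseline_max[(app, obj)], rows)
    alerts = []
    recent_daily = sorted(daily_rows(recent).items(),
                          key=lambda kv: (kv[0][2], kv[0][0], kv[0][1]))
    for (app, obj, day), rows in recent_daily:
        if (app, obj) not in baseline_max:
            alerts.append(("new_object", app, obj, day, rows))
        elif rows > spike_factor * baseline_max[(app, obj)]:
            alerts.append(("volume_spike", app, obj, day, rows))
    for e in recent:
        cutoff = revoked.get(e.app)
        if cutoff and e.ts >= cutoff:
            alerts.append(("post_revocation", e.app, e.obj, e.ts.date(), e.rows))
    return alerts


# Constructed sample: a chat integration ("Drift") that normally reads a few
# hundred Contact/Lead rows a day, and a support portal that legitimately
# reads ~3000 Case rows a day. The baseline window ends 2025-08-09.
SAMPLE_LOG = """
2025-08-01T09:00:00Z app=Drift object=Contact op=query rows=310
2025-08-01T09:05:00Z app=Drift object=Lead op=query rows=120
2025-08-01T10:00:00Z app=SupportPortal object=Case op=query rows=2900
2025-08-02T09:00:00Z app=Drift object=Contact op=query rows=280
2025-08-02T09:05:00Z app=Drift object=Lead op=query rows=95
2025-08-02T10:00:00Z app=SupportPortal object=Case op=query rows=3100
2025-08-05T09:00:00Z app=Drift object=Contact op=query rows=400
2025-08-05T10:00:00Z app=SupportPortal object=Case op=query rows=3000
2025-08-09T03:12:00Z app=Drift object=User op=query rows=50
2025-08-12T02:11:09Z app=Drift object=Case op=bulk_query rows=48000
2025-08-13T02:14:00Z app=Drift object=Contact op=bulk_query rows=21000
2025-08-13T10:00:00Z app=SupportPortal object=Case op=query rows=3200
2025-08-20T11:00:00Z app=Drift object=Contact op=query rows=10
"""
EVENTS = [parse_line(l) for l in SAMPLE_LOG.strip().splitlines()]
BASELINE_UNTIL = datetime(2025, 8, 9, tzinfo=timezone.utc)
# Assumed revocation time for the integration's token (constructed).
REVOKED = {"Drift": datetime(2025, 8, 18, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for rule, app, obj, day, rows in detect(EVENTS, BASELINE_UNTIL, revoked=REVOKED):
        print(f"{day} {rule:16} {app}/{obj} rows={rows}")
```

On the sample, the portal's 3200-row day stays quiet because it sits well inside its own baseline, while the integration trips all three rules in turn: an object it never read before, a 50x jump on an object it did, and a request after its token should have been dead. That last rule is the cheapest and most decisive one to keep running after a rotation, since a single hit means the revocation did not take everywhere.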
Conclusion
The Cloudflare data breach serves as a stark reminder of the vulnerabilities inherent in third-party integrations and the supply chain. Organizations must exercise due diligence in selecting and managing these integrations, ensuring robust security protocols are in place to protect sensitive customer data.