Cloudflare Confirms Salesforce-Linked Data Breach via Salesloft Drift

Breach Overview
Cloudflare has confirmed that its Salesforce environment was compromised in the ongoing Salesloft Drift supply chain attack, exposing sensitive customer support case data but leaving its core infrastructure untouched.
The breach stemmed from stolen OAuth tokens tied to Salesloft Drift, a chatbot used to connect website visitors with Cloudflare’s support team. The attackers, tracked as GRUB1, exploited this integration to gain access and exfiltrate support-related records.
What Data Was Accessed
The attackers accessed Salesforce case objects, which include:
- Customer contact details
- Case subject lines
- Support correspondence
Cloudflare emphasized that no file attachments were taken. However, some case text fields contained logs, configuration details, and even credentials shared during troubleshooting.
The company confirmed 104 valid API tokens were present in the stolen data. All were rotated immediately, and no malicious use was detected. Impacted customers were notified.
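The credential exposure described above is the kind defenders should hunt for themselves after a support-platform compromise: secrets pasted into case text fields are invisible to attachment-focused reviews. The scanner below is an added example, not Cloudflare's or Salesloft's tooling; the case bodies and the regex heuristics are constructed for illustration, and the report redacts every hit so the triage output does not itself become a second leak.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for credential-like strings that commonly get pasted into
# support tickets (constructed for this example, not a vendor's detection rules).
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9_\-\.=]{20,})"),
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|api[_-]?token|password|secret)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    redacted: str  # only a 4-char prefix survives, so the report never stores the secret

def redact(value: str) -> str:
    return value[:4] + "..." + "****"

def scan_case(case_id: str, text: str) -> list[Finding]:
    """Return one Finding per credential-like match in a single case body."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(case_id, kind, redact(value)))
    return findings

def cases_needing_rotation(cases: dict[str, str]) -> dict[str, list[Finding]]:
    """Map case id -> findings, keeping only cases whose text needs a credential rotation."""
    return {cid: hits for cid, text in cases.items() if (hits := scan_case(cid, text))}

# Constructed sample case bodies (hypothetical, not real support data).
SAMPLE_CASES = {
    "CASE-0001": "Hi, my tunnel won't start. Config:\n  api_token = abcdefghijklmnopqrstuvwxyz0123456789ABCD\n",
    "CASE-0002": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZXRoaW5nLWxvbmc.c2ln' ...",
    "CASE-0003": "DNS record not propagating, no credentials here.",
    "CASE-0004": "Found AKIAIOSFODNN7EXAMPLE in logs, also -----BEGIN RSA PRIVATE KEY-----",
}

if __name__ == "__main__":
    for case_id, hits in cases_needing_rotation(SAMPLE_CASES).items():
        for f in hits:
            print(f"{case_id}: {f.kind} {f.redacted}")  # e.g. CASE-0004: aws_access_key AKIA...****
```

Each flagged case maps to a concrete rotation task; the redacted prefix is enough to tell the owner which credential to revoke without copying the secret into the incident ticket.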
Attack Timeline
According to Cloudflare’s forensic review, GRUB1 operated inside its Salesforce environment for nearly a week in August 2025, performing reconnaissance before exfiltrating case data through the Salesforce Bulk API.
Cloudflare stressed that it was not alone in this wave of intrusions. Other confirmed victims include Palo Alto Networks, Zscaler, PagerDuty, TransUnion, Google, Allianz Life, Farmers Insurance, Cisco, Workday, Chanel, Qantas, and more.
Detailed event timeline (Screenshot via Cloudflare)
Cloudflare’s Response
The company responded by:
- Cutting off the compromised Salesloft integration
- Purging all Salesloft software and extensions
- Revoking OAuth tokens and rotating credentials
- Expanding monitoring and re-onboarding integrations under stricter controls
Cloudflare also acknowledged its role in selecting and relying on third-party tools, calling for stronger industry-wide oversight of SaaS integrations.
Expert Perspective
Security experts praised Cloudflare’s handling of the disclosure.
“Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting,” said Cory Michal, CSO at AppOmni.
He added that Cloudflare’s remediation and commitment to stronger SaaS governance “set a high bar for how organisations should communicate, remediate, and reinforce trust after supply-chain compromises.”
Source: hackread.com