Cloudflare Confirms Data Breach Associated with Salesforce and Salesloft Drift

Cloudflare has confirmed a data breach of its Salesforce environment through the Salesloft Drift integration. Customer support case data was exposed; Cloudflare's core systems and infrastructure were not affected.

In a recent disclosure, Cloudflare acknowledged that a supply chain attack on Salesloft Drift led to the exposure of sensitive customer support data. Although the breach did not reach its core systems or infrastructure, the incident underscores the risk carried by third-party SaaS integrations: the same campaign has affected many organizations across sectors.

According to Cloudflare, the attackers gained access to its Salesforce environment using compromised OAuth tokens issued to the Salesloft Drift chatbot integration, which Cloudflare used to handle customer interactions on its website. Because the tokens were valid, the attackers could query Salesforce with whatever permissions the integration had been granted; no Cloudflare system was broken into. Cloudflare tracks the group as GRUB1.

What Data Was Compromised

The compromised data is Salesforce data, specifically Case objects, the records behind customer support tickets. A case typically holds the customer's contact details, the ticket subject, and the back-and-forth between Cloudflare and the customer. Attachments were not taken, but the free-text fields are the risk: they contain whatever was pasted during troubleshooting, which can include logs, configuration snippets, and credentials. Anyone who shared a secret with Cloudflare support in a ticket should assume it was read and rotate it.

Cloudflare's review of the stolen data found 104 valid Cloudflare API tokens, which it rotated. It reported no suspicious activity associated with those tokens and notified the affected customers directly.
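One concrete check that follows from the two paragraphs above: sweep your own Salesforce case exports for credentials before an attacker does, and rotate whatever turns up. The script below is an added example written for this page, not Cloudflare's tooling or Salesforce's API; the case rows are constructed, and the 40-character URL-safe "token shape" and the entropy floor are assumptions used only to separate random-looking tokens from commit hashes and ordinary words.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample rows shaped like a Salesforce Case export (CaseNumber, Subject,
# Description). Illustrative data only, not Cloudflare's actual case data.
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Subject": "Worker deploy fails",
     "Description": "wrangler publish returns 'Authentication error'. CI uses "
                    "CF_API_TOKEN=Kq9Xm2Lp4Rz8Ws3Yd6Fh1Jn5Tg0Cv7Bx2NmQwErT and still fails."},
    {"CaseNumber": "00001002", "Subject": "R2 to S3 sync",
     "Description": "Origin is on AWS; the sync job runs with aws_access_key_id "
                    "AKIAIOSFODNN7EXAMPLE, please check your side."},
    {"CaseNumber": "00001003", "Subject": "Regression after rollback",
     "Description": "Reverted to commit 3f9a1c2e4b5d6f7a8b9c0d1e2f3a4b5c6d7e8f90, "
                    "still broken. No credentials attached."},
    {"CaseNumber": "00001004", "Subject": "403 from API",
     "Description": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c3Vi.dGVzdHNpZw' "
                    "https://api.example.com/v4/zones reproduces the 403."},
    {"CaseNumber": "00001005", "Subject": "WARP client logs",
     "Description": "Support asked for WARP diagnostics; nothing shared yet."},
]

# Detectors, most specific first. The 40-char URL-safe shape is an assumption about
# Cloudflare API token format and is only trusted when the string is high-entropy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"Authorization:\s*Bearer\s+([A-Za-z0-9._~+/=-]{20,})", re.I),
    "cloudflare_token_shape": re.compile(r"\b[A-Za-z0-9_-]{40}\b"),
    "keyword_assignment": re.compile(
        r"(?i)(?:api[_-]?key|token|password|secret)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}
ENTROPY_FLOOR = 4.2  # bits/char; 40 hex chars (a git SHA) cannot exceed 4.0
TEXT_FIELDS = ("Subject", "Description")


@dataclass(frozen=True)
class Finding:
    case_number: str
    kind: str
    masked: str


def shannon_entropy(s: str) -> float:
    """Bits per character; separates random tokens from hashes and prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value: str) -> str:
    """Keep enough of the secret to locate it in the ticket, never the whole thing."""
    return value[:4] + "..." + value[-4:]


def scan_cases(cases):
    """Return one Finding per distinct secret-looking value per case."""
    findings, seen = [], set()
    for case in cases:
        text = " ".join(case.get(f, "") for f in TEXT_FIELDS)
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1) if pattern.groups else m.group(0)
                if kind == "cloudflare_token_shape" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue  # looks like a commit hash or similar, not a token
                key = (case["CaseNumber"], value)
                if key in seen:
                    continue  # same secret already caught by a more specific detector
                seen.add(key)
                findings.append(Finding(case["CaseNumber"], kind, mask(value)))
    return findings


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"case {f.case_number}: {f.kind} {f.masked} -> rotate")
```

Run against a real export, the output is a rotation list, not a report to file away: every hit should be treated as exposed regardless of whether the token still shows activity, since Cloudflare's "no suspicious activity" finding describes its own tokens, not yours.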

Detailed event timeline (Screenshot via Cloudflare)

A Broader Threat Landscape

A forensic timeline shared by Cloudflare shows the attackers inside its Salesforce environment for nearly a week in August 2025, first running reconnaissance queries and then pulling the case records through the Salesforce Bulk API, a legitimate export interface. The Cloudflare breach is one instance of a wider campaign against organizations that connected Salesforce to Salesloft Drift, and the stolen case text raises the prospect of follow-on attacks: abuse of credentials found in tickets and phishing tailored to open support conversations.
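The sequence Cloudflare describes, low-volume reconnaissance followed by a bulk export over a legitimate API, is detectable from API event logs when each (user, connected app) principal's own history is the baseline. The detector below is an added example, not Cloudflare's or Salesforce's code. The records are constructed and only loosely modeled on Salesforce Event Monitoring API events; the field names, thresholds, IP addresses, app names and row counts are assumptions, and the dates echo the article's August timeline purely for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class ApiEvent(NamedTuple):
    timestamp: str   # ISO-8601 UTC
    user: str
    app: str         # connected app that presented the OAuth token
    client_ip: str
    api_type: str    # "REST" or "Bulk API 2.0"
    entity: str      # Salesforce object queried
    rows: int        # rows returned / processed


# Constructed records loosely modeled on Salesforce Event Monitoring API events.
# Field names, app names, IPs, dates and volumes are assumptions for this example.
SAMPLE_EVENTS = [
    # normal low-volume REST traffic from the chat integration's usual egress IP
    ApiEvent("2025-08-01T09:00:00Z", "integration-user", "drift-connector", "203.0.113.10", "REST", "Lead", 3),
    ApiEvent("2025-08-05T09:00:00Z", "integration-user", "drift-connector", "203.0.113.10", "REST", "Lead", 2),
    # recon: the same token enumerates objects one row at a time from an unseen IP
    ApiEvent("2025-08-09T11:00:00Z", "integration-user", "drift-connector", "198.51.100.7", "REST", "Account", 1),
    ApiEvent("2025-08-09T11:01:00Z", "integration-user", "drift-connector", "198.51.100.7", "REST", "Case", 1),
    ApiEvent("2025-08-09T11:02:00Z", "integration-user", "drift-connector", "198.51.100.7", "REST", "Contact", 1),
    ApiEvent("2025-08-09T11:03:00Z", "integration-user", "drift-connector", "198.51.100.7", "REST", "Opportunity", 1),
    ApiEvent("2025-08-09T11:04:00Z", "integration-user", "drift-connector", "198.51.100.7", "REST", "User", 1),
    # exfiltration: first-ever bulk job for this app, the whole Case object
    ApiEvent("2025-08-17T14:00:00Z", "integration-user", "drift-connector", "198.51.100.7", "Bulk API 2.0", "Case", 150000),
    # a legitimate backup app that bulk-exports Case from a known IP every fortnight
    ApiEvent("2025-08-02T02:00:00Z", "backup-user", "nightly-backup", "203.0.113.20", "Bulk API 2.0", "Case", 170000),
    ApiEvent("2025-08-16T02:00:00Z", "backup-user", "nightly-backup", "203.0.113.20", "Bulk API 2.0", "Case", 180000),
]
BASELINE_END = "2025-08-09T00:00:00Z"  # events before this are treated as trusted history

SENSITIVE = {"Case", "Contact", "Account", "Lead", "Opportunity"}
RECON_MIN_OBJECTS = 4    # distinct objects probed with tiny result sets
RECON_MAX_ROWS = 10
RECON_WINDOW = timedelta(days=10)
BULK_MIN_ROWS = 10_000
VOLUME_SPIKE = 5.0       # bulk rows vs. the principal's largest historical bulk job


class Alert(NamedTuple):
    user: str
    app: str
    timestamp: str
    entity: str
    bulk_rows: int
    reasons: list


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, baseline_end=BASELINE_END):
    """Flag bulk exports of sensitive objects that break a (user, app) principal's history."""
    cutoff = parse_ts(baseline_end)
    by_principal = defaultdict(list)
    for e in events:
        by_principal[(e.user, e.app)].append(e)

    alerts = []
    for (user, app), evs in by_principal.items():
        evs.sort(key=lambda e: parse_ts(e.timestamp))
        history = [e for e in evs if parse_ts(e.timestamp) < cutoff]
        recent = [e for e in evs if parse_ts(e.timestamp) >= cutoff]
        known_ips = {e.client_ip for e in history}
        past_bulk_max = max((e.rows for e in history if e.api_type == "Bulk API 2.0"), default=0)

        for e in recent:
            if e.api_type != "Bulk API 2.0" or e.rows < BULK_MIN_ROWS or e.entity not in SENSITIVE:
                continue
            t = parse_ts(e.timestamp)
            reasons = []
            # objects this principal touched with near-empty result sets shortly before the export
            probed = {x.entity for x in recent
                      if x.api_type == "REST" and x.rows <= RECON_MAX_ROWS
                      and t - RECON_WINDOW <= parse_ts(x.timestamp) < t}
            if len(probed) >= RECON_MIN_OBJECTS:
                reasons.append("recon")
            if e.client_ip not in known_ips:
                reasons.append("new_ip")
            if past_bulk_max == 0:
                reasons.append("first_bulk_export")
            elif e.rows > VOLUME_SPIKE * past_bulk_max:
                reasons.append("volume_spike")
            if reasons:
                alerts.append(Alert(user, app, e.timestamp, e.entity, e.rows, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.user}/{a.app} bulk {a.entity} rows={a.bulk_rows}: {', '.join(a.reasons)}")
```

The point of keying on the principal rather than on raw volume is visible in the sample: the backup app's 180,000-row export is silent because it matches its own history, while the chat integration's first bulk job fires on three independent signals. A chat widget that has only ever read a few Lead rows has no business issuing a Bulk API job at all, so the cheapest control is scoping the connected app's permissions down to what it uses; the detector is the backstop for when that was not done.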

Palo Alto Networks, Zscaler, and PagerDuty have disclosed breaches from the same campaign. TransUnion reported a related Salesforce incident affecting roughly 4.4 million customers, and Google, Allianz Life, and Farmers Insurance have also acknowledged being targeted.

Cloudflare’s Actions

On discovering the breach, Cloudflare disabled the compromised integration, removed all Salesloft software and browser extensions, and revoked OAuth tokens across the affected platforms. It also tightened monitoring, rotated credentials and put new rotation procedures in place, and began re-onboarding integrations under closer review. Cloudflare acknowledged its own responsibility in the incident and urged the industry to scrutinize third-party connections more closely.

Cybersecurity expert Cory Michal noted the significance of Cloudflare’s transparency in addressing the Salesloft Drift incident. He commended the company’s commitment to improving the security of its SaaS environments and suggested that its proactive approach sets a precedent for organizational responsibility and effective communication in the wake of supply chain compromises.

For defenders, the useful part of this disclosure is the technique, not the headline. Mapped to MITRE ATT&CK, the activity corresponds to stealing an application access token (T1528), using the resulting OAuth grant as a valid account (T1078), and collecting data from an information repository (T1213); exfiltration rode a legitimate API rather than malware, so it left little beyond API audit logs to detect it. The incident is a reminder that a third-party integration inherits the data access of the account it connects to, and that its tokens need the same inventory, scoping, and rotation discipline as any other credential.
