Cloudflare Acknowledges Data Breach Associated with Salesloft Drift Supply Chain Compromise

Cloudflare Confirms Impact from Salesloft Drift Breach

On Tuesday, Cloudflare disclosed its involvement in the Salesloft Drift breach, confirming that cybercriminals obtained 104 API tokens associated with its platform. Cloudflare’s security team, led by Sourov Zaman, Craig Strubhart, and Grant Bourzikas, reported no suspicious activity linked to the compromised tokens, but the company has nonetheless rotated all affected tokens as a precaution.

Cloudflare has notified customers whose data may have been compromised directly, via email and dashboard banners. The breach was part of a larger incident in which threat actors accessed Salesforce instances used by several cybersecurity firms, including Zscaler, Palo Alto Networks, SpyCloud, and Tanium. The attackers exfiltrated customer data, notably names, email addresses, job titles, and location information. Their main target, however, appeared to be sensitive access credentials—AWS keys, VPN tokens, and Snowflake credentials—which could leave victim environments open to follow-on attacks.

Zaman and his colleagues explained that Cloudflare uses Salesforce to manage customer interactions and service tracking. Their investigation indicated that the breach occurred between August 12 and 17, 2025, after initial reconnaissance on August 9, 2025. The analysis revealed that the exposed data consisted primarily of Salesforce case objects, which include customer support tickets and their related content.

Critically, the case objects contain client contact details and communications with Cloudflare’s support team; attachments were not part of the exposure. The security team warned that any sensitive information shared in support ticket text fields—including keys and logs—should be considered compromised.
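The practical follow-up to that warning is to find out which credentials were ever pasted into ticket text so they can be rotated. The script below is an added example, not Cloudflare's code or anything from the incident report: it scans the text fields of exported Salesforce case records for credential-shaped strings and produces a redacted rotation list. The field names `Subject`, `Description` and `Comments`, the sample cases, and the keyword-based patterns are assumptions constructed for this example; only the AWS access key ID and PEM header formats are well-known shapes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Text fields of a case export to scan. Subject and Description are Salesforce
# Case fields; "Comments" stands in for flattened CaseComment bodies (assumption).
TEXT_FIELDS = ("Subject", "Description", "Comments")

# (label, regex). AWS key IDs and PEM headers are well-known formats; the
# bearer and keyword patterns are assumptions tuned for recall, since the
# output is a list of things to rotate, not a verdict.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_pem", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"\bbearer\s+([A-Za-z0-9._\-]{20,})", re.IGNORECASE)),
    ("keyword_credential", re.compile(
        r"\b(?:api[_ -]?token|api[_ -]?key|password|secret)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})",
        re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    case_id: str
    field: str
    label: str
    redacted: str  # never the full secret; enough to recognise which one it is


def redact(value: str) -> str:
    """Keep a short prefix so the owner can identify the credential."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_case(case: dict) -> list[Finding]:
    """Return one Finding per credential-shaped match in the case's text fields."""
    findings = []
    for field in TEXT_FIELDS:
        text = case.get(field) or ""
        for label, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(text):
                # Patterns with a capture group isolate the value; others match it whole.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(case["Id"], field, label, redact(value)))
    return findings


def scan_cases(cases: list[dict]) -> list[Finding]:
    return [f for case in cases for f in scan_case(case)]


def rotation_summary(findings: list[Finding]) -> dict:
    """Which cases need customer follow-up, and how many of each credential type."""
    by_label: dict[str, int] = {}
    for f in findings:
        by_label[f.label] = by_label.get(f.label, 0) + 1
    return {
        "cases_needing_followup": sorted({f.case_id for f in findings}),
        "by_credential_type": by_label,
    }


# Constructed sample export; the key below is the AWS documentation example ID.
SAMPLE_CASES = [
    {"Id": "500CONSTRUCTED0001", "Subject": "Worker deploy failing",
     "Description": "Deploy fails with 403. API token: abcDEF1234567890abcDEF1234567890abcDEF12 for reference.",
     "Comments": "Tried again, same error."},
    {"Id": "500CONSTRUCTED0002", "Subject": "Log export question",
     "Description": "Attached logs show AKIAIOSFODNN7EXAMPLE in the Authorization header.",
     "Comments": "Also our Snowflake password=Winter2025!x was in the debug output, sorry."},
    {"Id": "500CONSTRUCTED0003", "Subject": "DNS change",
     "Description": "Please confirm the CNAME for www is correct.", "Comments": ""},
]

if __name__ == "__main__":
    found = scan_cases(SAMPLE_CASES)
    for f in found:
        print(f"{f.case_id} {f.field:<12} {f.label:<20} {f.redacted}")
    print(rotation_summary(found))
```

On the constructed sample this flags three strings across two cases (a pasted API token, an AWS access key ID, and a Snowflake password) and leaves the DNS ticket clean. The patterns deliberately favour recall: a few false positives in a rotation list cost a minute each, whereas a missed key that the attackers already hold costs far more.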

Cloudflare, along with other affected organizations, anticipates that the stolen information may lead to coordinated, targeted attacks against both the company and its customers. Moreover, the attackers reportedly took advantage of their Salesforce access to understand the operational dynamics of Cloudflare’s customer support system, potentially enabling future intrusions.

Despite the breach, Cloudflare has asserted that its core services and infrastructure remain uncompromised. The firm has also communicated its proactive strategies to mitigate future incidents and has shared indicators of compromise relevant to affected organizations utilizing SaaS applications or third-party integrations.

In a related development, Palo Alto Networks has reported similar activities by the attackers, noting that they executed reconnaissance and data exfiltration akin to Cloudflare’s experience. Other security firms, including Proofpoint and Rubrik, have also confirmed their exposure to the Salesloft Drift incident.

The implications of this breach are significant, highlighting the persistent threat landscape facing SaaS providers. Mapped to the MITRE ATT&CK framework, the adversaries’ activity clearly spanned tactics such as initial access and exfiltration (data theft), underscoring the need for robust cybersecurity measures across the industry. As organizations continue to integrate third-party applications into their operations, vigilance remains essential.
