Cloudflare has publicly acknowledged a security incident involving its Salesforce environment, traced back to the breach of the Salesloft Drift integration. An advanced threat actor, known as GRUB1, exploited OAuth credentials associated with this integration to extract sensitive support case data.
While crucial Cloudflare services remained unaffected, the breach did result in the exposure of sensitive customer information, including contact details, the contents of support tickets, and possibly embedded authentication tokens. This prompted immediate actions, including rotating credentials and informing impacted customers of the situation.
Scope and Technical Details of the Breach
The breach was initiated when Salesloft’s systems were compromised, enabling GRUB1 to collect OAuth tokens related to the Drift chatbot. The attack unfolded between August 12 and August 17, 2025, during which GRUB1 conducted reconnaissance and exfiltrated data through Salesforce’s REST and Bulk API 2.0 interfaces. Notable actions during this period included enumerating Salesforce objects using the stolen credentials, executing a SOQL query to retrieve extensive case data, and exfiltrating all text-based records from the Case object.
The actor's requests carried TruffleHog-based User-Agent strings and used Python's aiohttp library to issue API calls in parallel, which sped up the data pull. In total, 104 Cloudflare API tokens found in the exfiltrated case data were identified and rotated, and no further suspicious activity was recorded after the rotation.
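The activity described above (object enumeration, a large pull of the Case object through a bulk API, and tooling-style User-Agents) is the kind of sequence a defender can flag from API access logs. The following is an added example, not Cloudflare's or Salesforce's code; the record layout is a simplified, constructed stand-in for whatever API log an organization actually collects, and the field names are assumptions rather than any vendor's schema.

```python
"""Flag suspicious SaaS-integration API activity in a constructed log sample.

Added example, not Cloudflare's or Salesforce's code. The record layout is a
simplified, constructed stand-in for a real API access log; field names are
assumptions, not any vendor's schema.
"""
import re
from collections import defaultdict

# Tooling-style User-Agents the incident write-up associates with the pull.
SUSPICIOUS_UA = re.compile(r"trufflehog|aiohttp", re.IGNORECASE)
# Objects whose bulk export by an integration identity deserves a look.
SENSITIVE_OBJECTS = {"Case"}
# Above this many rows in one request, treat a query as a bulk pull.
BULK_ROW_THRESHOLD = 10_000

# Constructed sample: an integration identity enumerates the schema, then
# pulls the Case object in bulk; a normal support agent appears for contrast.
SAMPLE_LOG = [
    {"ts": "2025-08-12T09:01:00Z", "user": "drift-integration", "api": "REST",
     "operation": "describeGlobal", "object": "", "rows": 0,
     "user_agent": "python-requests/2.31"},
    {"ts": "2025-08-12T09:03:00Z", "user": "drift-integration", "api": "REST",
     "operation": "query", "object": "Case", "rows": 200,
     "user_agent": "TruffleHog"},
    {"ts": "2025-08-17T02:10:00Z", "user": "drift-integration", "api": "Bulk API 2.0",
     "operation": "query", "object": "Case", "rows": 150_000,
     "user_agent": "Python/3.11 aiohttp/3.9"},
    {"ts": "2025-08-17T08:00:00Z", "user": "support-agent-42", "api": "REST",
     "operation": "query", "object": "Case", "rows": 25,
     "user_agent": "Mozilla/5.0"},
]


def reasons_for(rec):
    """Return the reasons one record looks suspicious (empty list if none)."""
    reasons = []
    if SUSPICIOUS_UA.search(rec["user_agent"]):
        reasons.append("tooling user-agent: %s" % rec["user_agent"])
    if rec["operation"] == "describeGlobal":
        reasons.append("schema enumeration")
    if rec["object"] in SENSITIVE_OBJECTS and (
        rec["api"].startswith("Bulk") or rec["rows"] >= BULK_ROW_THRESHOLD
    ):
        reasons.append("bulk pull of %s (%d rows)" % (rec["object"], rec["rows"]))
    return reasons


def suspicious_users(records):
    """Group flagged records by identity so an analyst sees each user's sequence."""
    hits = defaultdict(list)
    for rec in records:
        found = reasons_for(rec)
        if found:
            hits[rec["user"]].append((rec["ts"], found))
    return dict(hits)


if __name__ == "__main__":
    for user, events in suspicious_users(SAMPLE_LOG).items():
        print(user)
        for ts, found in events:
            print("  ", ts, "; ".join(found))
```

Grouping by identity matters more than any single rule: a schema enumeration alone is routine for an integration, but enumeration followed within days by a bulk pull of Case from the same OAuth identity is the pattern worth paging on.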
Impact on Cloudflare and Customers
Although the foundational infrastructure of Cloudflare remained secure, the incident raised significant concerns regarding the integrity of third-party integrations. Customer data—including email addresses, phone numbers, case subject lines, and unstructured text fields where access tokens may have been inadvertently shared—was compromised. In response, Cloudflare took swift measures by deactivating the affected Drift integration, revoking all impacted credentials, and instituting a protocol for weekly secret rotations across its external partnerships.
Customers who may have been affected were promptly notified directly and through in-dashboard alerts, urging them to rotate any potentially exposed credentials. The incident underscores the critical need for rigorous security mechanisms surrounding OAuth scopes, adherence to least-privilege access principles, and ongoing monitoring of integrated software-as-a-service (SaaS) applications.
To mitigate the risks associated with such breaches, Cloudflare has laid out several recommendations. These include disconnecting the Salesloft/Drift integration from Salesforce, implementing automated secret scanning in support case data, and enforcing IP-restricted and time-limited OAuth tokens so that a stolen token is usable only from expected addresses and only briefly. Additionally, an audit of third-party applications for role-based access control compliance is advised.
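The "automated secret scanning in support case data" recommendation is concrete enough to show in code. Below is an added example, not Cloudflare's own scanner: it runs a few credential patterns plus an entropy filter over constructed support-case text and reports redacted previews so the findings themselves do not re-expose the secret. The case IDs, ticket text and the Bearer token value are all constructed; the AWS key is the documented example key, and the token formats are illustrative assumptions rather than a vendor's exact token grammar.

```python
"""Scan support-case text for pasted credentials (added example, constructed data).

Not Cloudflare's scanner. Patterns are illustrative; the Bearer token and the
case text below are constructed, and the AWS key is the documented example key.
"""
import math
import re
from collections import Counter

# Each pattern captures the candidate secret in group 1.
PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/_]{20,}=*)"),
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_key_assignment": re.compile(
        r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}

# Constructed support cases: two contain credentials, one is clean, one is a
# low-entropy placeholder that should not be reported.
CASES = {
    "00001234": (
        "Hi, my worker returns 502. Here is my curl:\n"
        "curl -H 'Authorization: Bearer v1_0xA9b3K2mQ7pR4sT8uV1wX5yZ2cD6eF0gH3jL' "
        "https://api.example.com/v4/zones"
    ),
    "00001235": "Password reset email is not arriving, please help.",
    "00001236": "Our deploy script uses AWS key AKIAIOSFODNN7EXAMPLE (pasted by accident).",
    "00001237": "api_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # placeholder in our docs",
}


def shannon_entropy(s):
    """Bits per character; real tokens score well above repeated placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret):
    """Keep only a short prefix and suffix so a finding never contains the secret."""
    return secret[:4] + "..." + secret[-2:]


def scan_case_text(case_id, text, min_entropy=3.0):
    """Return findings for one case; low-entropy matches are dropped as placeholders."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(1)
            if shannon_entropy(secret) < min_entropy:
                continue
            findings.append({"case": case_id, "kind": kind, "preview": redact(secret)})
    return findings


def scan_all(cases):
    """Scan every case and return the combined list of findings."""
    findings = []
    for case_id, text in cases.items():
        findings.extend(scan_case_text(case_id, text))
    return findings


if __name__ == "__main__":
    for f in scan_all(CASES):
        print(f["case"], f["kind"], f["preview"])
```

In practice the findings feed two actions: notify the case owner to rotate the credential, and redact or quarantine the field so that a later export of the Case object (the exact data the attacker pulled here) no longer carries live tokens.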
The incident also highlights the necessity for organizations to adopt a proactive stance on security, particularly regarding API governance and resilience in SaaS supply chains. Cloudflare’s internal threat intelligence team, Cloudforce One, is actively investigating GRUB1’s methodologies and plans to release detailed insights on their tactics.
In a landscape where cybersecurity threats continue to proliferate, this breach reiterates the interconnected risks posed by modern SaaS integrations and emphasizes the importance of robust security measures. By sharing these insights, Cloudflare aims to enhance collective defenses across the industry and prevent similar attacks targeting support platforms.