Cloudflare has confirmed a data breach where a sophisticated threat actor accessed and stole customer data from the company’s Salesforce instance.
The breach was part of a wider supply chain attack that exploited a vulnerability in the Salesloft Drift chatbot integration, affecting hundreds of organizations globally.
In a detailed disclosure, Cloudflare explained that the threat actor, which its intelligence team has named GRUB1, gained unauthorized access to its Salesforce environment between August 12 and August 17, 2025.
The company uses Salesforce for customer support and internal case management. The hackers successfully exfiltrated data from Salesforce “cases,” which are primarily customer support tickets.
The compromised information was limited to the text fields within these support cases. This data includes customer contact information, case subject lines, and the body of the correspondence.
Cloudflare emphasized that while they do not request customers to share sensitive information in support tickets, any credentials, API keys, logs, or passwords that customers may have pasted into the text fields should now be considered compromised.
No attachments to the cases were accessed, and no Cloudflare services or core infrastructure were breached as a result of this incident.
As part of its response, Cloudflare conducted a search through the stolen data and discovered 104 of its own API tokens. While no suspicious activity was associated with them, these tokens have been rotated as a precaution. All customers whose data was compromised have been directly notified by Cloudflare as of September 2, 2025.
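As an added example (not Cloudflare's own tooling or code from this article), here is a small Python scanner of the kind a defender could run over exported support-case text fields to find pasted credentials that now need rotation, mirroring the search described above; the sample cases and the token formats it looks for are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of Salesforce-style support cases (hypothetical data,
# not from the incident); only text fields, as those were what was exfiltrated.
SAMPLE_CASES = [
    {"id": "CASE-0001", "subject": "DNS not resolving",
     "body": "Hi, our zone example.com stopped resolving after the change."},
    {"id": "CASE-0002", "subject": "Worker deploy fails",
     "body": "Used this token: Bearer v1_Ab9xQ2rT7kLm3nP0sW8yZ4cV6bN1hJ5gF"},
    {"id": "CASE-0003", "subject": "S3 origin 403",
     "body": "aws_access_key_id=AKIAIOSFODNN7EXAMPLE and secret in attachment"},
    {"id": "CASE-0004", "subject": "Login issue",
     "body": "password: Summer2025! please reset my dashboard login"},
]

# Assumed patterns for credential material commonly pasted into tickets;
# extend with the exact token formats your own services issue.
PATTERNS = {
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9_\-\.]{20,})"),
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password_field": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; bare API keys score high, prose scores low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for credential-like strings in one text field."""
    hits = [(kind, m.group(1)) for kind, rx in PATTERNS.items() for m in rx.finditer(text)]
    # Also catch unlabeled high-entropy blobs that no named pattern covers.
    for tok in re.findall(r"[A-Za-z0-9_\-]{32,}", text):
        if shannon_entropy(tok) > 4.0 and all(tok != v for _, v in hits):
            hits.append(("high_entropy_string", tok))
    return hits

def cases_needing_rotation(cases):
    """Map case id -> kinds of secrets found, driving notification and rotation."""
    out = {}
    for case in cases:
        found = find_secrets(case["subject"] + "\n" + case["body"])
        if found:
            out[case["id"]] = sorted({kind for kind, _ in found})
    return out

if __name__ == "__main__":
    for case_id, kinds in cases_needing_rotation(SAMPLE_CASES).items():
        print(case_id, kinds)
```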
The investigation revealed that the attack began with reconnaissance on August 9, with the initial compromise occurring on August 12. The threat actor used the stolen credentials from the Salesloft Drift integration to access and systematically explore Cloudflare’s Salesforce tenant before exfiltrating the support case data on August 17.
Cloudflare was officially notified of the vulnerability by Salesforce and Salesloft on August 23, at which point it launched a full-scale security incident response.
The company’s remediation efforts included immediately disabling the compromised Drift integration, rotating credentials for all third-party services connected to Salesforce, and analyzing the stolen data to identify customer impact.
In a statement, Cloudflare took responsibility for the incident, saying, “We are responsible for the choice of tools we use in support of our business. This breach has let our customers down. For that, we sincerely apologize.” The company is urging all customers to rotate any credentials they may have shared through the support channel as a matter of urgency. The incident underscores the growing risks associated with third-party integrations in the SaaS ecosystem.
Confirmed victims of this supply chain attack include:
- Palo Alto Networks: The cybersecurity firm confirmed the exposure of business contact information and internal sales data from its CRM platform.
- Zscaler: The cloud security company reported that customer information, including names, contact details, and some support case content, was accessed.
- Google: In addition to being an investigator, Google confirmed a “very small number” of its Workspace accounts were accessed through the compromised tokens.