Cloudflare Confirms Data Breach – Customer Data Exposed via Salesforce Attack

Cloudflare has disclosed a significant data breach affecting customer information following a sophisticated supply chain attack targeting its Salesforce integration with Salesloft Drift.

The incident, which occurred between August 12 and 17, 2025, resulted in the exposure of customer support case data and potentially sensitive credentials shared through support channels.

The Breach Details

The cybersecurity company became aware of suspicious activity within its Salesforce tenant last week after being notified by Salesforce and Salesloft about a broader security incident.

The attack was orchestrated by an advanced threat actor designated as GRUB1, who exploited compromised OAuth credentials from the Salesloft Drift chatbot integration to access Cloudflare’s customer support system.

The compromised data includes customer contact information, support case subject lines, and the full body of customer correspondence with Cloudflare support.

While no file attachments were accessed, the breach potentially exposed any sensitive information customers may have shared in support tickets, including API tokens, passwords, logs, and configuration details.

“Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system should be considered compromised,” the company stated in its incident disclosure.

This was not an isolated attack against Cloudflare alone. The GRUB1 threat actor targeted hundreds of organizations globally through the same compromised Salesloft Drift integration, making it one of the most significant supply chain attacks of 2025.

Google’s Threat Intelligence Group has also published research aligning with Cloudflare’s findings about this sophisticated campaign.

During its investigation, Cloudflare discovered 104 of its own API tokens within the compromised data. While no suspicious activity was detected related to these tokens, all were immediately rotated as a precautionary measure.
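The kind of review that the token finding implies, scanning exported support-case text for credential-like strings so they can be rotated, as an added example that is not Cloudflare's tooling. The 40-character token shape, the other patterns and the case records are assumptions constructed for illustration.

```python
"""Scan exported support-case bodies for credential-like strings and report
them redacted, so the owners can be notified and the secrets rotated."""
import re

# Assumption: a Cloudflare-style API token is 40 characters of [A-Za-z0-9_-].
# The other two patterns are generic shapes a support desk commonly sees.
PATTERNS = {
    "cloudflare_api_token": re.compile(r"\b[A-Za-z0-9_-]{40}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word)?\s*[:=]\s*(\S+)"),
    "bearer_header": re.compile(r"(?i)\bAuthorization:\s*Bearer\s+(\S+)"),
}

# Constructed case records; the token and password are fake placeholders.
SAMPLE_CASES = [
    {"id": "CASE-1", "body": "Hi, my zone purge fails. Token: AbCdEfGh1234567890AbCdEfGh1234567890AbCd"},
    {"id": "CASE-2", "body": "Config snippet: password=Hunter2! and origin 203.0.113.5"},
    {"id": "CASE-3", "body": "Thanks, issue resolved."},
]


def redact(value):
    """Keep only the first four characters so the report does not re-expose the secret."""
    return value[:4] + "...****"


def find_secrets(cases):
    """Return {case_id: [(kind, redacted_value), ...]} for every case whose
    body contains at least one credential-like string."""
    findings = {}
    for case in cases:
        hits = []
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(case["body"]):
                value = match.group(1) if match.groups() else match.group(0)
                hits.append((kind, redact(value)))
        if hits:
            findings[case["id"]] = hits
    return findings


if __name__ == "__main__":
    for case_id, hits in find_secrets(SAMPLE_CASES).items():
        print(case_id, hits)
```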

The company emphasized that none of its core services or infrastructure were compromised in the breach.

Attack Timeline

The threat actor’s campaign against Cloudflare began with reconnaissance on August 9, when GRUB1 attempted to validate a potentially stolen Cloudflare API token.

The actual breach commenced on August 12 at 22:14 UTC, when the attacker gained access using stolen Salesloft integration credentials from IP address 44.215.108.109.

Over the following days, GRUB1 conducted extensive reconnaissance of Cloudflare’s Salesforce environment, mapping data structures and understanding the support system’s operations.

The final data exfiltration occurred on August 17, when the attacker switched to new infrastructure (IP 208.68.36.90) and used Salesforce’s Bulk API 2.0 to extract the support case data in just over three minutes.

Notably, the attacker attempted to cover their tracks by deleting the API job, but Cloudflare’s security team was able to reconstruct the full attack timeline from residual logs.

Cloudflare’s response was comprehensive once notified of the incident on August 23. The company immediately activated a cross-functional security incident response team and established four priority workstreams: immediate threat containment, securing third-party integrations, safeguarding broader systems, and customer impact analysis.

Cloudflare has taken responsibility for the breach, with company leadership acknowledging that “we are responsible for the choice of tools we use in support of our business. This breach has let our customers down. For that, we sincerely apologize.”

Recommendations for Organizations

Security experts recommend that all organizations using similar third-party integrations take immediate action:

  • Disconnect all Salesloft connections from Salesforce environments
  • Rotate credentials for all third-party applications and integrations
  • Implement regular credential rotation schedules
  • Review support case data for potentially exposed sensitive information
  • Enforce least privilege access for all third-party connections
  • Deploy enhanced monitoring for unusual data export activities
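One way to surface the sequence described in the attack timeline (a login from an unfamiliar IP, a large Bulk API export of Case records, then deletion of the job) and to implement the monitoring recommendation above, as an added example that is not Cloudflare's or Salesforce's code. The JSON-lines event format, the IPs and the row counts are constructed; real Salesforce event logs use different field names.

```python
"""Detection logic over constructed Salesforce-style integration events."""
import json

# Constructed sample events in a simplified JSON-lines format (assumption: real
# Salesforce Event Monitoring uses different field names). IPs come from
# documentation ranges, not from the incident.
SAMPLE_LOG = """\
{"ts": "2025-08-12T22:14:00Z", "event": "Login", "user": "drift-integration", "ip": "203.0.113.10"}
{"ts": "2025-08-17T14:00:00Z", "event": "Login", "user": "drift-integration", "ip": "198.51.100.7"}
{"ts": "2025-08-17T14:01:00Z", "event": "BulkApiJobCreate", "user": "drift-integration", "ip": "198.51.100.7", "job": "job-constructed-1", "object": "Case"}
{"ts": "2025-08-17T14:04:10Z", "event": "BulkApiJobComplete", "user": "drift-integration", "ip": "198.51.100.7", "job": "job-constructed-1", "object": "Case", "rows": 120000}
{"ts": "2025-08-17T14:05:00Z", "event": "BulkApiJobDelete", "user": "drift-integration", "ip": "198.51.100.7", "job": "job-constructed-1"}
"""


def analyze(log_text, known_ips, row_threshold=10000):
    """Return [(rule, detail), ...] for three signals from the incident:
    a login from an IP outside the integration's baseline, a Bulk API export
    of Case records above row_threshold, and a job deleted after completing
    (the attempt to remove the export from the audit trail)."""
    alerts = []
    completed = {}  # job id -> completion timestamp
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        kind, ip = e["event"], e.get("ip")
        if kind == "Login" and ip not in known_ips:
            alerts.append(("new_source_ip", f"{e['user']} logged in from {ip} at {e['ts']}"))
        elif kind == "BulkApiJobComplete":
            completed[e["job"]] = e["ts"]
            if e.get("object") == "Case" and e.get("rows", 0) >= row_threshold:
                alerts.append(("bulk_case_export", f"job {e['job']} exported {e['rows']} Case rows to {ip}"))
        elif kind == "BulkApiJobDelete" and e["job"] in completed:
            alerts.append(("job_deleted_after_completion",
                           f"job {e['job']} deleted at {e['ts']} after completing at {completed[e['job']]}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG, known_ips={"203.0.113.10"}):
        print(f"[{rule}] {detail}")
```

Because the deletion alert keys on a job that already completed, it fires even when the creation and completion events are the only trace left, which is the situation the residual-log reconstruction describes.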

The incident serves as a reminder that in today’s interconnected business environment, organizations are only as secure as their weakest third-party integration.

As Cloudflare noted, “we need to approach each new tool with careful scrutiny” given the potential for cascading security impacts across entire customer bases.

Cloudflare has committed to sharing detailed threat intelligence about GRUB1’s attack methods with the broader security community to help defend against similar campaigns in the future.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.