Cloudflare has reported a significant data breach resulting from a supply chain attack on its Salesforce integration with Salesloft Drift. The breach occurred between August 12 and 17, 2025, exposing customer support case data and potentially sensitive credentials.
The Breach Details
The breach was identified after Salesforce and Salesloft notified Cloudflare of a broader security incident. The attack was carried out by a threat actor tracked as GRUB1, who used OAuth credentials stolen from the Salesloft Drift chatbot integration to access Cloudflare's Salesforce-hosted customer support system.
Compromised data includes customer contact information, support case subject lines, and the full body of customer correspondence. Although no file attachments were accessed, sensitive information such as API tokens, passwords, logs, and configuration details shared in support tickets may have been exposed.
Cloudflare's investigation found 104 of its own API tokens within the compromised data. No suspicious activity involving these tokens was detected, but all of them were rotated immediately as a precaution. Neither Cloudflare's core services nor its infrastructure were compromised in the breach.
Attack Timeline
The campaign against Cloudflare began with reconnaissance on August 9, with GRUB1 attempting to validate a potentially stolen Cloudflare API token. The breach started on August 12 at 22:14 UTC, when the attacker accessed the system using stolen Salesloft integration credentials. The attacker conducted reconnaissance of Cloudflare’s Salesforce environment, culminating in data exfiltration on August 17 using Salesforce’s Bulk API 2.0.
Once notified of the incident on August 23, Cloudflare activated a cross-functional security incident response team and set up workstreams for threat containment, securing third-party integrations, safeguarding its broader systems, and analyzing customer impact.
Recommendations for Organizations
Security experts advise organizations using similar third-party integrations to:
- Disconnect all Salesloft connections from Salesforce environments
- Rotate credentials for all third-party applications and integrations
- Implement regular credential rotation schedules
- Review support case data for potentially exposed sensitive information
- Enforce least privilege access for all third-party connections
- Deploy enhanced monitoring for unusual data export activities
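The last recommendation, monitoring for unusual data exports, can be checked against bulk-job records. The following is an added example, not Cloudflare's or Salesforce's code: it uses a constructed, simplified job record layout (not Salesforce's real event-log schema) and an assumed per-integration baseline, and flags Bulk API query jobs that read objects an integration normally never touches or return far more records than its usual volume, the pattern described in the exfiltration step above.

```python
"""Flag unusual Salesforce Bulk API 2.0 export jobs run by integration users.

Record layout is constructed for this example (NOT Salesforce's real event-log
schema): one dict per bulk job with the user, connected app, object queried,
operation and number of records returned.
"""

# Constructed sample jobs: the Drift integration user normally reads a handful
# of Case records; the last two jobs mirror a full Case/Contact pull.
SAMPLE_EVENTS = [
    {"ts": "2025-08-16T10:00:00Z", "user": "drift-integration", "app": "Drift",
     "object": "Case", "operation": "query", "records": 40},
    {"ts": "2025-08-16T11:00:00Z", "user": "sales-ops", "app": "DataLoader",
     "object": "Opportunity", "operation": "query", "records": 12000},
    {"ts": "2025-08-17T03:12:00Z", "user": "drift-integration", "app": "Drift",
     "object": "Case", "operation": "query", "records": 250000},
    {"ts": "2025-08-17T03:20:00Z", "user": "drift-integration", "app": "Drift",
     "object": "Contact", "operation": "query", "records": 180000},
]

# Per-integration baseline (assumed values): the objects the app legitimately
# reads and the largest job size observed during normal operation.
BASELINES = {
    "Drift": {"objects": {"Case"}, "max_records": 500},
}


def flag_bulk_exports(events, baselines=BASELINES):
    """Return one alert per bulk query job that breaks its integration's baseline."""
    alerts = []
    for ev in events:
        base = baselines.get(ev["app"])
        if base is None or ev["operation"] != "query":
            continue  # only baselined integrations and read jobs are checked here
        reasons = []
        if ev["object"] not in base["objects"]:
            reasons.append(f"object {ev['object']} outside baseline")
        if ev["records"] > base["max_records"]:
            reasons.append(f"{ev['records']} records > baseline {base['max_records']}")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "app": ev["app"],
                           "object": ev["object"], "reasons": reasons})
    return alerts


def total_records_exported(events, app):
    """Sum the records one integration pulled; a first sizing of the exposure."""
    return sum(e["records"] for e in events
               if e["app"] == app and e["operation"] == "query")
```

In practice the baseline would be derived from weeks of normal job history per connected app rather than typed in by hand.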
The incident underscores the need to scrutinize every new third-party tool, since the compromise of a single integration can cascade across that vendor's entire customer base. Cloudflare has committed to sharing threat intelligence about GRUB1's attack methods with the broader security community.