Cloudflare Confirms Data Breach, Hackers Stole Customer Data from Salesforce Instances

Cybersecurity

Cloudflare has confirmed a data breach involving unauthorized access to its Salesforce instance, resulting in the exfiltration of customer data. The breach was part of a larger supply chain attack exploiting a vulnerability in the Salesloft Drift chatbot integration, impacting numerous organizations globally.

Breach Details

According to Cloudflare, the threat actor, identified as GRUB1, accessed the Salesforce environment without authorization between August 12 and August 17, 2025. Salesforce is utilized by Cloudflare for customer support and internal case management, and the data compromised includes customer contact information, case subject lines, and correspondence body text.

Cloudflare clarified that sensitive information such as credentials, API keys, logs, or passwords that may have been pasted into support tickets should be considered compromised. However, no attachments or core infrastructure were accessed during this incident.

Response and Mitigation

In response to the breach, Cloudflare conducted a thorough review of the stolen data and identified 104 of its own API tokens, which have been rotated as a precaution. Affected customers were notified by September 2, 2025. The company disabled the compromised Drift integration, rotated credentials for all associated third-party services, and analyzed the stolen data to assess customer impact.

The breach was reported to Cloudflare by Salesforce and Salesloft on August 23, prompting a full-scale security incident response.

Impact on Other Organizations

Other organizations confirmed as victims of this supply chain attack include:

• Palo Alto Networks: Exposed business contact information and internal sales data from its CRM platform.
• Zscaler: Accessed customer information, including names, contact details, and some support case content.
• Google: A “very small number” of Workspace accounts were accessed via compromised tokens.