Cloudflare has confirmed a data breach in which a sophisticated threat actor accessed and stole customer data from the company’s Salesforce instance.
The breach was part of a wider supply chain attack that exploited a vulnerability in the Salesloft Drift chatbot integration, affecting hundreds of organizations globally.
In a detailed disclosure, Cloudflare explained that the threat actor, which its intelligence team has named GRUB1, gained unauthorized access to its Salesforce environment between August 12 and August 17, 2025.
The company uses Salesforce for customer support and internal case management. The hackers successfully exfiltrated data from Salesforce “cases,” which are essentially customer support tickets.
The compromised information was limited to the text fields within these support cases. This data includes customer contact information, case subject lines, and the body of the correspondence.
Cloudflare emphasized that while it does not ask customers to share sensitive information in support tickets, any credentials, API keys, logs, or passwords that customers may have pasted into the text fields should now be considered compromised.
No attachments to the cases were accessed, and no Cloudflare services or core infrastructure were breached as a result of this incident.
As part of its response, Cloudflare conducted a search through the stolen data and discovered 104 of its own API tokens. While no suspicious activity was associated with them, these tokens were rotated as a precaution. All customers whose data was compromised were directly notified by Cloudflare as of September 2, 2025.
The investigation revealed that the attack began with reconnaissance on August 9, with the initial compromise occurring on August 12. The threat actor used the stolen credentials from the Salesloft Drift integration to access and systematically explore Cloudflare’s Salesforce tenant before exfiltrating the support case data on August 17.
Cloudflare was formally notified of the vulnerability by Salesforce and Salesloft on August 23, at which point it launched a full-scale security incident response.
The company’s remediation efforts included immediately disabling the compromised Drift integration, rotating credentials for all third-party services connected to Salesforce, and analyzing the stolen data to determine customer impact.
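Cloudflare’s search of the stolen case text for its own API tokens is a step any affected organization can repeat against its own support-case export. The following is an added example, not Cloudflare’s, Salesforce’s or Salesloft’s code: a small Python scanner that flags credential-like strings in case text fields so the owning customers can be notified and the secrets rotated. The token patterns, the entropy threshold and the sample cases are constructed assumptions, not Cloudflare’s token formats.

```python
import math
import re
from collections import Counter

# Illustrative credential patterns for support-ticket text. Assumption: these are
# generic formats, not Cloudflare's token syntax; extend with the formats your
# organization actually issues to customers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_header": re.compile(r"(?i)authorization:\s*bearer\s+([A-Za-z0-9._\-]{20,})"),
    "assignment": re.compile(
        r"(?i)\b(api[_-]?key|api[_-]?token|password|secret)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Fallback for tokens with no recognizable prefix: long, random-looking strings.
LONG_TOKEN = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")

def shannon_entropy(s):
    """Bits per character; random secrets score far higher than prose or log noise."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value):
    """Findings are written to a report, so never carry the full secret along."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"

def scan_case(case_id, text, entropy_threshold=4.0):
    """Return one finding per distinct credential-like value in a case's text field."""
    findings, seen = [], set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if value not in seen:
                seen.add(value)
                findings.append({"case_id": case_id, "kind": kind, "value": redact(value)})
    for m in LONG_TOKEN.finditer(text):
        value = m.group(0)
        if value not in seen and shannon_entropy(value) >= entropy_threshold:
            seen.add(value)
            findings.append({"case_id": case_id, "kind": "high_entropy_string", "value": redact(value)})
    return findings

def scan_cases(cases):
    return [f for case_id, text in cases for f in scan_case(case_id, text)]

def cases_to_notify(findings):
    """Case ids whose owners must be told to rotate what they pasted."""
    return sorted({f["case_id"] for f in findings})

# Constructed sample export of (case id, text field); not real ticket data.
CONSTRUCTED_CASES = [
    ("CASE-1", "DNS for our zone is not resolving since last night. Contact: admin@example.com"),
    ("CASE-2", "Repro: curl -H 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345' https://api.example.com/zones"),
    ("CASE-3", "Our deploy script uses password=Hunter2!Hunter2 and key AKIAEXAMPLE0000EXMPL"),
    ("CASE-4", "Log excerpt: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa repeated every minute"),
    ("CASE-5", "Worker config id zyxwvutsrqponmlkjihgfedcba543210 attached below"),
]
```

Run against a real export, the report lists which cases to notify and what kind of secret appeared, without reproducing the secret itself.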
In a statement, Cloudflare took responsibility for the incident, saying, “We are responsible for the choice of tools we use in support of our business. This breach has let our customers down.
For that, we sincerely apologize.” The company is urging all customers to rotate any credentials they may have shared through the support channel as a matter of urgency. The incident underscores the growing risks associated with third-party integrations in the SaaS ecosystem.
Confirmed victims of this supply chain attack include:
Palo Alto Networks: The cybersecurity firm confirmed the exposure of business contact information and internal sales data from its CRM platform.
Zscaler: The cloud security company reported that customer information, including names, contact details, and some support case content, was accessed.
Google: In addition to being an investigator, Google confirmed a “very small number” of its Workspace accounts were accessed through the compromised tokens.