Cloudflare confirms a Salesforce-linked data breach via Salesloft Drift, exposing customer support case data but leaving core systems unaffected.

Cloudflare has confirmed that customer support data was exposed in the Salesloft Drift supply chain attack, which abused Salesforce integrations at hundreds of companies. While its core systems and infrastructure were not affected, the breach did expose sensitive case data, highlighting the risks of third-party SaaS connections.

Cloudflare explained that attackers gained access to its Salesforce environment by using stolen OAuth tokens belonging to the Salesloft Drift chatbot integration. That integration, which lets website visitors reach Cloudflare support, was abused by a threat group the company has dubbed GRUB1 to steal data.

What Was Accessed

The exposed information consists of Salesforce records, including “case objects,” which hold support tickets. These records typically contain customer contact details, subject lines, and the correspondence between Cloudflare and its customers.

According to Cloudflare’s blog post, no attachments were accessed, but the text fields in support cases sometimes included logs, configuration details, and even tokens or credentials shared during troubleshooting.

Cloudflare’s review found 104 valid API tokens in the stolen data. These were rotated immediately, and the company said no suspicious activity was linked to them. Customers with possible exposure were notified directly.
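The finding above, that free-text case fields carried tokens and credentials pasted during troubleshooting, is the kind of exposure a defender can triage mechanically after a SaaS incident. The following is an added example, not code from Cloudflare or Salesforce: it scans a handful of constructed support-case text fields for explicit secret disclosures (bearer tokens, `api_token = ...` assignments, `password=` values) and for long high-entropy strings, and returns redacted findings per case so the affected credentials can be rotated. The regexes, the entropy threshold, and the sample case text are all assumptions made for the example; checking whether a flagged token is still valid, as Cloudflare did for the 104 it found, is a separate step against the issuing service and is not shown here.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample: a few support-case text fields of the kind the article
# describes (logs and config pasted by customers). All values are made up.
SAMPLE_CASES = {
    "CASE-0001": "Hi, my zone won't purge. Ran: curl -H 'Authorization: Bearer "
                 "7Kq2mX9vL4pR8sT1wY6zB3nC5dF0gH2jK4lM6nP8' https://api.example/purge",
    "CASE-0002": "Uploaded config snippet:\n api_token = \"AbCdEf0123456789GhIjKlMnOpQrStUvWxYz0123\"\n see attached",
    "CASE-0003": "Thanks, the DNS record now resolves correctly. Closing the ticket.",
    "CASE-0004": "Error in log: 2025-08-12T10:01:03Z auth failed for user ops@example.test password=Summer2025!",
}

# Patterns for explicit secret disclosures. These are assumptions about how
# secrets commonly appear in pasted text, not any vendor-specific token format.
EXPLICIT_PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9_\-]{20,})"),
    "assigned_token": re.compile(
        r"(?:api[_-]?(?:token|key)|secret)\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{20,})", re.I),
    "password": re.compile(r"password\s*[=:]\s*[\"']?(\S{8,})", re.I),
}
# Fallback: any standalone run of token-like characters long enough to be a credential.
CANDIDATE = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")
ENTROPY_THRESHOLD = 3.5  # bits per character; loosely tuned, an assumption


@dataclass
class Finding:
    case_id: str
    kind: str
    preview: str  # redacted; the report must never carry the full secret


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; random tokens score high, words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the case, not to reuse it."""
    return secret[:4] + "…" + secret[-2:] if len(secret) > 8 else "********"


def scan_case_text(case_id: str, text: str) -> list:
    """Return redacted findings for one case's free-text field."""
    findings = []
    seen = set()
    # Explicit disclosures first: they carry the strongest signal.
    for kind, pat in EXPLICIT_PATTERNS.items():
        for m in pat.finditer(text):
            secret = m.group(1)
            if secret not in seen:
                seen.add(secret)
                findings.append(Finding(case_id, kind, redact(secret)))
    # Then generic high-entropy strings not already reported.
    for m in CANDIDATE.finditer(text):
        secret = m.group(0)
        if secret not in seen and shannon_entropy(secret) >= ENTROPY_THRESHOLD:
            seen.add(secret)
            findings.append(Finding(case_id, "high_entropy_string", redact(secret)))
    return findings


def triage_cases(cases: dict) -> dict:
    """Map case id -> findings, omitting cases with nothing to rotate."""
    report = {}
    for cid, text in cases.items():
        found = scan_case_text(cid, text)
        if found:
            report[cid] = found
    return report


if __name__ == "__main__":
    for cid, found in triage_cases(SAMPLE_CASES).items():
        for f in found:
            print(f"{cid}: {f.kind} {f.preview} -> rotate")
```

The output is a rotation worklist, not evidence of compromise: a token that appears in exfiltrated case text should be treated as exposed and rotated whether or not any use of it has been observed, which is the stance Cloudflare's own write-up takes.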

Detailed event timeline (Screenshot via Cloudflare)

A Bigger Campaign

A detailed forensic timeline shared by Cloudflare shows that attackers spent nearly a week inside its Salesforce environment in August 2025, conducting reconnaissance before exfiltrating case data via the Salesforce Bulk API.

The company noted that this was not an isolated incident. Hundreds of organisations worldwide using Salesforce through Salesloft Drift were affected, and Cloudflare warned that attackers may attempt to use the stolen information for follow-up campaigns, such as credential abuse or targeted phishing.

Earlier today, Palo Alto Networks, Zscaler, and PagerDuty confirmed they were affected by Salesforce-linked data breaches. Last week, credit reporting firm TransUnion also disclosed a Salesforce-related incident that exposed the data of 4.4 million customers.

Google has acknowledged being impacted as well. Other companies caught in the same attack wave include Allianz Life, Farmers Insurance, Workday, Pandora, Cisco, Chanel, and Qantas, among others.

Cloudflare’s Response

The company moved quickly after learning of the attack by cutting off the compromised integration, purging all Salesloft software and browser extensions, revoking OAuth tokens, and expanding credential rotations across other third-party services.

Cloudflare also scaled up monitoring, set up new credential rotation policies, and began systematically re-onboarding integrations under stricter controls. Cloudflare admitted responsibility for its choice of tools and apologised to customers, stressing that stronger oversight of third-party connections is needed industry-wide.

“Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting, and their blog not only provides clear technical detail but also openly accepts responsibility for the risks posed by third-party integrations,” said Cory Michal, SaaS security expert and CSO at AppOmni, commenting on Cloudflare’s disclosure.

“By committing to strengthen their SaaS environments and toolchain security going forward, Cloudflare demonstrated both maturity and leadership in incident response, setting a high bar for how organisations should communicate, remediate, and reinforce trust in the aftermath of supply-chain compromises,” added Cory.
