
Cloudflare has confirmed a data breach after a sophisticated threat actor accessed customer data stored in its Salesforce platform.
The breach was part of a wider supply chain attack exploiting a vulnerability in the Salesloft Drift chatbot integration, which affected hundreds of organizations worldwide.
The attacker, tracked by Cloudflare’s intelligence team as GRUB1, gained unauthorized access between August 12 and August 17, 2025.
During this period, data from Salesforce support cases—including customer contact details, subject lines, and message content—was exfiltrated. Attachments, core services, and infrastructure remained unaffected.
Cloudflare warned that any credentials, API keys, logs, or passwords pasted into these support case text fields should be considered compromised. The company uses Salesforce for customer support and internal case management.
Following the breach, Cloudflare identified 104 of its own API tokens within the stolen data and rotated them as a precaution. Affected customers were notified directly by September 2, 2025.
Investigators found the attack began with reconnaissance on August 9. The threat actor leveraged stolen credentials from the compromised Drift integration to infiltrate Cloudflare’s Salesforce tenant and extract data.
Cloudflare has disabled the vulnerable integration, rotated all connected third-party credentials, and launched a full security review.
Other confirmed victims include Palo Alto Networks, Zscaler, and Google, each reporting exposure of customer or business information.
Cloudflare apologized, saying, “We are responsible for the tools we choose to support our business. This breach has let our customers down.”