
Cloudflare has confirmed it was impacted by the recent Salesloft Drift supply chain attack, which enabled a threat actor to exfiltrate customer support case data from its Salesforce instance.
While core infrastructure and services remain unaffected, the breach potentially exposed sensitive customer information, including API tokens and credentials shared during support interactions.
Cloudflare is a major US-based cloud services and cybersecurity firm, known for its global edge network and services including DDoS protection, Zero Trust security tools, CDN acceleration, and DNS resolution (notably via 1.1.1.1). It supports a wide range of customers from small startups to Fortune 500 enterprises. The company leverages Salesforce as a central system for handling customer support requests, sales communications, and internal collaboration around client issues.
The breach stems from a larger campaign we previously reported, in which a threat actor, tracked by Cloudflare as GRUB1 and by Google as UNC6395, abused OAuth tokens obtained from compromised Drift integrations. Drift, a conversational marketing chatbot platform owned by Salesloft, was connected to many corporate Salesforce environments, including Cloudflare’s. Through this vector, attackers infiltrated Salesforce tenants belonging to hundreds of companies globally between August 8–18, 2025, and systematically extracted support-related data using Salesforce's Bulk API.
Cloudflare disclosed via a detailed write-up that it was notified of the breach on August 23 by Salesforce and Salesloft. Upon receiving the alert, Cloudflare initiated a company-wide security incident response, disabling the compromised integration, rotating credentials, conducting forensics, and notifying affected customers. According to its investigation, the actor accessed Salesforce support "case" objects: structured records that track each customer issue together with internal commentary.
The attacker gained access using OAuth credentials tied to the Drift-Salesforce integration. After a brief reconnaissance phase beginning August 9, they exfiltrated support ticket data, including subject lines, case body text, and customer contact information, between August 12–17. The attack was staged over several days: the actor first mapped the Salesforce API with custom Python scripts and the Salesforce CLI, and the tooling observed included Trufflehog, an open-source secret scanner, which points to a deliberate hunt for credentials inside the stolen text rather than opportunistic data theft. The final exfiltration ran through Salesforce Bulk API 2.0; the actor then deleted the bulk job to remove evidence, but residual logs allowed Cloudflare to reconstruct the incident.
While Cloudflare has stated that only freeform text within the Salesforce cases was exposed, not file attachments or infrastructure systems, the nature of that text raises concern. Support cases often contain sensitive customer-submitted material such as API tokens, configuration logs, and even passwords. Cloudflare's own scan of the exposed case text found 104 active Cloudflare API tokens, which it promptly rotated. No misuse of those tokens has been detected so far.
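The scan Cloudflare describes, searching exported case text for credential-shaped strings, is worth having on hand for any organization with a similar exposure. The following Python script is an added example written for this article; it is not Cloudflare's tooling, the detection patterns are illustrative rather than an exhaustive ruleset, and the case bodies and every credential-looking value in them are constructed (the AWS key is the public documentation example). It reports each finding with a redacted value, and gates the generic 40-character rule on Shannon entropy so that git commit SHA-1s, which are also 40 characters, are not reported as API tokens.

```python
import math
import re

# Illustrative patterns (an assumption, not an exhaustive secret-scanning ruleset).
# Cloudflare API tokens are 40 characters from [A-Za-z0-9_-]; AWS access key IDs
# start with AKIA; PEM private keys carry a fixed header line.
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")),
    ("bearer_token", re.compile(r"Bearer\s+([A-Za-z0-9._~+/=-]{20,})")),
    ("cloudflare_api_token", re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])")),
]
# A hex string has at most 4.0 bits of entropy per character, so requiring 4.5
# keeps 40-char commit hashes out of the generic token rule.
ENTROPY_GATED = {"cloudflare_api_token"}
MIN_ENTROPY = 4.5


def shannon_entropy(s):
    """Bits per character of s, using the empirical character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Keep just enough of the value to locate it in the case, never the whole thing."""
    return (secret[:4] + "..." + secret[-2:]) if len(secret) > 8 else "***"


def scan_case(case_id, text):
    """Return findings for one support case body; overlapping matches are reported once."""
    findings, used = [], []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            start, end = m.span(1) if m.re.groups else m.span()
            if any(start < e and s < end for s, e in used):
                continue  # already reported by an earlier, more specific pattern
            value = text[start:end]
            if kind in ENTROPY_GATED and shannon_entropy(value) < MIN_ENTROPY:
                continue  # low entropy: looks like a hash or an identifier, not a token
            used.append((start, end))
            findings.append({"case_id": case_id, "kind": kind,
                             "redacted": redact(value), "offset": start})
    return findings


def scan_cases(cases):
    """Map case id -> findings for a {case_id: body_text} dict."""
    return {cid: scan_case(cid, body) for cid, body in cases.items()}


# Constructed sample case bodies; every credential-looking value is made up
# (AKIAIOSFODNN7EXAMPLE is the AWS documentation example key).
SAMPLE_CASES = {
    "00001234": "WAF rule not applying. I ran the API with token Ab3dE6gH9jK2mN5pQ8sT1vW4xY7zB0cF_G-RkLnP "
                "(scoped to Zone:Edit) and got a 403.",
    "00001235": "Terraform plan fails; provider block uses access_key AKIAIOSFODNN7EXAMPLE for the S3 origin.",
    "00001236": "Origin cert upload keeps failing, pasting the key:\n-----BEGIN PRIVATE KEY-----\n"
                "MIIEvQIBADANBgkqhkiG9w0B\n-----END PRIVATE KEY-----",
    "00001237": "Cache purge did not pick up commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 on the origin.",
    "00001238": "Reproduce with: curl -H 'Authorization: Bearer sk_live_constructed_0123456789abcdefXYZ' "
                "https://api.example.com/v1/zones",
}

if __name__ == "__main__":
    for cid, found in scan_cases(SAMPLE_CASES).items():
        for f in found:
            print(f"case {cid}: {f['kind']} at offset {f['offset']} -> {f['redacted']}")
```

Run against a real export, feed it the Case body and comment fields, not just the subject line; the hits are the customers whose credentials need rotating first, and the redacted output is what goes into the ticket rather than the secret itself.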
Cloudflare confirmed that all affected customers were directly notified via email and dashboard banners on September 2.
This campaign follows previous coverage of UNC6395's Drift OAuth abuse against high-profile Salesforce users, which Google itself confirmed affected a small number of Google Workspace accounts. It also lands in a wider run of Salesforce data theft incidents in 2025 that named victims such as Chanel, Cisco, and Allianz, although several of those earlier breaches were attributed to voice-phishing (vishing) of employees rather than to stolen Drift OAuth tokens.
Organizations using Salesforce, particularly those that connected Drift or similar chat tools, should take immediate steps to limit their exposure:
- Disconnect the Salesloft and Drift integrations from Salesforce and revoke their OAuth tokens, rather than merely disabling the app.
- Rotate any credentials that were ever pasted into support cases, along with other third-party secrets tied to the integration.
- Review support ticket content for sensitive data and assess what may have been exposed.
- Tighten OAuth and connected app policies: restrict which apps may hold grants, enforce IP allowlists, and issue least-privilege scopes.
- Monitor for unusual API behaviour, in particular Bulk API query jobs against Case, Contact, or Account objects and jobs that are deleted soon after they complete.
- Run a forensic review against the indicators of compromise (IOCs) Cloudflare published at the end of its report.
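The exfiltration pattern described above (scripted reconnaissance, a Bulk API 2.0 query job, then deletion of the job) is detectable from Salesforce's own logs, which is how Cloudflare reconstructed the incident. The Python below is an added example for this article, not Cloudflare's detection or an official Salesforce query: the log is a constructed, simplified CSV whose column names are an assumption loosely modelled on EventLogFile rows and Bulk API job events (map your real export onto them), and the users, IPs, job IDs, user agents and the allowlist of sanctioned export accounts are all made up. It flags a completed bulk query on a sensitive object when the user is not a sanctioned exporter and at least two of four indicators hold: large record count, generic HTTP-library user agent, job deleted within minutes of completing, and earlier REST queries against the same object by the same user.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, simplified activity log. Column names are an assumption, not the
# exact Salesforce EventLogFile schema; every value below is made up.
SAMPLE_LOG = """timestamp,user,client_ip,user_agent,event,operation,object,job_id,records
2025-08-09T14:02:11Z,drift-integration@example.com,203.0.113.10,python-requests/2.32.4,REST_QUERY,query,Case,,1
2025-08-09T14:02:40Z,drift-integration@example.com,203.0.113.10,python-requests/2.32.4,REST_QUERY,query,Account,,1
2025-08-12T09:15:03Z,drift-integration@example.com,203.0.113.10,python-requests/2.32.4,REST_QUERY,query,Case,,1
2025-08-17T03:40:00Z,drift-integration@example.com,203.0.113.10,python-requests/2.32.4,BULK_JOB_CREATE,query,Case,750000000000001AAA,0
2025-08-17T03:43:10Z,drift-integration@example.com,203.0.113.10,python-requests/2.32.4,BULK_JOB_COMPLETE,query,Case,750000000000001AAA,38721
2025-08-17T03:44:02Z,drift-integration@example.com,203.0.113.10,python-requests/2.32.4,BULK_JOB_DELETE,query,Case,750000000000001AAA,0
2025-08-17T10:00:00Z,support-analyst@example.com,198.51.100.7,Mozilla/5.0,REST_QUERY,query,Case,,1
2025-08-17T10:05:00Z,support-analyst@example.com,198.51.100.7,Mozilla/5.0,BULK_JOB_CREATE,query,Case,750000000000003GHI,0
2025-08-17T10:06:00Z,support-analyst@example.com,198.51.100.7,Mozilla/5.0,BULK_JOB_COMPLETE,query,Case,750000000000003GHI,200
2025-08-18T08:00:00Z,reporting@example.com,198.51.100.9,Salesforce-Reports/1.0,BULK_JOB_CREATE,query,Opportunity,750000000000002DEF,0
2025-08-18T08:20:00Z,reporting@example.com,198.51.100.9,Salesforce-Reports/1.0,BULK_JOB_COMPLETE,query,Opportunity,750000000000002DEF,50000
"""

KNOWN_BULK_EXPORTERS = {"reporting@example.com"}           # assumed allowlist of sanctioned export users
SENSITIVE_OBJECTS = {"Case", "Contact", "Account", "User"}  # objects whose bulk export warrants review
SCRIPTED_UA_HINTS = ("python-requests", "aiohttp")          # generic HTTP-library user agents
RECORD_THRESHOLD = 1000
DELETE_WINDOW = timedelta(minutes=10)
RECON_WINDOW = timedelta(days=14)


def parse_log(text):
    """Parse the CSV log into dicts with a UTC datetime and an integer record count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["records"] = int(r["records"] or 0)
        rows.append(r)
    return rows


def find_suspicious_bulk_jobs(rows):
    """One finding per completed Bulk API query job that looks like a mass export."""
    jobs = defaultdict(dict)          # job_id -> {event_name: row}
    rest_queries = defaultdict(list)  # (user, object) -> timestamps of REST queries
    for r in rows:
        if r["job_id"]:
            jobs[r["job_id"]][r["event"]] = r
        elif r["event"] == "REST_QUERY":
            rest_queries[(r["user"], r["object"])].append(r["ts"])

    findings = []
    for job_id, events in jobs.items():
        done = events.get("BULK_JOB_COMPLETE")
        if done is None or done["operation"] != "query":
            continue
        user, obj = done["user"], done["object"]
        if user in KNOWN_BULK_EXPORTERS or obj not in SENSITIVE_OBJECTS:
            continue

        reasons = []
        if done["records"] >= RECORD_THRESHOLD:
            reasons.append("large_export")
        if any(hint in done["user_agent"] for hint in SCRIPTED_UA_HINTS):
            reasons.append("scripted_client")
        deleted = events.get("BULK_JOB_DELETE")
        if deleted is not None and deleted["ts"] - done["ts"] <= DELETE_WINDOW:
            reasons.append("job_deleted_quickly")  # anti-forensic cleanup right after completion
        if any(done["ts"] - RECON_WINDOW <= t < done["ts"] for t in rest_queries[(user, obj)]):
            reasons.append("prior_reconnaissance")

        if len(reasons) >= 2:
            findings.append({"job_id": job_id, "user": user, "object": obj,
                             "records": done["records"], "client_ip": done["client_ip"],
                             "completed": done["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bulk_jobs(parse_log(SAMPLE_LOG)):
        print(f"{f['job_id']} {f['user']} {f['object']} records={f['records']} "
              f"reasons={','.join(f['reasons'])}")
```

The two-indicator rule is what keeps the support analyst's small, browser-driven export of 200 cases out of the alert queue even though that user had queried Case minutes earlier; the integration account's job trips all four indicators. Tune the thresholds and the allowlist to your tenant, and keep the deleted-job rule: a job that vanishes within minutes of completing is the one signal a legitimate exporter almost never produces.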