This summary is created by Generative AI and may differ from the actual content.
Overview
Cloudflare's Salesforce instance was accessed by a threat actor, tracked as GRUB1, through a supply chain compromise of the Salesloft Drift chat integration. The actor read customer support case data: contact details and the text of case correspondence, which can include API tokens or other credentials when customers paste them into free-form fields. Reconnaissance began on August 9, 2025, and data was exfiltrated between August 12 and August 17, 2025. Cloudflare was notified on August 23, 2025, and responded by containing the threat, securing third-party integrations, protecting the wider environment, and analyzing customer impact. No Cloudflare services or infrastructure were compromised.
Impact
Customer contact information and basic support case data from Cloudflare's Salesforce instance were exposed. This included the subject line, the body of case correspondence (which can contain API tokens, keys, or logs if a customer supplied them), and customer contact details. Cloudflare identified 104 Cloudflare API tokens within the exfiltrated data; all were rotated as a precaution, although no suspicious activity was observed on any of them. Every customer whose data was exposed was informed directly. No Cloudflare services or infrastructure were affected.
Trigger
The incident was triggered by a supply chain attack, attributed to the threat actor GRUB1, against business-to-business third-party integrations. The actor breached Salesloft's systems and obtained the OAuth credentials that the Salesloft Drift chat agent used for its Salesforce integration. Those stolen credentials were then used to authenticate to Cloudflare's Salesforce instance and exfiltrate data from it.
Detection
Cloudflare became aware of the incident on August 23, 2025, when Salesforce and Salesloft notified it of unusual Drift-related activity and reported that the Drift integration had been abused across multiple organizations, Cloudflare among them. Salesloft had already revoked Drift-to-Salesforce connections across its customer base on August 20, 2025, but at that time Cloudflare had no indication that the revocation related to its own environment.
Resolution
Cloudflare activated a company-wide Security Incident Response. Key steps were: immediately disabling the compromised Drift integration, revoking its client ID and secrets, and purging all Salesloft software and browser extensions; disconnecting every third-party integration from Salesforce, issuing new secrets, and moving to weekly rotation; extending credential rotation to all third-party Internet services and accounts as a precaution; scanning Salesforce case data with custom tooling to identify credentials and other sensitive content that may have been exposed; and rotating the 104 Cloudflare API tokens found in the exfiltrated data. All impacted customers were formally notified on September 2, 2025.
Root Cause
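The case-data scan described above, as an added example (not Cloudflare's tooling, which the page does not describe): it walks exported Salesforce Case records, looks for credentials pasted into Subject, Description and comment fields, and produces a rotation worklist keyed by a hash of each secret so the secrets themselves never reach a log. The field names, the token shapes in PATTERNS (40-character Cloudflare API token, 37-hex-character Global API key) and the sample records are assumptions constructed for the example.

```python
"""Scan exported Salesforce Case records for credentials in free-text fields.

Added example, not Cloudflare's scanner. Field names, credential shapes and
the sample records below are assumptions constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Detector patterns; the capture group is the secret itself. Keyword context in
# front of the Cloudflare patterns keeps arbitrary 40-character words out of
# the results. All shapes are assumptions, not an authoritative token spec.
PATTERNS = {
    # Assumed shape: 40 chars of [A-Za-z0-9_-], usually pasted after "Bearer".
    "cloudflare_api_token": re.compile(
        r"(?i)(?:bearer|token|api[_\- ]?key)\W{0,5}([A-Za-z0-9_-]{40})\b"),
    # Assumed shape: 37 hex chars sent in the X-Auth-Key header.
    "cloudflare_global_api_key": re.compile(
        r"(?i)x-auth-key\W{0,5}([0-9a-f]{37})\b"),
    # AWS access key ID: AKIA followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # PEM private key header; the header alone is enough to flag the case.
    "private_key_block": re.compile(
        r"(-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----)"),
}


@dataclass(frozen=True)
class Finding:
    case_number: str
    field: str
    kind: str
    masked: str       # safe to show an analyst
    fingerprint: str  # sha256 prefix; safe to log and to track rotation against


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def mask(secret: str) -> str:
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_text(case_number: str, field: str, text: str) -> list[Finding]:
    out = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            secret = m.group(1)
            out.append(Finding(case_number, field, kind,
                               mask(secret), fingerprint(secret)))
    return out


def scan_cases(cases: list[dict]) -> list[Finding]:
    """Scan Subject, Description and each comment of every case record."""
    findings = []
    for case in cases:
        for field in ("Subject", "Description"):
            if case.get(field):
                findings.extend(scan_text(case["CaseNumber"], field, case[field]))
        for i, comment in enumerate(case.get("Comments", [])):
            findings.extend(scan_text(case["CaseNumber"], f"Comments[{i}]", comment))
    return findings


def rotation_worklist(findings: list[Finding]) -> list[tuple[str, str]]:
    """One entry per distinct secret, even if it was pasted into several cases."""
    return sorted({(f.kind, f.fingerprint) for f in findings})


# Constructed sample export. SAMPLE_TOKEN is a made-up 40-character value.
SAMPLE_TOKEN = "Yz8Q4a7Nf3Lk9pRs2Wd6Hj1Tv5Xm0Bc8Gq4Ek7Zr"
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Subject": "403 on PUT /zones/{zone_id}/dns_records",
     "Description": "Request fails with 403. Headers sent: Authorization: Bearer "
                    + SAMPLE_TOKEN},
    {"CaseNumber": "00001002", "Subject": "Cannot log in to dashboard",
     "Description": "MFA prompt never arrives. No API use involved."},
    {"CaseNumber": "00001003", "Subject": "Legacy script broken",
     "Description": "Script uses X-Auth-Email: ops@example.com and "
                    "X-Auth-Key: 0123456789abcdef0123456789abcdef01234",
     "Comments": ["Pasting the same token again in case it helps: token="
                  + SAMPLE_TOKEN]},
    {"CaseNumber": "00001004", "Subject": "Origin cert upload fails",
     "Description": "Log excerpt: aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
                    "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n"},
]

if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for f in results:
        print(f"{f.case_number} {f.field:14} {f.kind:26} {f.masked} fp={f.fingerprint}")
    print("distinct secrets to rotate:", len(rotation_worklist(results)))
```

The worklist is keyed by fingerprint rather than by case so that a token pasted into several tickets is rotated once and each later notification can be tied back to the same hash without re-handling the secret.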
The root cause was a supply chain attack, attributed to the threat actor GRUB1, on the Salesloft Drift chatbot's Salesforce integration. The actor did not exploit a flaw in Salesforce or in Cloudflare's tenant; it obtained the integration's OAuth credentials from Salesloft's breached systems, and because those credentials were valid, they granted the same access to Cloudflare's Salesforce tenant that the Drift integration itself had. That access included the Case objects holding customer support correspondence, so a credential meant for a chat widget became a path to sensitive customer data. The incident highlights the interconnected risk of third-party integrations and the need to scrutinize and narrowly scope the access granted to such tools, since a stolen OAuth grant is only as limited as the scopes and objects it was issued for.