Cloudflare confirms that it has been affected by the Salesloft Drift data breach, which has impacted hundreds of organizations worldwide. The incident allowed an external party to access Cloudflare’s Salesforce environment, which is used for customer support and internal case management.
During the incident, the attackers collected text fields from support cases. In some cases, these contained sensitive information. According to Cloudflare, this mainly concerns customer contact details and basic information about support cases. However, certain communications may contain more data, such as configuration details, access tokens, or other confidential information that customers have shared with the help desk.
Cloudflare emphasizes that all data shared through this channel should be considered compromised. Cloudflare has therefore urged customers to change their login details if they were ever sent via support tickets.
104 API tokens stolen
Cloudflare’s own analysis revealed that 104 customer API tokens had been stolen. Although there is no evidence that these tokens have been misused, they have all been replaced as a precaution. Customers directly affected by this breach have been personally informed. According to the company, Cloudflare’s own services and infrastructure have not been compromised.
The attack was made possible because the attackers gained access to OAuth credentials linked to the integration of the Salesloft Drift chatbot with Salesforce. With these credentials, they were able to exfiltrate data from Salesforce instances of multiple Salesloft customers, including Cloudflare.
Research by Cloudforce One, Cloudflare’s own threat intelligence team, indicates that this was an advanced supply chain attack targeting third-party integrations. The attackers, classified by Cloudflare as GRUB1, are believed to have gained access between August 12 and 17, 2025, following earlier reconnaissance on August 9.
No attachments from support cases were stolen
No attachments from the support cases were stolen. The exfiltrated objects did, however, contain customer information, subject lines, and the content of ticket correspondence. Cloudflare states that it does not ask customers to share passwords or other secrets via support, but in practice customers sometimes paste such data into text fields when resolving issues.
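Added example, not from Cloudflare or the original article: a Python triage pass over exported support-case text that flags which cases contain secret-like strings and therefore need credential rotation. It reports finding types only, so the secrets are not copied into the report. The sample cases, the patterns and the 4.0 bits-per-character entropy threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample case bodies (assumption); none of these are real credentials.
SAMPLE_CASES = {
    "case-001": "Zone returns 522 since Tuesday, origin IP unchanged.",
    "case-002": "API calls fail. My token: q7Rz2LmX9vTb4KdW8sYh3NcJ6pFa1GeU0oHi",
    "case-003": "Deploy key below:\n-----BEGIN RSA PRIVATE KEY-----\n(truncated)",
    "case-004": "Login broken, password = hunter2 and still nothing.",
    "case-005": "See reference 1234567890 for the token rotation request.",
}

# A credential word followed by an explicit separator and a value.
LABELLED = re.compile(
    r"(?i)\b(?:token|api[_ -]?key|secret|password|passwd)\b\s*(?:is\b|[:=])\s*\S+")
PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Long unbroken runs from the alphabet typical of API tokens.
OPAQUE = re.compile(r"[A-Za-z0-9_-]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune on your data


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def findings(text: str) -> list[str]:
    """Return finding types for one case body, never the matched values."""
    hits = set()
    if PEM_KEY.search(text):
        hits.add("private_key_block")
    if LABELLED.search(text):
        hits.add("labelled_secret")
    if any(shannon_entropy(m) >= ENTROPY_THRESHOLD for m in OPAQUE.findall(text)):
        hits.add("high_entropy_string")
    return sorted(hits)


def triage(cases: dict[str, str]) -> dict[str, list[str]]:
    """Map case id -> finding types, keeping only cases that need rotation."""
    report = {cid: findings(body) for cid, body in cases.items()}
    return {cid: hits for cid, hits in report.items() if hits}


if __name__ == "__main__":
    for cid, hits in triage(SAMPLE_CASES).items():
        print(cid, ", ".join(hits))
```

The separator requirement in the labelled pattern is what keeps a sentence such as "the token rotation request" from being flagged, while a pasted "token: value" is.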
Salesforce and Salesloft informed Cloudflare on August 23. Cloudflare then launched a large-scale internal response, with teams from various disciplines working together. The affected integrations were shut down, all secrets were replaced, and additional precautions were taken to secure broader systems and accounts. Cloudflare informed its customers about the incident on September 2, so external communication followed more than a week after the initial report.
Cloudflare states that the incident is part of a broader campaign in which attackers collect customer data to carry out future attacks. The company warns that other organizations affected by this leak should be aware of targeted attacks on their customer base.