Excerpt from Cybersecurity News Article, Published on September 2, 2025
Cloudflare has come forward to confirm a serious data breach that affected sensitive customer support data through its Salesforce integration. The incident was part of a broader supply chain attack, impacting hundreds of organizations after attackers exploited a vulnerability tied to the Salesloft Drift chatbot integration. The threat actor, identified as GRUB1, gained unauthorized access to Cloudflare’s Salesforce environment between August 12 and August 17, 2025.
Cloudflare uses Salesforce as its core platform for handling customer support, managing communications, and organizing internal ticketing. During the breach, the attacker accessed Salesforce “case” objects—records containing support ticket data—which included customer contact details, the subject line of each case, and the body of customer correspondence. Although file attachments and Cloudflare’s core infrastructure were not compromised, the breach highlights ongoing risks associated with cloud and third-party SaaS integrations.
In some cases, customers had shared sensitive information such as API tokens, logs, configuration details, and even passwords via support tickets. Cloudflare responded swiftly, rotating all compromised credentials, specifically the 104 stolen API tokens, and notified impacted customers directly through email and dashboard alerts. The investigation states there has been no evidence of malicious use so far, but Cloudflare warned customers to treat anything submitted via their support channel as compromised and advised rotating credentials immediately.
This supply chain attack demonstrates the complex risks posed by interconnected SaaS platforms. Even proactive security leaders like Cloudflare must respond rapidly to risks presented by third-party integrations. Cloudflare has detailed protective measures and shared actionable guidance for organizations using Salesforce and related integrations to help prevent future incidents.
To delve deeper into this topic, read the Cybersecurity News article.
