On September 2, 2025, Cloudflare confirmed that it was an incidental victim of a sophisticated attack against Salesloft Drift, a chat platform used by dozens of major companies and directly linked with Salesforce. The breach allowed an actor, identified as GRUB1, to access sensitive information stored in Cloudflare’s customer support cases between August 12 and 17.
Although the company states that its core infrastructure and services were not compromised, the incident exposed data included in support tickets: contact information, descriptions of technical issues, and even possible tokens or credentials shared by clients.
A supply chain attack affecting hundreds of companies
The attack was not exclusive to Cloudflare. As acknowledged by Salesloft itself, the attacker exploited OAuth credentials of the Drift chatbot to infiltrate multiple Salesforce instances. There, they conducted a meticulous reconnaissance of data objects and ultimately launched a massive exfiltration using the Salesforce Bulk API 2.0.
The modus operandi resembles recent campaigns of SaaS supply chain attacks, where a single integration point serves as a springboard to access data across dozens or hundreds of organizations.
What data was compromised
Cloudflare detailed that the attacker only accessed Salesforce “Case” objects, which include:
- Name and contact details of the customer who opened the case.
- Subject line and ticket body (free text).
- Internal and external communications related to the incident.
Unaffected were:
- Attachments.
- Cloudflare’s infrastructure or services.
However, the risk lies in the possibility that clients may have included tokens, passwords, or sensitive logs in the ticket text. In fact, Cloudflare proactively detected and rotated 104 API tokens found in the exfiltrated data.
Cloudflare’s response plan
The company responded with a cross-functional incident response team that included security, legal, product, and communications. The measures implemented were:
- Immediate containment
  - Full disconnection of Drift/Salesloft.
  - Revocation of compromised credentials.
  - Purge of suspicious integrations.
- Forensic investigation
  - Analysis of Salesforce logs.
  - Reconstruction of queries executed by GRUB1.
  - Sweeping cases for exposed secrets.
- Preventive measures
  - Weekly rotation of third-party credentials.
  - New security controls in integrations.
  - Alerts for mass API downloads.
- Communication and transparency
  - Notification to all affected customers.
  - Clear mitigation recommendations.
  - Publishing a technical blog with IOAs.
📌 Salesforce–Drift Incident Response Plan
For organizations using Salesforce or other SaaS platforms, experts recommend a structured plan in phases:
⏱ 0–24 hours: Immediate containment
- Disconnect affected integrations (Salesloft/Drift).
- Rotate critical credentials (tokens, API keys, OAuth).
- Block inherited users associated with integrations.
- Capture Salesforce logs (LoginHistory, API Usage).
⏱ 24–72 hours: Investigation and mitigation
- Review Bulk API Jobs executed during the affected dates.
- Scan cases with regex for possible exposed secrets.
- Correlate suspicious accesses in SIEM and WAF.
- Classify exposure and prioritize rotation of sensitive credentials.
⏱ 7 days: Strengthening
- Implement periodic secret rotation.
- Deploy DLP policies in Salesforce to prevent sharing secrets in text.
- Audit OAuth apps with a least privilege approach.
- Continuously monitor for anomalies (mass exports, unusual logins).
- Conduct SaaS breach simulation exercises.
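The "scan cases with regex for possible exposed secrets" step above (and the equivalent "sweeping cases for exposed secrets" in Cloudflare's own response) is the kind of sweep that decides which credentials go into the rotation queue. The following is an added example, not code from Cloudflare, Salesloft or Salesforce: a small Python scanner that walks Case bodies line by line, matches a handful of secret patterns, masks every hit so the report itself does not re-leak the value, and groups the results per case for rotation. The Case records and their contents are constructed for this example; the AWS access-key prefix, the PEM private-key header and the `Bearer` scheme are well-known formats, while the keyword-based `keyed_secret` pattern is a deliberately broad assumption that will need tuning against real ticket text.

```python
"""Regex sweep of support-case text for exposed secrets (added example).

Not Cloudflare's or Salesforce's code. Case records below are constructed;
in practice they would come from an export of the Salesforce Case object.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Pattern name -> compiled regex. Where a pattern has a capture group, the
# group is the secret; otherwise the whole match is.
SECRET_PATTERNS = {
    # AWS access key IDs always start with AKIA followed by 16 uppercase chars.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of a private key pasted into a ticket.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # HTTP Authorization bearer tokens copied from curl commands or logs.
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    # Assumption: "token=", "api key:", "password:" style assignments.
    "keyed_secret": re.compile(
        r"(?i)\b(?:api[_ -]?(?:token|key)|token|secret|password|passwd)\b"
        r"\s*[:=]\s*[\"']?([A-Za-z0-9_./+=-]{8,})"),
}


@dataclass(frozen=True)
class Finding:
    case_id: str
    pattern: str
    masked: str   # never the raw secret
    line_no: int


def mask(value: str) -> str:
    """Keep just enough of the value to identify which token to rotate."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def sweep_case(case_id: str, body: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for name, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(case_id, name, mask(value), line_no))
    return findings


def sweep_cases(cases: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for case_id, body in cases.items():
        out.extend(sweep_case(case_id, body))
    return out


def rotation_queue(findings: list[Finding]) -> dict[str, set[str]]:
    """Case id -> set of secret types found, i.e. what the customer must rotate."""
    queue: dict[str, set[str]] = {}
    for f in findings:
        queue.setdefault(f.case_id, set()).add(f.pattern)
    return queue


# Constructed sample cases (ids, text and secrets are all invented).
SAMPLE_CASES = {
    "00001001": (
        "Subject: WAF rule not firing\n"
        "Our deploy script runs curl -H 'Authorization: Bearer "
        "cfXt9Qv2Lm8pRz4Kd7Ab3NwYe6Hs1Tu0Gi5Jo2Qp' against the API\n"
        "Also our api_token=abcdEFGHijkl1234MNOPqrst5678UVWXyz90 stopped working."
    ),
    "00001002": (
        "Subject: Tunnel disconnects\n"
        "Log excerpt: aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEow(constructed, truncated)\n"
        "-----END RSA PRIVATE KEY-----"
    ),
    "00001003": "Subject: Billing question\nWe were charged twice this month.",
}


if __name__ == "__main__":
    for f in sweep_cases(SAMPLE_CASES):
        print(f"case {f.case_id} line {f.line_no}: {f.pattern} -> {f.masked}")
    print(rotation_queue(sweep_cases(SAMPLE_CASES)))
```

The masked value is what goes into the customer notification; the raw match should never leave the sweep. Expect false positives from the `keyed_secret` pattern on things like product keys or ticket identifiers, so treat its hits as triage input rather than automatic rotation.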
A lesson on SaaS ecosystem risks
The incident highlights how third-party integrations have become one of the most vulnerable links in corporate security. Every chatbot, plugin, or extension connected to a critical platform like Salesforce can open the door to advanced attackers.
For Cloudflare, the impact was limited to support cases, but the global scale of the attack suggests that GRUB1 seeks reusable credentials to prepare future strikes against clients across multiple sectors.
Frequently Asked Questions (FAQ)
What should I do if I am a Cloudflare customer?
Visit the support portal and review what data you shared in your cases. Immediately rotate any tokens, API keys, or credentials you included in those tickets.
What kind of information was leaked?
Primarily contact data and support ticket content (free text). Attachments were not compromised.
Were Cloudflare’s services compromised?
No. Cloudflare’s core infrastructure and services were unaffected. The attack was limited to the “Case” objects within Salesforce.
What security measures should my company implement?
- Review SaaS integrations and apply the principle of least privilege.
- Implement automatic credential rotation.
- Monitor mass data downloads on critical platforms.
- Prohibit including secrets in support tickets.
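The recommendation to "monitor mass data downloads on critical platforms", together with the "review Bulk API Jobs executed during the affected dates" step of the response plan and Cloudflare's own "alerts for mass API downloads", amounts to a review of bulk query jobs per integration user. The following is an added example, not Cloudflare's, Salesloft's or Salesforce's code: it takes a list of Bulk API 2.0 query job records and flags a job when the integration user reads an object outside the set it is expected to need, when a single job processes more records than a threshold, or when the user's rolling 24-hour volume exceeds a second threshold. The job records, user ids, thresholds and the per-user object allowlist are constructed assumptions; the field names mirror the shape of a Salesforce jobs listing but the values are invented. The August 12 to 17 window is the one stated in the article and is attached to each alert as context rather than being a trigger on its own.

```python
"""Review of Bulk API 2.0 query jobs for mass-export activity (added example).

Not Cloudflare's or Salesforce's code. Job records are constructed; a real
review would load them from the Salesforce jobs/query listing or event logs.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions; tune them to each integration's normal volume.
MAX_RECORDS_PER_JOB = 50_000
MAX_RECORDS_PER_USER_24H = 200_000

# Dates the article gives for the unauthorized access (end is exclusive).
INCIDENT_WINDOW = (
    datetime(2025, 8, 12, tzinfo=timezone.utc),
    datetime(2025, 8, 18, tzinfo=timezone.utc),
)

# Assumption: which objects each integration user legitimately reads.
# A chat widget integration has no business reading Case.
EXPECTED_OBJECTS = {
    "005CONSTRUCTEDCHAT": {"Lead", "Contact"},
    "005CONSTRUCTEDANLT": {"Opportunity", "Account"},
}

# Constructed sample jobs; field names follow the jobs/query listing shape.
SAMPLE_JOBS = [
    {"id": "750CONSTRUCTED001", "object": "Lead", "operation": "query",
     "createdById": "005CONSTRUCTEDCHAT", "createdDate": "2025-08-10T09:00:00+00:00",
     "state": "JobComplete", "numberRecordsProcessed": 1_200},
    {"id": "750CONSTRUCTED002", "object": "Case", "operation": "query",
     "createdById": "005CONSTRUCTEDCHAT", "createdDate": "2025-08-13T02:10:00+00:00",
     "state": "JobComplete", "numberRecordsProcessed": 350_000},
    {"id": "750CONSTRUCTED003", "object": "Account", "operation": "query",
     "createdById": "005CONSTRUCTEDCHAT", "createdDate": "2025-08-13T03:40:00+00:00",
     "state": "JobComplete", "numberRecordsProcessed": 120_000},
    {"id": "750CONSTRUCTED004", "object": "Contact", "operation": "query",
     "createdById": "005CONSTRUCTEDCHAT", "createdDate": "2025-08-13T04:05:00+00:00",
     "state": "JobComplete", "numberRecordsProcessed": 40_000},
    {"id": "750CONSTRUCTED005", "object": "Opportunity", "operation": "query",
     "createdById": "005CONSTRUCTEDANLT", "createdDate": "2025-08-14T10:00:00+00:00",
     "state": "JobComplete", "numberRecordsProcessed": 30_000},
    {"id": "750CONSTRUCTED006", "object": "Case", "operation": "query",
     "createdById": "005CONSTRUCTEDUNKN", "createdDate": "2025-08-16T22:30:00+00:00",
     "state": "JobComplete", "numberRecordsProcessed": 500},
]


@dataclass(frozen=True)
class Alert:
    job_id: str
    user_id: str
    sobject: str
    reasons: tuple[str, ...]
    in_incident_window: bool


def review_bulk_jobs(jobs, expected_objects,
                     max_per_job: int = MAX_RECORDS_PER_JOB,
                     max_per_user_24h: int = MAX_RECORDS_PER_USER_24H,
                     window=INCIDENT_WINDOW) -> list[Alert]:
    """Return one Alert per suspicious job, in chronological order."""
    ordered = sorted(jobs, key=lambda j: datetime.fromisoformat(j["createdDate"]))
    history: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    alerts: list[Alert] = []
    for job in ordered:
        when = datetime.fromisoformat(job["createdDate"])
        user = job["createdById"]
        count = job["numberRecordsProcessed"]
        reasons: list[str] = []
        allowed = expected_objects.get(user)
        if allowed is None:
            reasons.append("unknown_integration_user")
        elif job["object"] not in allowed:
            reasons.append("object_outside_expected_set")
        if count > max_per_job:
            reasons.append("records_over_job_limit")
        # Rolling 24h volume for this user, including the current job.
        history[user].append((when, count))
        recent = sum(c for t, c in history[user] if when - t <= timedelta(hours=24))
        if recent > max_per_user_24h:
            reasons.append("user_volume_24h_exceeded")
        if reasons:
            alerts.append(Alert(job["id"], user, job["object"], tuple(reasons),
                                window[0] <= when < window[1]))
    return alerts


if __name__ == "__main__":
    for a in review_bulk_jobs(SAMPLE_JOBS, EXPECTED_OBJECTS):
        print(a)
```

The per-user object allowlist is the least-privilege check from the FAQ turned into a detection: if the connected app's OAuth scopes were wider than the objects it actually needs, this is where that gap shows up. The rolling-volume rule catches the case where an actor stays under the per-job threshold but drains the org across several jobs, which is why job 004 above is flagged on volume alone.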