Salesforce Side Door: Hackers hit Cloudflare via Drift–Salesloft link, customer data exposed

Cloudflare has confirmed that hackers managed to break into its Salesforce system and steal customer data. The company explained that this attack was part of a much larger supply chain hack that targeted hundreds of organizations worldwide.

How the Hackers Got In

The attack began when criminals found a weakness in a chatbot tool called Drift, which connects with Salesforce through another platform called Salesloft. This gave the hackers a way into Cloudflare’s Salesforce system.

Investigators found that the group behind the attack, which Cloudflare’s team named GRUB1, carried out reconnaissance starting on August 9, 2025. By August 12, they had broken into the system. Between August 12 and August 17, they explored Cloudflare’s Salesforce environment and copied data stored in support cases.

Cloudflare was officially warned about the vulnerability on August 23 by Salesforce and Salesloft. At that point, the company launched a full-scale investigation and response effort.

What Data Was Stolen

The hackers were able to reach customer support “cases” inside Salesforce. These cases usually contain customer contact details, subject lines, and the text of emails or conversations with support teams.

While Cloudflare does not normally ask customers to share private information in these tickets, the company admitted that some users may have copied sensitive data, such as passwords, API keys, or logs, into the text fields. Cloudflare warned that any such information should now be treated as compromised.

How Cyber Attacks on Industrial Control Systems Can Endanger Lives ?

Importantly, the hackers did not get access to attachments within the support cases. They also did not breach any of Cloudflare’s core systems or infrastructure. This means the company’s main services continued to run safely.

Cloudflare reviewed the stolen data and discovered that hackers had exposed 104 of its own API tokens. Although investigators found no sign of misuse, the company immediately rotated all tokens as a safety step. The company confirmed that every affected customer was directly notified on September 2, 2025.

Cloudflare and Other Victims Respond

As soon as Cloudflare discovered the breach, it took several emergency steps. The company shut down the compromised Drift integration, reset all credentials linked to third-party services, and carefully checked the stolen data to assess customer impact.

Cloudflare accepted responsibility for the incident, saying that it had failed customers by not securing its support system strongly enough. The company offered an apology and urged anyone who had ever shared credentials in support cases to change them immediately.

Jaguar Land Rover confirms cyber incident disrupted production and sales while systems restored

Other large companies also faced impact from the same supply chain attack, not just Cloudflare. A major cybersecurity provider confirmed hackers stole internal sales data and contact details from its CRM system.

Another cloud security company said hackers accessed customer names, contact information, and some support case details. A global tech giant also reported hackers accessed a small number of its Workspace accounts using stolen tokens.

The attack highlights how a single weak point in a third-party tool can impact many global companies at once. Cloudflare’s disclosure shows just how far the hackers managed to reach by exploiting one integration in the SaaS ecosystem.

Renuka Bangale
Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.

TOP 10 TRENDING ON NEWSINTERPRETATION

Jenna Ortega’s “Wednesday” returns—Part 2 delivers darker Nevermore drama

The world of “Wednesday” is back in the spotlight....

Newsom vs. Fox: Governor says Fox used ‘deceptive edit’; $787M suit cited in viral X post

California Governor Gavin Newsom has sparked a heated debate...

Disney pays $10M, adds “made-for-kids” labels on YouTube to safeguard children’s data

Disney has agreed to pay 10 million dollars after...

New Slice, Old Story: Committee says ~97% of 33k Epstein pages were already on record

A government committee confirmed the release of tens of...

Jaguar Land Rover confirms cyber incident disrupted production and sales while systems restored

Jaguar Land Rover (JLR) said a cyber incident has...

Gavin Newsom leads Democrats in 2028 nomination poll as Harris support declines

A new Gallup poll has revealed a major shift...

Hacker group demands Google terminate two staff members to prevent records release

Google is facing a rare and alarming ultimatum from...

Salesforce issues forensic guide to improve log analysis and real-time monitoring

Salesforce has released a new forensic investigation guide designed...

Spanish police arrest suspect accused of hacking exam system to change grades

Spanish police have arrested a 21-year-old man suspected of...

Related Articles

Popular Categories

error: Content is protected !!