Salesforce Side Door: Hackers hit Cloudflare via Drift–Salesloft link, customer data exposed

Cloudflare has confirmed that hackers managed to break into its Salesforce system and steal customer data. The company explained that this attack was part of a much larger supply chain hack that targeted hundreds of organizations worldwide.

How the Hackers Got In

The attack began when criminals found a weakness in a chatbot tool called Drift, which connects with Salesforce through another platform called Salesloft. This gave the hackers a way into Cloudflare’s Salesforce system.

Investigators found that the group behind the attack, which Cloudflare’s team named GRUB1, carried out reconnaissance starting on August 9, 2025. By August 12, they had broken into the system. Between August 12 and August 17, they explored Cloudflare’s Salesforce environment and copied data stored in support cases.

Cloudflare was officially warned about the vulnerability on August 23 by Salesforce and Salesloft. At that point, the company launched a full-scale investigation and response effort.

What Data Was Stolen

The hackers were able to reach customer support “cases” inside Salesforce. These cases usually contain customer contact details, subject lines, and the text of emails or conversations with support teams.

While Cloudflare does not normally ask customers to share private information in these tickets, the company admitted that some users may have copied sensitive data, such as passwords, API keys, or logs, into the text fields. Cloudflare warned that any such information should now be treated as compromised.

Importantly, the hackers did not get access to attachments within the support cases. They also did not breach any of Cloudflare’s core systems or infrastructure. This means the company’s main services continued to run safely.

Cloudflare reviewed the stolen data and found that 104 of its own API tokens had been exposed. Although investigators found no sign of misuse, the company immediately rotated all tokens as a precaution. The company confirmed that every affected customer was directly notified on September 2, 2025.

Cloudflare and Other Victims Respond

As soon as Cloudflare discovered the breach, it took several emergency steps. The company shut down the compromised Drift integration, reset all credentials linked to third-party services, and carefully checked the stolen data to assess customer impact.

Cloudflare accepted responsibility for the incident, saying that it had failed customers by not securing its support system strongly enough. The company offered an apology and urged anyone who had ever shared credentials in support cases to change them immediately.

Cloudflare was not the only victim: other large companies were also affected by the same supply chain attack. A major cybersecurity provider confirmed hackers stole internal sales data and contact details from its CRM system.

Another cloud security company said hackers accessed customer names, contact information, and some support case details. A global tech giant also reported hackers accessed a small number of its Workspace accounts using stolen tokens.

The attack highlights how a single weak point in a third-party tool can impact many global companies at once. Cloudflare’s disclosure shows just how far the hackers managed to reach by exploiting one integration in the SaaS ecosystem.

Renuka Bangale