The recent Cloudflare data breach highlights the growing risks of supply-chain attacks targeting SaaS integrations. Hackers exploited Salesloft’s Drift connection with Salesforce, giving them unauthorized access to Cloudflare’s internal support system. While the company confirmed no core infrastructure was compromised, attackers exfiltrated sensitive support case data and API tokens.
How the Breach Unfolded
Attackers began reconnaissance on August 9, 2025, before launching full exfiltration between August 12 and 17.
The breach originated from the compromise of Salesloft Drift OAuth tokens, which granted unauthorized access to Cloudflare’s Salesforce instance.
Key Exposures
- Support case data: Included customer contact details, logs, and configuration information.
- API tokens: 104 tokens were identified and rotated immediately.
- Embedded credentials: Some support cases contained access details that could be abused.
Cloudflare’s investigation revealed no malicious use of the stolen tokens after rotation, but the potential exposure raised concerns.
Attribution and Broader Impact
Cloudflare attributed the breach to the threat actor group GRUB1, aligning with Google’s analysis of the broader campaign. This attack was part of a wider supply-chain incident targeting organizations using Salesloft Drift with Salesforce and Google Workspace.
Other Affected Organizations
- Zscaler – customer case data exposed
- Palo Alto Networks – Salesforce support systems affected
- Google Workspace accounts – limited exposure via Drift email integration
These incidents reveal how one compromised integration can cascade across multiple enterprises.
Cloudflare’s Response
Cloudflare acted quickly to contain the incident:
- Rotated all stolen tokens.
- Audited support case content for additional credentials.
- Notified impacted customers.
- Enhanced monitoring for suspicious activity.
The company stressed that its production infrastructure, network edge, and core services were not affected.
Lessons from the Breach
The Cloudflare data breach underscores the importance of supply-chain security in modern SaaS environments. Organizations often rely on dozens of third-party integrations, but each connection introduces risk.
Key Takeaways
- Audit all third-party app permissions regularly.
- Limit sensitive data stored in support cases.
- Monitor for abnormal API token activity.
- Enforce strong revocation and rotation practices.
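The credential audit in Cloudflare's response ("Audited support case content for additional credentials") and the takeaway about limiting sensitive data in support cases can be turned into a routine check. The following is an added Python example, not Cloudflare's own tooling: it scans constructed sample support-case bodies for credential-shaped strings and reports redacted findings for rotation; the token patterns (including the assumed 40-character Cloudflare API token shape) and the entropy threshold are assumptions for this example.

```python
import math
import re
from collections import Counter

# Credential shapes that commonly get pasted into support tickets. The Cloudflare
# token shape (40 chars of [A-Za-z0-9_-]) and the 3.0-bit entropy floor are assumptions.
PATTERNS = {
    "cloudflare_api_token": re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])"),
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}
ENTROPY_FLOOR = 3.0  # bits per character; drops plain words and repeated runs

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score higher than prose."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values()) if s else 0.0

def redact(secret: str) -> str:
    # Keep a 4-char prefix so an analyst can match the finding to a token, never the full value.
    return f"{secret[:4]}...({len(secret)} chars)"

def scan_case(body: str) -> list[dict]:
    """Return suspected credentials found in one support case body."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(body):
            secret = m.group(1) if m.groups() else m.group(0)
            # Entropy filter: 40-char words or 'aaaa...' runs are not tokens.
            if kind != "password_assignment" and shannon_entropy(secret) < ENTROPY_FLOOR:
                continue
            findings.append({"kind": kind, "value": redact(secret)})
    return findings

def scan_cases(cases: list[dict]) -> dict[str, list[dict]]:
    """Map case id -> findings for every case that needs a credential rotated."""
    return {c["id"]: f for c in cases if (f := scan_case(c["body"]))}

# Constructed sample tickets; none of these values are real credentials.
SAMPLE_CASES = [
    {"id": "CASE-1001", "body": "Purge fails. Token: kF9xQ2mZ7bT4wN8cR1vL0pH6sD3gJ5yA9uE2iO4q"},
    {"id": "CASE-1002", "body": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ.c2ln' ..."},
    {"id": "CASE-1003", "body": "DNS record not resolving, see attached dig output."},
    {"id": "CASE-1004", "body": "origin creds: password=Hunter2Origin! and key AKIAIOSFODNN7EXAMPLE"},
]

if __name__ == "__main__":
    for case_id, found in scan_cases(SAMPLE_CASES).items():
        print(case_id, found)
```

Cases with no findings are omitted from the result, so the output is directly a rotation worklist; in practice the patterns would be extended to every credential type your support team is likely to receive.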
Final Thoughts
The Cloudflare data breach demonstrates how attackers exploit trusted SaaS integrations to access sensitive enterprise data. Although Cloudflare quickly mitigated the exposure, the incident shows that even leading security providers remain vulnerable to supply-chain threats. Companies must reevaluate integration risks, reduce unnecessary connections, and adopt stricter token security measures to prevent similar incidents.