Full Report
Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week. [...]
Analysis Summary
# Incident Report: Cloudflare Salesloft/Drift Supply Chain Data Breach
## Executive Summary
Cloudflare suffered a data breach stemming from a supply-chain attack targeting their customer support platform, Salesloft Drift, which is built on Salesforce. Attackers accessed a Salesforce instance used for internal customer case management, exfiltrating text-based support case data containing 104 Cloudflare API tokens and sensitive customer configuration details. Cloudflare rotated the compromised tokens immediately upon discovery, despite finding no evidence of their misuse, and urged all customers who shared credentials through support tickets to rotate them.
## Incident Details
- Discovery Date: August 23, 2025 (Date Cloudflare was notified)
- Incident Date: August 9, 2025 (Start of initial reconnaissance) to August 17, 2025 (End of data exfiltration)
- Affected Organization: Cloudflare
- Sector: Internet Technology / Content Delivery Network (CDN)
- Geography: Undisclosed (Global customer base affected via support platform)
## Timeline of Events
### Initial Access
- Date/Time: August 9, 2025 (Reconnaissance began)
- Vector: Supply Chain Compromise—Attackers targeted the Salesloft Drift platform used by Cloudflare for customer support. The broader attack is linked to ShinyHunters using vishing to gain OAuth access to Salesforce instances across multiple organizations.
- Details: Threat actors initiated reconnaissance aimed at harvesting credentials and customer information for future attacks.
### Lateral Movement
- Details: Not explicitly detailed, but the access was achieved through the Salesloft Drift/Salesforce environment, rather than traditional network lateral movement within Cloudflare's internal infrastructure.
### Data Exfiltration/Impact
- Date/Time: August 12 to August 17, 2025
- Details: Threat actors stole the text content within Salesforce case objects, including customer support tickets, subject lines, customer contact information, and potentially sensitive data shared by customers (logs, tokens, passwords). **104 Cloudflare platform-issued API tokens** were confirmed exfiltrated. No attachments were stolen.
### Detection & Response
- Date/Time: August 23, 2025 (Discovery) / September 2, 2025 (Customer notification)
- Details: Cloudflare was notified of the breach (presumably by the vendor or a related organization). Before public disclosure, Cloudflare rotated all 104 exfiltrated API tokens. They then alerted impacted customers.
## Attack Methodology
- Initial Access: Supply Chain compromise via exploitation of the Salesloft Drift/Salesforce environment, likely involving compromised OAuth authorizations obtained through social engineering (vishing).
- Persistence: Not detailed, but implied persistence within the targeted Salesforce environment.
- Privilege Escalation: Not detailed, but necessary to access support case objects.
- Defense Evasion: Attackers operated within the scope of a legitimate, third-party customer support system (Salesforce).
- Credential Access: Attempting to harvest credentials, keys, and secrets shared by customers within support tickets.
- Discovery: Initial reconnaissance phase between August 9th and August 12th. Attackers used keywords such as "secret," "password," or "key" when searching within support data (inferred from impact on similar organizations like Palo Alto Networks).
- Lateral Movement: Within the scope of the compromised Salesforce entity.
- Collection: Targeting text content within Salesforce case objects.
- Exfiltration: Text data, including 104 Cloudflare API tokens.
- Impact: Compromise of customer support data and sensitive shared credentials/tokens.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: 104 Cloudflare API tokens, customer contact information (domain, email, phone), and contents of support interactions (including configuration details, logs, secrets, or passwords if shared by the customer).
- Operational: Negligible documented impact on core Cloudflare products or services.
- Reputational: Negative external publicity resulting from the disclosure of a third-party supply chain breach.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Activity focused on searching text fields (`subject`, `body`) within support case objects for keywords indicating secrets.
## Response Actions
- **Containment measures:** Rotation of all 104 compromised Cloudflare platform-issued API tokens immediately upon learning of the incident.
- **Eradication steps:** Assumed to involve coordinating with Salesloft/Salesforce partners and hardening access controls to the support platform (though not explicitly detailed).
- **Recovery actions:** Strong urging for all customers who submitted secrets or tokens via support tickets to rotate those credentials immediately.
## Lessons Learned
- Supply chain risk associated with third-party SaaS customer support platforms (Salesloft Drift/Salesforce) represents a significant vector for credential theft.
- Customers entering secrets into support interaction channels poses an inherent risk if those channels are breached.
- The exfiltrated tokens showed no suspicious activity, highlighting the importance of proactive credential rotation as a primary defense against supply-chain exfiltration.
## Recommendations
- **For Cloudflare:** Strictly limit the types of data customers can input into support ticketing systems; mandate automated credential masking or blocklist specific sensitive input fields within the support interface.
- **For Customers:** Immediately rotate any API tokens, secrets, passwords, or access keys that were ever shared or mentioned within Cloudflare support requests handled via the Salesloft Drift platform.
- **General Security:** Organizations participating in broad vendor ecosystems must continually reassess the security posture of all utilized third-party services, especially those handling privileged interactions.
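The behavioral indicator above (keyword searches over case `subject` and `body` fields) and the recommendation to mask credentials automatically have a defensive counterpart: scan support case text for likely secrets before it is stored, mask them, and list the cases whose owners must rotate. The following is an added example, not Cloudflare's or Salesloft's code; the keyword list, the 32-character candidate length and the 4.0-bit entropy threshold are assumptions for illustration, and the sample cases are constructed.

```python
import math
import re
from collections import Counter

# Assumed patterns for illustration, not Cloudflare's or Salesforce's documented formats.
KEYWORD_RE = re.compile(  # "password: ...", "api_token=...", "secret: ..."
    r"(?i)\b(api[_ -]?token|api[_ -]?key|secret|password|passwd|bearer)\b"
    r"\s*[:=]\s*([A-Za-z0-9_\-./+=]{8,})"
)
CANDIDATE_RE = re.compile(r"[A-Za-z0-9_\-]{32,}")  # bare token-shaped runs
ENTROPY_THRESHOLD = 4.0  # bits/char; a random 40-char token scores well above this

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_secrets(text):
    """Return (reason, value) pairs for likely secrets in free-text ticket content."""
    hits = [(m.group(1).lower(), m.group(2)) for m in KEYWORD_RE.finditer(text)]
    seen = {value for _, value in hits}
    for m in CANDIDATE_RE.finditer(text):
        value = m.group(0)
        if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append(("high-entropy", value))
            seen.add(value)
    return hits

def redact(text):
    """Mask detected secrets so the stored case text no longer carries them."""
    for reason, value in find_secrets(text):
        text = text.replace(value, f"<redacted:{reason}>")
    return text

def triage_cases(cases):
    """IDs of cases whose subject or body holds a likely secret; their owners must rotate it."""
    return [cid for cid, c in cases.items() if find_secrets(c["subject"] + "\n" + c["body"])]

# Constructed sample cases (not real tickets, tokens or customers).
SAMPLE_CASES = {
    "CASE-1": {"subject": "WAF rule not applying",
               "body": "Using token 8f3kQ2pLz9Xv1bN7mC4tR6yH0wJ5eGaSdUiOlPqA for zone example.com"},
    "CASE-2": {"subject": "Dashboard login issue",
               "body": "password: hunter2xyz123 for user alice@example.com"},
    "CASE-3": {"subject": "DNS propagation question",
               "body": "Records for example.com updated 2 hours ago, still resolving to 203.0.113.5"},
}
```

Running `triage_cases(SAMPLE_CASES)` flags CASE-1 (bare high-entropy token) and CASE-2 (keyword-led password) but not CASE-3; `redact` produces the masked text to keep in the case object.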