Cloudflare confirms data breach linked to Salesloft Drift supply chain compromise

Cloudflare has also been affected by the Salesloft Drift breach, the US web infrastructure and security company confirmed on Tuesday, and the attackers got their hands on 104 Cloudflare API tokens.

“We have identified no suspicious activity associated with those tokens, but all of these have been rotated in an abundance of caution,” Sourov Zaman (Head of Security Response), Craig Strubhart (Senior Director of Threat Detection and Response), and Grant Bourzikas (Chief Information Security Officer) stated.

“All customers whose data was compromised in this breach have been informed directly by Cloudflare [via email and banner notices in the company’s Dashboard].”

Reconnaissance and data theft

Several cybersecurity companies, namely Zscaler, Palo Alto Networks, SpyCloud and Tanium, have already acknowledged that the threat actors who breached Salesloft managed to access their Salesforce instances and exfiltrate customer-related data.

While the attackers managed to grab names, email addresses, job titles, and location references, they were apparently more interested in data that could be used to compromise victim environments: AWS access keys, passwords, Snowflake access credentials, VPN keys, etc.

“Cloudflare uses Salesforce to keep track of who our customers are and how they use our services, and we use it as a support tool to interact with our customers,” Zaman, Strubhart and Bourzikas explained in a report on their post-breach investigation.

“Our investigation showed the threat actor compromised and exfiltrated data from our Salesforce tenant between August 12-17, 2025, following initial reconnaissance observed on August 9, 2025. A detailed analysis confirmed the exposure was limited to Salesforce case objects, which primarily consist of customer support tickets and their associated data within our Salesforce tenant.”

The case objects contain customer contact information and the messages they exchanged with Cloudflare support (but not the related attachments).

“In some troubleshooting scenarios, customers may paste keys, logs, or other sensitive information into the case text fields. Anything shared through this channel should now be considered compromised,” the company’s security leadership team advised.

Like the other affected organizations, Cloudflare believes that the stolen information will be used by the attackers to launch additional targeted attacks.

The company also said the intruders used their Salesforce access to study how its customer support system works and to learn the exact API limits they had to stay under to avoid detection. This knowledge can help them in future attacks against Cloudflare and its customers.

Cloudflare has detailed the proactive measures taken to respond to the compromise and prevent future ones, shared indicators of compromise, and offered security advice for all organizations using SaaS applications and third-party integrations.

They confirmed that none of Cloudflare’s services or infrastructure were compromised as a result of this breach.

Additional victims come forward

In a report on its own breach, Palo Alto Networks said attackers who compromised its Salesloft Drift OAuth token carried out reconnaissance, data exfiltration, and track-covering activities similar to those seen at Cloudflare.

The list of security companies that have confirmed being affected by the Salesloft Drift breach also includes Proofpoint and Rubrik.
