
Cloudflare has disclosed a data breach resulting from a supply chain attack that exploited a vulnerability in a third-party chatbot integration—highlighting growing security concerns around SaaS platforms and connected services.
Between August 12 and August 17, 2025, a sophisticated threat actor—identified by Cloudflare’s intelligence team as GRUB1—gained unauthorized access to the company’s Salesforce environment. The breach was traced back to the Salesloft Drift chatbot integration, a tool used widely in enterprise customer engagement workflows.
The attack was part of a broader supply chain compromise affecting multiple global organizations that relied on the same integration.
Cloudflare confirmed that the attacker accessed Salesforce support cases, which contain customer contact information, subject lines, and the text body of the support communications. While attachments were not accessed, and no core infrastructure or services were breached, the text fields may have contained sensitive customer data inadvertently pasted into them—such as API keys, credentials, or log snippets.
Cloudflare stated that customers should assume any such shared information is now compromised and are advised to rotate credentials immediately.
Cloudflare's Internal Exposure
Among the exposed data, Cloudflare found 104 of its own API tokens. Although no misuse was detected, the company rotated all affected tokens as a precaution.
Timeline of the Attack
· August 9: Reconnaissance activity begins.
· August 12: GRUB1 successfully breaches Cloudflare’s Salesforce instance.
· August 17: Data exfiltration takes place.
· August 23: Cloudflare is notified by Salesforce and Salesloft.
· September 2: Affected customers are directly notified.
Remediation and Response
Cloudflare launched a full-scale incident response, including:
· Disabling the compromised Drift integration
· Rotating credentials for all third-party services connected to Salesforce
· Auditing exfiltrated data to assess customer impact
· Notifying all affected users individually
In a statement, Cloudflare accepted responsibility: “We are responsible for the choice of tools we use in support of our business. This breach has let our customers down. For that, we sincerely apologize.”
This breach underscores a critical vulnerability in the modern SaaS stack—the security risks introduced by third-party integrations. While Salesforce itself was not directly compromised, a connected component (Drift) became the attack vector. This highlights how:
· Trust in the SaaS ecosystem is only as strong as its weakest integration.
· Third-party tools—especially customer-facing ones—require continuous monitoring.
· Shadow data (like credentials shared informally in support cases) can turn seemingly harmless incidents into significant security events.
What This Means for Enterprises
1. Third-party integrations must be treated as potential attack surfaces.
2. Data hygiene practices should discourage sharing sensitive information in support channels.
3. Proactive credential rotation and incident response plans must be in place.
As SaaS adoption accelerates and integrations multiply, supply chain compromises like this will become more common. Enterprises must balance usability with strict access control, vendor vetting, and data minimization practices.
Confirmed Victims of the Supply Chain Attack
Several high-profile companies have confirmed they were impacted by the broader supply chain attack stemming from the compromised chatbot integration:
· Palo Alto Networks acknowledged that business contact information and internal sales data stored in its CRM platform were exposed during the breach.
· Zscaler reported that the attackers accessed customer information, including names, contact details, and portions of support case content.
· Google, which is also involved in investigating the breach, confirmed that a "very small number" of its Workspace accounts were accessed via the compromised authentication tokens.