Cloudflare has confirmed a data leak after a compromise of the Salesloft Drift integration gave attackers access to its Salesforce environment. The attackers stole customer support text data, including 104 API tokens, contact information, and case content.

The company said it was notified of the incident on August 23, 2025, and immediately launched an internal investigation. All stolen tokens were promptly revoked, and affected customers were notified on September 2.
According to Cloudflare, the attackers operated between August 12 and 17 after initial reconnaissance on August 9. They were only able to exfiltrate text from Salesforce case objects — case subjects, correspondence texts, and contact details. Attachments and files remained intact.
The company warned that any data provided in support requests (logs, access keys, passwords) should be considered compromised. During the investigation, Cloudflare did not detect any suspicious activity related to the stolen tokens, but recommends that customers change their passwords and keys immediately.
The attack was part of a large-scale wave of Salesforce compromises due to a vulnerability in Salesloft Drift. The campaign affected hundreds of companies worldwide. According to researchers, the ShinyHunters group is involved in the attacks; it specializes in social engineering, including phone calls (vishing) to gain access to OAuth applications.
Since the beginning of the year, the group's victims have included Google, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH brands (Louis Vuitton, Dior, Tiffany & Co.). Similar incidents have also been confirmed by Zscaler and Palo Alto Networks.
While the incident at Cloudflare did not affect its core services and infrastructure, it showed how dangerous supply chain attacks are. Stolen information can be used for targeted attacks against customers. Cloudflare urges all companies to more closely monitor third-party integrations, implement regular key rotation, and minimize the amount of data transferred to support.