Cybersecurity company Cloudflare announced yesterday that information shared in its customer support system may have been compromised in a data breach last week.
The breach stemmed from Salesloft’s Drift app, which has recently been linked to multiple incidents involving exposed Salesforce data.
Through this app, attackers were able to access the Salesforce instance Cloudflare uses to manage customer support and internal case data.
SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.
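As an added example of the audit recommended above (not code from Salesforce Ben, Cloudflare or Salesforce), the script below reviews an org's OAuth grants. It assumes you have exported the org's OauthToken records to JSON with the fields AppName, UserId, CreatedDate, LastUsedDate and UseCount; the approved-app allowlist, the staleness threshold and the sample rows are all constructed for illustration.

```python
"""Flag unapproved or stale connected-app OAuth grants in a Salesforce org.

Added example, not the page's or any vendor's code. Input is assumed to be an
export of OauthToken records (AppName, UserId, CreatedDate, LastUsedDate,
UseCount) as JSON; the allowlist and sample rows below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed allowlist: the connected apps this hypothetical org has reviewed and approved.
APPROVED_APPS = {"Data Loader", "Salesforce Mobile App"}

# Constructed sample export in the shape of OauthToken rows. The Salesforce API
# renders datetimes as 2025-08-17T14:02:00.000+0000.
SAMPLE_TOKENS_JSON = """[
 {"AppName": "Data Loader", "UserId": "005xx000001AAAA",
  "CreatedDate": "2025-06-01T08:00:00.000+0000", "LastUsedDate": "2025-08-20T08:00:00.000+0000", "UseCount": 140},
 {"AppName": "Drift", "UserId": "005xx000001BBBB",
  "CreatedDate": "2025-02-11T10:30:00.000+0000", "LastUsedDate": "2025-08-17T14:02:00.000+0000", "UseCount": 9823},
 {"AppName": "Salesforce Mobile App", "UserId": "005xx000001CCCC",
  "CreatedDate": "2024-11-03T12:00:00.000+0000", "LastUsedDate": "2025-03-01T12:00:00.000+0000", "UseCount": 3},
 {"AppName": "Data Loader", "UserId": "005xx000001DDDD",
  "CreatedDate": "2025-08-16T00:00:00.000+0000", "LastUsedDate": null, "UseCount": 0}
]"""


def parse_sf_datetime(value):
    """Parse the Salesforce API datetime format; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tokens(records, approved_apps, now, stale_days=90):
    """Return one finding per grant that is either for an unapproved app or unused for too long.

    A token that has never been used falls back to its creation date, so a
    freshly issued grant is not reported as stale.
    """
    findings = []
    for rec in records:
        reasons = []
        if rec["AppName"] not in approved_apps:
            reasons.append("app not on approved list")
        last_activity = parse_sf_datetime(rec.get("LastUsedDate")) or parse_sf_datetime(rec["CreatedDate"])
        if now - last_activity > timedelta(days=stale_days):
            reasons.append(f"unused for more than {stale_days} days")
        if reasons:
            findings.append({"app": rec["AppName"], "user": rec["UserId"], "reasons": reasons})
    return findings


def grants_per_app(records):
    """Count how many users hold a grant for each app, to spot apps nobody remembers approving."""
    counts = {}
    for rec in records:
        counts[rec["AppName"]] = counts.get(rec["AppName"], 0) + 1
    return counts


def run_audit(tokens_json=SAMPLE_TOKENS_JSON, now=None):
    records = json.loads(tokens_json)
    now = now or datetime.now(timezone.utc)
    return audit_tokens(records, APPROVED_APPS, now), grants_per_app(records)


if __name__ == "__main__":
    findings, counts = run_audit(now=datetime(2025, 9, 3, tzinfo=timezone.utc))
    for app, n in sorted(counts.items()):
        print(f"{app}: {n} grant(s)")
    for f in findings:
        print(f"REVIEW {f['app']} for user {f['user']}: {', '.join(f['reasons'])}")
```

Each finding is a grant to revoke or justify; once the list is clean, the remaining step from the note above, preventing users from self-installing new connected apps, is an org setting rather than something this script can check.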
What Happened?
In the company’s official press release, several leaders within Cloudflare’s security team explained what was exposed in the Drift attack, which affected Salesforce databases.
“Because of this breach, someone outside Cloudflare got access to our Salesforce instance, which we use for customer support and internal customer case management, and some of the data it contains.
“Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens.
“Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system – including logs, tokens or passwords – should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel.”
Cloudflare’s threat intelligence team, Cloudforce One, attributed the attack to the hacking group GRUB1. Google’s Threat Intelligence Group (GTIG) tracks the same activity under the name UNC6395, which they say shows overlap with the well-known group ShinyHunters – a collective linked to several recent Salesforce-related data attacks.
The Timeline
Between August 12 and 17, GRUB1 carried out a multi-stage attack on Cloudflare’s Salesforce tenant. Using a stolen Salesloft credential, they gained access and mapped the environment before running different queries to extract Salesforce case data and schemas.
Over the following days, they probed the system to understand its scale, workflows, and limits, building a detailed picture of what Cloudflare’s support processes look like.
After a brief pause, GRUB1 returned on August 16 to confirm the size of the dataset they intended to steal. The next day, they switched to new infrastructure, launched a Bulk API job, and exfiltrated the text of Cloudflare’s support cases in just over three minutes.
They then attempted to delete the job to cover their tracks, and no further activity was observed after this point.
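The sequence above (broad querying of many objects, a Bulk API job against case data from newly seen infrastructure, then deletion of the job) is what a defender would want alerting on. The following is an added example, not Cloudflare's or Salesforce's code: three detection rules run over constructed event records. The records use a simplified, assumed field layout (ts, user, src_ip, type, object, job_id, rows); a real deployment would first map Salesforce event-log fields onto that shape. The baseline of known source addresses and the list of sensitive objects are also constructed.

```python
"""Detection rules for the access pattern described in the timeline above.

Added example. Event records, the known-source baseline and the sensitive
object list are constructed; the field layout is an assumed normalisation,
not Salesforce's own event-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_EVENTS = [
    # Reconnaissance: one integration identity reading many objects within minutes.
    {"ts": "2025-08-12T09:00:00Z", "user": "drift-integration", "src_ip": "198.51.100.10", "type": "query", "object": "Case"},
    {"ts": "2025-08-12T09:01:00Z", "user": "drift-integration", "src_ip": "198.51.100.10", "type": "query", "object": "Account"},
    {"ts": "2025-08-12T09:01:30Z", "user": "drift-integration", "src_ip": "198.51.100.10", "type": "query", "object": "Contact"},
    {"ts": "2025-08-12T09:02:00Z", "user": "drift-integration", "src_ip": "198.51.100.10", "type": "query", "object": "User"},
    {"ts": "2025-08-12T09:02:45Z", "user": "drift-integration", "src_ip": "198.51.100.10", "type": "query", "object": "CaseComment"},
    {"ts": "2025-08-12T09:03:10Z", "user": "drift-integration", "src_ip": "198.51.100.10", "type": "query", "object": "EmailMessage"},
    # Benign nightly load from a known address on a non-sensitive object, never deleted.
    {"ts": "2025-08-16T02:00:00Z", "user": "dataloader-svc", "src_ip": "192.0.2.5", "type": "bulk_job_create", "object": "Account", "job_id": "JOB-BENIGN"},
    {"ts": "2025-08-16T02:10:00Z", "user": "dataloader-svc", "src_ip": "192.0.2.5", "type": "bulk_job_complete", "object": "Account", "job_id": "JOB-BENIGN", "rows": 5000},
    # Bulk export of case text from a never-before-seen address, then deletion of the job.
    {"ts": "2025-08-17T10:00:00Z", "user": "drift-integration", "src_ip": "203.0.113.77", "type": "bulk_job_create", "object": "Case", "job_id": "JOB-X1"},
    {"ts": "2025-08-17T10:03:10Z", "user": "drift-integration", "src_ip": "203.0.113.77", "type": "bulk_job_complete", "object": "Case", "job_id": "JOB-X1", "rows": 120000},
    {"ts": "2025-08-17T10:04:00Z", "user": "drift-integration", "src_ip": "203.0.113.77", "type": "bulk_job_delete", "object": "Case", "job_id": "JOB-X1"},
]

# Constructed baseline: addresses each integration identity has historically used.
KNOWN_SOURCE_IPS = {"drift-integration": {"198.51.100.10"}, "dataloader-svc": {"192.0.2.5"}}
# Objects whose bulk export should always be reviewed (support case text lives here).
SENSITIVE_OBJECTS = {"Case", "CaseComment", "EmailMessage"}


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_enumeration(events, window=timedelta(minutes=10), min_objects=5):
    """Flag a user that queries at least min_objects distinct objects inside one window."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] == "query":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if _ts(e) - _ts(start) > window:
                    break
                seen.add(e["object"])
            if len(seen) >= min_objects:
                alerts.append({"rule": "object_enumeration", "user": user, "objects": sorted(seen), "at": start["ts"]})
                break  # one alert per user is enough
    return alerts


def detect_bulk_exfil(events, known_ips, sensitive, delete_window=timedelta(minutes=15)):
    """Flag bulk jobs on sensitive objects from unknown sources, and jobs deleted soon after completing."""
    alerts = []
    jobs = {}
    for e in sorted(events, key=_ts):
        kind = e["type"]
        if kind == "bulk_job_create":
            jobs[e["job_id"]] = {"object": e["object"]}
            if e["object"] in sensitive and e["src_ip"] not in known_ips.get(e["user"], set()):
                alerts.append({"rule": "sensitive_bulk_job_new_source", "user": e["user"], "src_ip": e["src_ip"], "job_id": e["job_id"]})
        elif kind == "bulk_job_complete":
            jobs.setdefault(e["job_id"], {}).update(completed=_ts(e), rows=e.get("rows", 0))
        elif kind == "bulk_job_delete":
            job = jobs.get(e["job_id"], {})
            done = job.get("completed")
            if done is not None and _ts(e) - done <= delete_window:
                alerts.append({"rule": "bulk_job_deleted_after_completion", "user": e["user"], "job_id": e["job_id"], "rows": job.get("rows", 0)})
    return alerts


def run_all(events=SAMPLE_EVENTS):
    return detect_enumeration(events) + detect_bulk_exfil(events, KNOWN_SOURCE_IPS, SENSITIVE_OBJECTS)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The job-deletion rule only fires when the job completed shortly before being deleted, so routine clean-up of old jobs does not alert; the new-source rule is keyed per integration identity, because a connected app's token normally arrives from a small, stable set of addresses and a change there is exactly the switch to new infrastructure described above.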
On August 20, Salesloft revoked all Drift-to-Salesforce connections, though Cloudflare wasn’t yet aware they had been impacted. Three days later, Salesforce and Salesloft notified them of suspicious Drift activity, prompting immediate containment.
By August 25, Cloudflare had escalated its response, revoking the Drift account, removing Salesloft software, rotating credentials across connected services, and confirming that only text in Salesforce case objects was exposed, including subject lines, message bodies (sometimes containing tokens or logs), and basic customer contact details.
Cloudflare formally notified all affected customers on September 2 through email and banner notices in their Dashboard, providing necessary information and recommended next steps.
The company has also stated that this may not be an isolated event, and is preparing for the possibility that the attackers will use the credentials and customer information they gathered in future attacks.
Cloudflare has taken full responsibility for the leak, but has also reassured users that the impact was strictly limited to data in Salesforce case objects, with no compromise of other Cloudflare systems or infrastructure.
“We consider the compromise of any data to be unacceptable. Our customers trust Cloudflare with their data, their infrastructure, and their security. In turn, we sometimes place our trust in third-party tools, which need to be monitored and carefully scoped in what they can access. We are responsible for this. We let our customers down. For this, we sincerely apologize.”
Final Thoughts
We must stress once again that these leaks do not stem from any vulnerability in the core Salesforce platform.
But Salesforce keeps appearing alongside terms like “hack”, “breach”, and “exposed” in these news stories. For a company that makes security a top priority, this is becoming a far from ideal situation for the CRM giant.