Impact of Salesloft Drift breach outlined by Cloudflare

Cloudflare Data Leak Causes Significant Repercussions: Explore the Aftermath of the Salesloft-Drift Assault on End Users

Breach-related Aftermath: Cloudflare Examines the Impacts Caused by Salesloft Drift

In a significant security incident, Cloudflare has confirmed a targeted supply chain attack on its Salesforce integration used for customer support and case management. The attack, which began on August 9, 2025, is believed to have been aimed at collecting login credentials and customer information for potential future attacks.

The attacker used the Salesloft Drift chatbot to gain access to Salesforce instances of Salesloft customers. This breach affected Cloudflare and other organizations, with hundreds of Salesforce instances compromised through stolen OAuth tokens. Many customers have been informed about this breach.

Indicators of Compromise (IOCs)

Python/3.11, aiohttp/3.12.15, TruffleHog, Salesforce-Multi-Org-Fetcher/1.0, Salesforce-CLI/1.0, and python-requests/2.32.4 have been identified as Indicators of Compromise (IOCs). These tools were likely used by the attacker to gain unauthorized access and exfiltrate data.

Data Exfiltrated and Exposed

Data was exfiltrated between August 12 and 17, 2025. The attack exposed customer contact data, basic support case information, and potentially sensitive login credentials. All information transmitted through the support system, including logs, tokens, or passwords, should be considered compromised.

Customers are strongly urged to take the following actions:

  1. Review all customer support case data with their third-party providers to determine what sensitive information may have been exposed.
  2. Reset the login credentials for all third-party applications and integrations connected to their Salesforce instance, including those previously shared with Cloudflare.
  3. Conduct a forensic investigation by reviewing access logs and permissions for all third-party integrations, and checking public materials related to the Drift incident.
  4. Enforce a regular rotation schedule for all API keys and other secrets used in their integrations.
  5. Implement enhanced monitoring to detect anomalies such as large data exports or logins from unknown locations.
  6. Access their support case history via the Cloudflare dashboard under "Support" > "Technical Support" > "My Activities," where they can filter cases or use the "Download Cases" function for a comprehensive review.
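As an added example (not code from Cloudflare or from the original article), the log review in step 3 and the monitoring in step 5 can be sketched as a scan of an exported access log for the IOC strings listed above, plus a per-account total of rows returned. It assumes the IOC strings appear in the log's user-agent field; the column names, the sample rows and the 50,000-row threshold are constructed for illustration and are not a Salesforce schema.

```python
import csv
import io
from collections import defaultdict

# IOC strings as listed on this page, matched case-insensitively as substrings.
IOC_STRINGS = [
    "Python/3.11", "aiohttp/3.12.15", "TruffleHog",
    "Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0",
    "python-requests/2.32.4",
]

# Constructed sample export; column names are hypothetical, not a Salesforce schema.
SAMPLE_LOG = """timestamp,user,source_ip,user_agent,rows_returned
2025-08-11T09:14:02Z,support-agent,198.51.100.7,Mozilla/5.0 (Windows NT 10.0),40
2025-08-12T22:14:09Z,drift-integration,203.0.113.25,python-requests/2.32.4,12000
2025-08-13T01:02:44Z,drift-integration,203.0.113.25,Salesforce-Multi-Org-Fetcher/1.0,88000
2025-08-14T03:30:10Z,drift-integration,203.0.113.99,Python/3.11 aiohttp/3.12.15,150
2025-08-15T10:00:00Z,reporting-job,192.0.2.10,Mozilla/5.0 (X11; Linux x86_64),60000
"""

def matched_iocs(user_agent):
    """Return every IOC string that appears in the user-agent value."""
    ua = user_agent.lower()
    return [ioc for ioc in IOC_STRINGS if ioc.lower() in ua]

def review_log(csv_text, export_threshold=50000):
    """Flag IOC user agents and accounts whose total rows returned reach the threshold."""
    ioc_hits, rows_by_user = [], defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            rows = int(row.get("rows_returned") or 0)
        except ValueError:
            rows = 0  # malformed count: still check the user agent
        rows_by_user[row["user"]] += rows
        hits = matched_iocs(row.get("user_agent") or "")
        if hits:
            ioc_hits.append({"timestamp": row["timestamp"], "user": row["user"],
                             "source_ip": row["source_ip"], "iocs": hits})
    large_exports = {u: n for u, n in rows_by_user.items() if n >= export_threshold}
    return ioc_hits, large_exports

if __name__ == "__main__":
    hits, exports = review_log(SAMPLE_LOG)
    for h in hits:
        print("IOC match:", h)
    for user, total in exports.items():
        print("Large export:", user, total)
```

A volume flag without an IOC match, such as the constructed reporting-job row, is a prompt to confirm the export was expected rather than evidence of compromise.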

Moving Forward

Cloudflare will develop new features to protect against such attacks and present them during its upcoming Birthday Week. The Cloudforce One team also plans to publish a detailed analysis of the attacker "GRUB1" in the coming weeks to support the security community in defending against similar threats.

In light of this incident, Cloudflare emphasizes the need for stricter scrutiny and monitoring of third-party tools. Organisations are strongly recommended to take measures to secure SaaS applications and third-party integrations, such as disconnecting Salesloft and its applications.

Stay vigilant, and keep your systems secure.
