Impacts of the Salesloft Drift Breach detailed by Cloudflare

Cloudflare Data Leak Causes Widespread Concern: Examining the Impact of the Salesloft Drift Assault on Customers.

Cloudflare, the web performance and security company, has announced a data breach stemming from a targeted supply chain attack affecting its Salesforce integration with Salesloft Drift. The incident, which occurred between August 12 and 17, 2025, exposed customer support case data and potentially sensitive login credentials.

The breach was discovered last week, and Cloudflare has since launched a comprehensive investigation into the matter. The company plans to publish a detailed report outlining further details about the incident and its internal investigation in the coming weeks.

In the meantime, Cloudflare warns that all information transmitted through the support system - including logs, tokens, or passwords - should be considered compromised. Affected customers were directly notified.

The attacker gained access to Cloudflare's Salesforce instance used for customer support and case management, accessing customer contact data and basic support case information. Identified Indicators of Compromise (IOCs) include IPv4 addresses, user-agent strings linked to malicious tooling, and certain versions of the Salesforce Command Line Interface (CLI) and python-requests.

To mitigate the risk of future attacks, Cloudflare is recommending several measures. Firstly, customers are strongly advised to change their login credentials. Secondly, Cloudflare encourages the enforcement of least privilege by reviewing all third-party applications to ensure they are operating with the minimum access rights required for their function. Admin accounts should not be used for providers, and strict controls such as IP address restrictions and session binding should be implemented for all third-party and business-to-business (B2B) connections.

Moreover, Cloudflare suggests improving monitoring and controls by implementing enhanced monitoring to detect anomalies such as large data exports or logins from unknown locations. It also recommends conducting a forensic investigation by reviewing access logs and permissions for all third-party integrations, checking public materials related to the Drift incident, and conducting a security review of your environment if necessary.
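An added example, not from Cloudflare or the original article: a minimal triage pass that applies the IOC categories and anomaly checks described above (unknown source addresses, tooling user-agents, large exports) to an integration's access events. The event schema, the allowlisted network, the row threshold, the user-agent markers and the sample events are all constructed assumptions.

```python
import ipaddress

# Everything below is constructed for illustration: the event schema, the
# allowlisted network, the row threshold and the sample events are assumptions.
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # integration's expected egress
UA_MARKERS = ("python-requests", "salesforce-cli")  # tool families only; use published IOC strings in practice
EXPORT_ROW_LIMIT = 10_000  # hypothetical per-request ceiling for this integration

SAMPLE_EVENTS = [  # constructed log events for one third-party integration user
    {"ts": "2025-08-12T09:14:03Z", "user": "svc-integration", "ip": "192.0.2.10",
     "ua": "vendor-sync/1.0", "type": "api_query", "rows": 120},
    {"ts": "2025-08-12T22:41:50Z", "user": "svc-integration", "ip": "203.0.113.77",
     "ua": "python-requests/0.0 (constructed)", "type": "login"},
    {"ts": "2025-08-13T01:02:11Z", "user": "svc-integration", "ip": "203.0.113.77",
     "ua": "python-requests/0.0 (constructed)", "type": "bulk_export", "rows": 250000},
    {"ts": "2025-08-14T10:30:00Z", "user": "svc-integration", "ip": "192.0.2.10",
     "ua": "vendor-sync/1.0", "type": "bulk_export", "rows": 50000},
    {"ts": "2025-08-15T03:00:00Z", "user": "svc-integration", "ip": "not-an-ip",
     "ua": "vendor-sync/1.0", "type": "api_query", "rows": 5},
]

def findings(event):
    """Return the list of reasons this event deserves analyst attention."""
    reasons = []
    try:
        ip = ipaddress.ip_address(event["ip"])
        if not any(ip in net for net in KNOWN_NETWORKS):
            reasons.append("unknown_source_ip")
    except ValueError:
        reasons.append("unparseable_source_ip")  # never silently skip bad records
    if any(marker in event.get("ua", "").lower() for marker in UA_MARKERS):
        reasons.append("watchlisted_user_agent")
    if event.get("rows", 0) > EXPORT_ROW_LIMIT:
        reasons.append("large_export")
    return reasons

def triage(events):
    """Pair each flagged event with its reasons, most reasons first."""
    hits = [(e, findings(e)) for e in events]
    return sorted((h for h in hits if h[1]), key=lambda h: len(h[1]), reverse=True)

if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(event["ts"], event["ip"], event["type"], ",".join(reasons))
```

An event from an expected address with an ordinary user-agent is still flagged when its row count is large, which matters when the integration's own credentials are the ones being misused.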

Cloudflare also emphasizes that it bears responsibility for its choice of tools and, following the breach, announces the development of new features to protect against such attacks during the upcoming Birthday Week. The Cloudforce One team plans to publish a detailed analysis of the attacker "GRUB1" in the coming weeks to support the security community in defending against similar threats.

In addition, Cloudflare advises disconnecting Salesloft and its applications from your Salesforce environment and uninstalling any associated software programs or browser extensions. Individual support interactions could also contain configuration details and confidential data such as access tokens. Customers are therefore encouraged to review all customer support case data with their third-party providers to determine what sensitive information may have been exposed. Cloudflare customers can access their support case history via the Cloudflare dashboard.

Lastly, Cloudflare recommends implementing a regular rotation schedule for all API keys and other secrets used in your integrations to reduce the risk of exposure. It also recommends resetting the login credentials for all third-party applications and integrations connected to your Salesforce instance, including those previously shared with Cloudflare in a support case.

As the investigation continues, Cloudflare remains committed to transparency and will keep the public updated on any new developments.
