Redazione RHC : 3 September 2025 13:23
Cloudflare has disclosed a data breach in which a sophisticated attacker accessed and stole sensitive customer data from the company's Salesforce instance. The breach was part of a larger supply chain attack that exploited a vulnerability in the Salesloft Drift chatbot integration, affecting hundreds of organizations worldwide.
It is important to note that, in addition to Cloudflare, other organizations were also victims of this supply chain incident.
The incident that hit Cloudflare, along with leading companies such as Palo Alto Networks, Zscaler, and even Google, demonstrates how a single point of vulnerability in a cloud SaaS platform can generate devastating ripple effects. A targeted supply chain attack, such as the one that exploited the Salesloft Drift chatbot integration, allowed the threat actor to gain access to sensitive data managed by Salesforce, affecting hundreds of organizations worldwide. The scale of the event highlights how even cybersecurity leaders are not immune when their operations rely on external infrastructure, which becomes a prime target.
In a detailed communication, Cloudflare explained that the threat actor, which its intelligence team has named GRUB1, gained unauthorized access to its Salesforce environment between August 12 and 17, 2025.
Cloudflare uses Salesforce to manage customer support and internal operations. The attackers stole data from cases stored in Salesforce, most of them customer support tickets. The compromised information is what was written in the free-text fields of those cases: customer contact details, subject lines, and the body of case correspondence.
Cloudflare has highlighted that while customers are not required to share sensitive information in support tickets, any credentials, API keys, logs, or passwords that may have been pasted into support case text fields should now be considered compromised. The company reported that no attachments were accessed, and no Cloudflare services or core infrastructure were compromised as a result of this incident.
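A triage helper for the advice above, added here as an example and not Cloudflare's or Salesforce's own tooling: it scans exported Case records' Subject and Description fields for secret-shaped strings, so an affected customer can decide which credentials to rotate. The record shape, the field names and every sample value are constructed for the example.

```python
import re

# Constructed Salesforce Case records (assumed field names, not real data), shaped
# like the fields the article says were exposed: contact details, Subject and body.
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "ContactEmail": "ops@example.com",
     "Subject": "Zone not resolving",
     "Description": "Our zone stopped resolving after a DNS change. No secrets here."},
    {"CaseNumber": "00001002", "ContactEmail": "dev@example.com",
     "Subject": "403 from API, token attached",
     "Description": "curl -H 'Authorization: Bearer v1.0-abc123DEF456ghi789JKL' "
                    "https://api.example.invalid/v4/zones"},
    {"CaseNumber": "00001003", "ContactEmail": "sre@example.com",
     "Subject": "Log sample for worker crash",
     "Description": "env dump: AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY123456 password=Hunter2Hunter2\n"
                    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----"},
]

# Secret-shaped strings customers tend to paste into tickets. Each pattern either
# captures the secret in group 1 or matches it whole; previews are redacted below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "credential_assignment": re.compile(
        r"\b(?:api[_-]?key|password|passwd|secret|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})",
        re.IGNORECASE),
}

def redact(secret):
    """Keep only a short prefix so the report itself does not re-expose the secret."""
    return secret[:4] + "..." if len(secret) > 4 else "****"

def find_exposed_secrets(cases, fields=("Subject", "Description")):
    """Return one finding per secret-shaped match in the given free-text fields."""
    findings = []
    for case in cases:
        for field in fields:
            text = case.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(1) if m.lastindex else m.group(0)
                    findings.append({"case": case["CaseNumber"], "field": field,
                                     "kind": kind, "preview": redact(secret)})
    return findings

def cases_needing_rotation(findings):
    """Case numbers whose owners should rotate something, for the notification list."""
    return sorted({f["case"] for f in findings})
```

Run it over a real export only after pulling the records through an authenticated API session; the pattern list is a starting point and should be extended with the token formats your own services issue.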
The investigation revealed that the attack began with reconnaissance on August 9, with the initial compromise occurring on August 12. The threat actor used credentials stolen through the Salesloft Drift integration to systematically access and explore Cloudflare's Salesforce tenant before exfiltrating support case data on August 17.
This incident reminds us once again that the cloud, while offering scalability, convenience, and operational flexibility, carries risks that are often not immediately visible. The interconnected nature of SaaS platforms, combined with numerous third-party integrations, exponentially increases the attack surface. In this context, even the most rigorous internal security management procedures risk not being enough: a mistake or vulnerability in a single link in the chain can compromise the entire digital ecosystem.
The main lesson is that blind trust in the cloud is no substitute for a multi-layered security strategy. Companies must adopt zero trust approaches, continuous monitoring, and privilege reduction practices, carefully evaluating every external integration. The August 2025 incident clearly shows us that, in the digital world, resilience depends not only on the strength of internal defenses, but on the ability to predict and contain risks arising from third parties: because today, a single SaaS incident can turn into a global compromise.