How did attackers gain access to Cloudflare's customer data?

The breach was caused by compromised OAuth credentials associated with Salesloft's Drift chat agent's Salesforce integration. This enabled attackers to exfiltrate data from hundreds of organizations globally that were customers of Salesloft, including Cloudflare's customer support information.

When was Cloudflare notified about the data breach?

Cloudflare was notified of the breach on August 23, 2025, by Salesforce and Salesloft. The company then informed all impacted customers on September 2, 2025, approximately 10 days after being notified and about two weeks after the attack ended.

What types of data were exposed in the Cloudflare breach?

The exposed data includes customer contact information (company names, email addresses, phone numbers, domain names, country information), subject lines of Salesforce support cases, body content of support cases which may include API keys, tokens, passwords, logs, or other sensitive information submitted by customers, basic support case data and correspondence, and 104 Cloudflare API tokens.

Were any Cloudflare API tokens compromised in the breach?

Yes, 104 Cloudflare API tokens were exposed during the breach. However, all of these tokens were subsequently rotated as a precautionary measure to prevent any potential misuse by the attackers.

What infrastructure did the attackers use to target Cloudflare?

The threat actor operated from IP addresses 44.215.108.109 (AWS-based infrastructure) and 208.68.36.90 (DigitalOcean-based infrastructure), conducting reconnaissance of Cloudflare's Salesforce environment over several days before executing the data exfiltration.

How many Cloudflare customers were affected by the breach?

The number of affected Cloudflare customers and individuals has not been disclosed by the company. However, Cloudflare did provide direct notification to customers whose data was potentially compromised, along with specific recommendations for protection.

Was this Cloudflare breach part of a larger attack campaign?

Yes, this was part of a broader supply chain attack that enabled attackers to exfiltrate data from hundreds of organizations globally that were customers of Salesloft Drift. The compromised OAuth credentials gave attackers access to multiple companies' Salesforce environments that used the Drift integration.

What should Cloudflare customers do about this data breach?

Customers should monitor official communications from Cloudflare regarding the incident, rotate any API keys or sensitive information that may have been shared in support cases, be vigilant for phishing attempts using exposed contact information, review and update security practices for sharing sensitive information in support communications, and follow any specific recommendations provided by Cloudflare's incident response team. Given that API tokens were exposed, customers should also review their account activity for any unauthorized access or changes.

Incident

Cloudflare reports customer data breach in Salesloft Drift supply chain attack

Q: What happened to Cloudflare in the Salesloft Drift data breach?

Cloudflare's customer support data was compromised as part of a supply chain attack targeting the Salesloft Drift integration with Salesforce systems. The incident occurred between August 12-17, 2025, after initial reconnaissance on August 9, exposing customer information stored in Cloudflare's Salesforce instance used for customer support and internal case management.

published: Sept. 3, 2025

Learn More

Cloudflare is reporting that customer support data was compromised as part of a supply chain attack targeting the Salesloft Drift integration with Salesforce systems.

The incident occurred between August 12-17, 2025, after initial reconnaissance on August 9, 2025. It exposed customer information stored in the company's Salesforce instance used for customer support and internal case management.

The cause of the breach were compromised OAuth credentials associated with Salesloft's Drift chat agent's Salesforce integration. This enabled the attackers to exfiltrate data from hundreds of organizations globally that were customers of Salesloft. Cloudflare was notified of the breach on August 23, 2025, by Salesforce and Salesloft, and informed all impacted customers on September 2, 2025.

Exposed data includes:

Customer contact information (company names, email addresses, phone numbers, domain names, country information)
Subject lines of Salesforce support cases
Body content of support cases (freeform text that may include API keys, tokens, passwords, logs, or other sensitive information submitted by customers)
Basic support case data and correspondence
104 Cloudflare API tokens (all subsequently rotated as a precaution)

The number of affected Cloudflare customers and individuals has not been disclosed.

The threat actor, operating from IP addresses 44.215.108.109 (AWS-based infrastructure) and 208.68.36.90 (DigitalOcean-based infrastructure), conducted reconnaissance of Cloudflare's Salesforce environment over several days.

Cloudflare disabled the compromised Drift integration, revoked client IDs and secrets, purged all Salesloft software and browser extensions from their systems, and expanded credential rotation to all third-party integrations as a precautionary measure. All identified API tokens were rotated proactively, and customers whose data was potentially compromised received direct notification with specific recommendations.

Cloudflare reports customer data breach in Salesloft Drift supply chain attack

Read More
Monument Health reports data breach, impacting 2,500 patients
Enbridge Gas reports third-party data breach
CoxHealth reports GoAnywhere related data breach impacting thousands …
Lorain Emergency Physicians report third party breach through …
Third party supplier ransomware exposes Manchester Police officers