Cloudflare Breach via Salesloft Drift: A Stark Reminder of SaaS Supply Chain Vulnerabilities

Introduction

In today’s highly interconnected SaaS ecosystem, security boundaries extend far beyond core infrastructure. Companies increasingly rely on third-party tools for customer support, sales, and automation. These platforms, while essential for operational efficiency, are prime targets for attackers, because a single integration often holds standing credentials to many customers’ data. The recent Cloudflare breach, part of a broader campaign that abused the Salesloft Drift integration to reach Salesforce tenants, highlights just how fragile these digital supply chains can be.

Despite rapid incident response and minimal immediate damage, the exposure of API tokens and sensitive customer interactions reveals a systemic risk. When one trusted SaaS provider is compromised, the blast radius can expand across hundreds of organizations. Understanding what happened, how it happened, and what can be done about it is critical for defenders across all sectors.

Let’s break it down using the 5Ws and 1H framework.

Who Was Affected?

Cloudflare, one of the most prominent internet infrastructure providers, confirmed that it was impacted by a supply chain breach of its Salesforce CRM instance, reached through the Salesloft Drift integration connected to it. That instance was used for managing customer support tickets and internal case tracking.

While Cloudflare was the direct victim, the consequences extend to its customers whose data was stored in those support tickets. The breach is also one of a wider wave of Salesforce data-theft intrusions in 2025, not all of them through Salesloft Drift, that has hit major organizations including:

  • Google
  • Cisco
  • Qantas
  • Allianz Life
  • Workday
  • Farmers Insurance
  • Adidas
  • LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co)
  • Palo Alto Networks


This was not an isolated incident, but a multi-organization supply chain compromise.

What Happened?

Between August 12 and 17, 2025, threat actors used stolen Salesloft Drift OAuth tokens to gain unauthorized access to a Salesforce instance used by Cloudflare and exfiltrated the text fields of customer support cases. Within that text, Cloudflare identified 104 Cloudflare API tokens, all of which it rotated. The case text may also have included:

  • API keys
  • Access tokens
  • Passwords
  • Log files
  • Configuration details
  • Contact information


No file attachments were taken, but any secret that a customer pasted into a support ticket during that window should be treated as compromised and rotated.

Cloudflare rotated the 104 tokens it found and reached out to impacted customers. Still, the company strongly recommended that any credential shared over the support channel be rotated, since the attacker’s copy of the ticket text cannot be recalled.

When Did It Happen?

  • August 9, 2025: Initial reconnaissance by the attackers

  • August 12 to 17, 2025: Exfiltration of Salesforce case object data

  • August 23, 2025: Salesloft and Salesforce notified Cloudflare of the breach

  • September 2, 2025: Cloudflare publicly disclosed the incident and notified affected customers

This timeline places the attack within a broader wave of OAuth-token and connected-app abuse seen across Salesforce-linked platforms in 2025.

Where Did It Originate?

The breach came through a supply chain vector: the Salesloft Drift chat integration, which holds OAuth tokens for the Salesforce environments it is connected to. The attackers obtained those Drift OAuth tokens and used them to query Salesforce directly, so no Cloudflare employee had to be phished. In the related 2025 campaign against other Salesforce customers, the same position was reached differently, by vishing employees into authorizing a malicious connected app that looked legitimate.

Either way, the result is an OAuth grant that acts with the integration’s standing permissions. Once inside, the attackers targeted Salesforce case objects, where customer tickets and internal notes were stored.

Investigators and other victims of the same campaign have confirmed that, after exfiltrating the data, the attackers searched it for secrets using keywords such as “AKIA” (the prefix of AWS access key IDs), “password,” and “Snowflake token,” which points to an organized, credential-focused operation.
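The activity described in this section has a recognisable shape in Salesforce API logs: an integration that normally touches a handful of records suddenly counts objects and then pulls tens of thousands of Case rows. The following is an added detection example, not code from Cloudflare, Salesloft or ThreatMon. The call records are constructed and use a simplified (timestamp, app, user, SOQL, rows) layout; a real Salesforce EventLogFile export has different field names, and the allowlist and thresholds are assumptions for the example.

```python
"""Detect recon-then-bulk-dump activity by a Salesforce connected app.

Added illustration, not vendor code. Record shape, allowlist and
thresholds are assumptions; adapt them to your own EventLogFile export.
"""
import re
from datetime import datetime, timedelta

# Connected apps the organisation has approved (assumption). A compromised
# token for an *approved* app, as with Drift, is still caught below by its
# behaviour rather than by its name.
APPROVED_APPS = {"Drift", "Salesloft", "Internal Support Console"}

# Thresholds chosen for the example, not vendor guidance.
BULK_ROWS = 5_000                  # rows returned by one query = a dump
RECON_WINDOW = timedelta(days=10)  # COUNT() recon must precede the dump

COUNT_QUERY = re.compile(r"^\s*SELECT\s+COUNT\(\)", re.IGNORECASE)
CASE_OBJECT = re.compile(r"\bFROM\s+Case\b", re.IGNORECASE)

# Constructed sample: (ISO timestamp, connected app, user, SOQL, rows).
SAMPLE_CALLS = [
    ("2025-08-09T14:02:00", "Drift", "drift-integration@example.com",
     "SELECT COUNT() FROM Case", 1),
    ("2025-08-09T14:03:10", "Drift", "drift-integration@example.com",
     "SELECT COUNT() FROM Account", 1),
    ("2025-08-12T03:15:00", "Drift", "drift-integration@example.com",
     "SELECT Id, Subject, Description FROM Case", 48_000),
    ("2025-08-14T09:00:00", "Internal Support Console", "agent@example.com",
     "SELECT Id, Subject FROM Case WHERE Id = '500xx0000001'", 1),
    ("2025-08-15T11:20:00", "Unknown-Chrome-Ext", "agent@example.com",
     "SELECT Id FROM Contact LIMIT 10", 10),
]


def parse_calls(raw):
    """Normalise raw tuples into dicts sorted by time."""
    recs = [
        {"ts": datetime.fromisoformat(ts), "app": app, "user": user,
         "soql": soql, "rows": int(rows)}
        for ts, app, user, soql, rows in raw
    ]
    return sorted(recs, key=lambda r: r["ts"])


def audit(raw_calls):
    """Return a list of findings over the API call records."""
    findings = []
    reported_apps = set()
    first_count = {}  # app -> time of its first COUNT() query
    for r in parse_calls(raw_calls):
        # 1. Any connected app not on the allowlist is reported once.
        if r["app"] not in APPROVED_APPS and r["app"] not in reported_apps:
            reported_apps.add(r["app"])
            findings.append({"type": "unapproved_app", "app": r["app"],
                             "user": r["user"], "ts": r["ts"].isoformat()})
        # 2. Remember when each app first counted records (reconnaissance).
        if COUNT_QUERY.match(r["soql"]):
            first_count.setdefault(r["app"], r["ts"])
        # 3. A bulk read of Case rows is always reported; when it follows
        #    recon within the window it is the pattern from this incident.
        if CASE_OBJECT.search(r["soql"]) and r["rows"] >= BULK_ROWS:
            recon = first_count.get(r["app"])
            if recon is not None and r["ts"] - recon <= RECON_WINDOW:
                findings.append({"type": "recon_then_dump", "app": r["app"],
                                 "user": r["user"], "rows": r["rows"],
                                 "recon_ts": recon.isoformat(),
                                 "dump_ts": r["ts"].isoformat()})
            else:
                findings.append({"type": "bulk_case_read", "app": r["app"],
                                 "user": r["user"], "rows": r["rows"],
                                 "dump_ts": r["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CALLS):
        print(finding)
```

Run against the sample, the approved Drift integration is flagged for the recon-then-dump sequence and the unknown browser extension for being off the allowlist; the legitimate single-record lookup by the support console produces nothing. The point of keying on behaviour is that an allowlist alone would have passed the Drift token.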

Why Does It Matter?

The breach underscores the growing importance of supply chain security within SaaS ecosystems. In this case, attackers never breached Cloudflare’s product infrastructure or core systems. Instead, they exploited a highly trusted, deeply embedded CRM integration.

This attack matters because:

  • It shows how sensitive data can leak from support systems, even when products remain untouched

  • It reflects a shift in attacker focus, targeting the communications layer between companies and their customers

  • It introduces a credential harvesting risk that could lead to secondary attacks across platforms and cloud environments

It also reinforces that text-only breaches are still dangerous, as the exfiltrated content can contain secrets, credentials, and operational insight.

How Did It Happen?

  1. Threat actors obtained OAuth tokens that Salesforce had issued to the Salesloft Drift integration, giving them the integration’s standing access to customer tenants (the related 2025 Salesforce campaign against other companies reached the same position by vishing employees into approving a malicious connected app)

  2. Using those tokens, they queried Cloudflare’s Salesforce instance through the API, performing reconnaissance first and then pulling the text of support cases in bulk

  3. They then searched the exfiltrated text for sensitive keywords, focusing on credentials, API tokens, and login details

  4. No attachments were accessed, only the textual fields of the case objects

  5. The exfiltrated text gives the actor raw material for follow-on attacks using any credentials it contains, or for extortion

Palo Alto Networks, another victim of the same campaign, observed nearly identical tactics against its own Salesforce CRM, which is consistent with a broad, coordinated supply chain attack rather than an isolated intrusion.
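Step 3 above, and the rotation advice in the "What Happened?" section, both come down to the same task: scan case text for pasted secrets, so that defenders can decide what to rotate and whom to notify before the attacker finishes the same search. The following is an added example of that triage, not Cloudflare’s or ThreatMon’s tooling. The case records are constructed, the AWS key is the placeholder from the AWS documentation, and the regexes are illustrative and deliberately narrow (assumptions); a real run would extend them with the token formats your own customers paste into tickets.

```python
"""Triage exfiltrated support-case text for secrets that must be rotated.

Added example, not vendor tooling. Cases are constructed and the patterns
are illustrative assumptions, not an exhaustive secret taxonomy.
"""
import re

# Each pattern either captures the secret in group 1 or matches it whole.
PATTERNS = {
    # AWS access key IDs are "AKIA" plus 16 upper-case alphanumerics, which
    # is exactly the keyword the attackers hunted for.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE),
    "bearer_token": re.compile(
        r"\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)", re.IGNORECASE),
    # A mention alone is enough to warrant a rotation conversation.
    "snowflake_token_mention": re.compile(r"\bsnowflake\s+token\b",
                                          re.IGNORECASE),
}

TEXT_FIELDS = ("subject", "description", "comments")

# Constructed cases. The AWS key is the AWS documentation placeholder.
SAMPLE_CASES = [
    {"id": "500xx0000001", "account": "Acme",
     "subject": "S3 origin not reachable",
     "description": "Our key is AKIAIOSFODNN7EXAMPLE, can you test?",
     "comments": ""},
    {"id": "500xx0000002", "account": "Globex",
     "subject": "Login issue", "description": "",
     "comments": "Temp account: user=ops password: Hunter2!Tmp"},
    {"id": "500xx0000003", "account": "Initech",
     "subject": "API returns 403",
     "description": ("curl -H 'Authorization: Bearer "
                     "eyJhbGciOiJIUzI1NiJ9.c3ViX2V4YW1wbGU.ZmFrZXNpZw' "
                     "https://api.example.com/v4/zones"),
     "comments": ""},
    {"id": "500xx0000004", "account": "Acme",
     "subject": "Billing question",
     "description": "Invoice 1234 looks wrong.", "comments": ""},
    {"id": "500xx0000005", "account": "Umbrella",
     "subject": "Data pipeline",
     "description": "Is the Snowflake token we sent earlier still valid?",
     "comments": ""},
]


def mask(value):
    """Show only the edges of a secret so the report itself is not a leak."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_case(case):
    """Return one finding per secret-like match in the case's text fields."""
    findings = []
    for field in TEXT_FIELDS:
        text = case.get(field) or ""
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                secret = m.group(1) if pat.groups else m.group(0)
                findings.append({"case": case["id"],
                                 "account": case["account"],
                                 "field": field, "type": kind,
                                 "preview": mask(secret)})
    return findings


def triage(cases):
    """Return (all findings, {account: sorted secret types}) for notification."""
    findings = [f for c in cases for f in scan_case(c)]
    by_account = {}
    for f in findings:
        by_account.setdefault(f["account"], set()).add(f["type"])
    return findings, {a: sorted(t) for a, t in by_account.items()}


if __name__ == "__main__":
    found, per_account = triage(SAMPLE_CASES)
    for f in found:
        print(f)
    print(per_account)
```

The per-account summary is what a support team actually needs on day one: which customers must be told, and which kinds of credential to rotate. Masking the previews matters because the triage report itself will be pasted into tickets and chat, which is how the secrets ended up in the CRM in the first place.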

ThreatMon Insight: Supply Chain Intelligence is No Longer Optional

The Cloudflare breach highlights a critical truth about modern cybersecurity. Defenders must expand their visibility beyond their own assets and infrastructure. Risk now resides not only inside your firewall, but also across the dozens of third-party applications and vendors your organization relies on every day.

Your CRM is not just a customer database. Your support ticketing tool is not just a helpdesk. Each one is a potential window into your most sensitive workflows. When these tools are integrated via OAuth and enriched with APIs, they become powerful and vulnerable components of your digital supply chain.

This is why ThreatMon’s Supply Chain Intelligence Module exists. It is designed to:

  • Map your entire ecosystem of connected SaaS tools and third-party integrations

  • Detect malicious or unauthorized OAuth apps

  • Continuously monitor for leaked credentials, tokens, or API keys

  • Provide real-time alerts based on known attacker patterns and toolchains

We believe that defending your organization starts with understanding every partner, app, and vendor that has access to your data. With our module, you gain the tools to proactively reduce supply chain exposure and stop attacker movement before it begins.

✅ Stay ahead of third-party risk.

Explore ThreatMon’s Supply Chain Intelligence Module today.
