Cloudflare has confirmed that its Salesforce instance was compromised in the ongoing third-party attack campaign tied to SalesLoft and Drift integrations, a breach that has now impacted more than 700 companies worldwide. The San Francisco-based networking company published an unusually detailed post-incident report, including a timeline, indicators of compromise (IOCs), and specific remediation measures, earning praise from industry experts for its transparency.
How the Breach Was Detected and When It Occurred
According to Cloudflare, the intrusion began with reconnaissance activity observed on August 9, 2025. Attackers then exfiltrated customer data between August 12 and August 17, using compromised OAuth tokens tied to SalesLoft Drift, an AI-powered marketing tool integrated with Salesforce CRM.
The company said the exposed data primarily consisted of customer contact details and basic support case records, though it acknowledged that some support interactions contained sensitive information such as configuration details and even access tokens.
Cloudflare issued a strong advisory to customers:
“Any information shared with Cloudflare in our support system – including logs, tokens, or passwords – should be considered compromised.”
The company urged customers to rotate credentials, secure SaaS applications, and heighten monitoring of third-party integrations.
Cloudflare’s Transparency and Industry Recognition
Cloudflare immediately notified all impacted customers via email and dashboard banners, providing context and recommended actions. Security experts highlighted the openness of the disclosure.
Cory Michal, CSO at SaaS security firm AppOmni, commented:
“Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting. Their blog not only provides clear technical detail but also openly accepts responsibility for the risks posed by third-party integrations.”
How This Breach Fits Into a Larger Campaign
Cloudflare’s incident is part of a broader Salesforce supply chain compromise that has already affected Palo Alto Networks, Zscaler, and hundreds of other organizations. Google’s Threat Intelligence Group warned on August 26 that attackers were abusing compromised OAuth tokens from Drift Email integrations to access Salesforce tenants at scale.
Victims of the campaign include major global brands such as Farmers Insurance, Air France, KLM, Coca-Cola, Cisco, Qantas, Adidas, and LVMH. Last week, TransUnion confirmed that 4.4 million customers had their data exposed via Salesforce.
Threat Actor Attribution and Emerging Collective
Investigators have linked the campaign to a newly branded criminal alliance called Scattered LapSus$ Hunters. The group is believed to combine members from ShinyHunters, Scattered Spider, and Lapsus$, three of the most active threat groups in recent years.
Mandiant previously attributed the activity to ShinyHunters (UNC6240) but now assesses that the three groups are working together, either as a merged entity or under a loose cooperative banner.
The hackers have amplified their presence with a Telegram channel, where they post threats, vendor lists, and provocative messages aimed at law enforcement and corporate executives. In one message pinned to the top of the channel, they wrote:
“Dear Sundar Pichai, IF YOU DO NOT FIRE AUSTIN LARSEN, CHARLES CARMAKAL, AND HAVE GTIG MANDIANT ABANDON THEIR INVESTIGATION ON US, WE WILL LEAK GOOGLE DB.”
The collective has also claimed intrusions against Allianz Life, Workday, and ChangeNow, signaling ambitions that go beyond Salesforce exploitation.
What Customers Should Expect Going Forward
Cloudflare’s internal threat intelligence team has warned that the attack was not an isolated incident and that credentials and data harvested during this campaign will likely be used in future attacks.
The company has pledged to reinforce its SaaS security stack, harden access controls, and improve third-party risk management. Analysts say these steps, combined with transparent reporting, set a higher standard for incident response in the wake of supply chain compromises.
As Cory Michal noted, Cloudflare’s approach “demonstrates both maturity and leadership in incident response, setting a high bar for how organizations should communicate, remediate, and reinforce trust.”