Cloudflare Data Breach Linked to Salesloft Drift Supply Chain Attack

▼ Summary
– Cloudflare was breached as part of a supply-chain attack involving Salesloft Drift, with attackers accessing its Salesforce instance for customer support data.
– The breach exposed 104 Cloudflare API tokens and customer information, including contact details and potentially sensitive data shared in support tickets.
– Cloudflare rotated all compromised tokens and notified customers, though no suspicious activity linked to the tokens has been detected.
– The threat actors stole only text-based data from support cases between August 12 and 17, apparently to harvest credentials for follow-on targeted attacks.
– This incident is part of a broader wave of attacks targeting Salesforce customers, with groups like ShinyHunters using social engineering to steal data for extortion.
Cloudflare is the latest organization hit by the widespread supply chain attack on Salesloft Drift: attackers gained unauthorized access to the Salesforce instance Cloudflare uses for customer support. The breach exposed 104 Cloudflare API tokens and customer data, prompting token rotation and customer notifications.
Attackers accessed the Salesforce instance Cloudflare uses to manage customer support cases, obtaining API tokens and support ticket contents. Cloudflare learned of the intrusion on August 23 and started notifying affected customers by September 2. No malicious use of the stolen tokens has been detected, but Cloudflare rotated all of them as a precaution.
According to the company, the stolen data includes customer contact details, support case contents and, in some cases, configuration data or credentials that customers pasted into tickets. Cloudflare advises every customer to treat any password, token or access key ever shared through its support system as compromised and to rotate it.
The breach occurred between August 12 and 17, following an initial reconnaissance phase on August 9. Threat actors extracted text-based data from Salesforce case objects, including subject lines, ticket contents, and customer information such as company names, email addresses, and domain details. No file attachments were taken during the incident.
Cloudflare believes this was not an isolated event but part of a broader campaign to harvest credentials and customer information for future targeted attacks. The company warned that with hundreds of organizations affected by the Drift compromise, threat actors are likely to use the stolen data in subsequent phishing or extortion attempts.
This incident is part of a larger wave of Salesforce-related breaches this year. The ShinyHunters extortion group has been targeting Salesforce customers with voice phishing, tricking employees into authorizing a malicious OAuth application on the company's Salesforce tenant. Once the app is connected, the attackers use it to export the database and then extort the victim.
Since June, multiple high-profile breaches have been tied to these social engineering tactics, impacting companies like Google, Cisco, Adidas, and several LVMH subsidiaries. While some researchers suspect the Salesloft Drift attacks involve the same threat actors, Google has not found definitive evidence linking the campaigns.
Palo Alto Networks also confirmed over the weekend that it experienced a similar breach, with attackers stealing customer support data including contact information and text comments. The company emphasized that the incident was confined to its Salesforce CRM and did not affect its products or services.
During the intrusion, Palo Alto Networks observed the attackers searching the stolen case data for secrets such as AWS access keys, VPN credentials and Snowflake tokens, and for keywords such as "password" or "secret." This behavior indicates the attackers intended to use the CRM data to compromise victims' other cloud platforms and extend the data theft.
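The keyword search described above is exactly the check a defender should run first over its own copy of the exported case text, so that the tickets containing credentials are known before the attackers act on them. The scanner below is an added example, not code from Cloudflare, Palo Alto Networks or the article's source. The AWS access-key-ID format (AKIA/ASIA plus 16 characters) and the PEM private-key header are public; the keyword-assignment rule, the Salesforce field names it reads, and the sample cases are assumptions constructed for the example.

```python
"""Scan exported Salesforce support-case text for credentials that need rotating.

Added example (not Cloudflare's, Palo Alto Networks' or the article's code).
It mirrors the attackers' approach, keyword and pattern search over case text,
so a defender can find the same material first. Sample cases are constructed.
"""
import re
from typing import Dict, Iterable, List

# Text fields on the Salesforce Case object (assumed names; the article says
# subjects, ticket contents and comments were the stolen text).
CASE_TEXT_FIELDS = ("Subject", "Description", "Comments")

# Detection patterns. The AWS access-key-ID format and the PEM header are
# public; the keyword rule is a heuristic assumption: a credential word
# followed by ':' or '=' and a value of at least six non-space characters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_ -]?key|access[_ -]?key)\b"
        r"\s*[:=]\s*([^\s'\"]{6,})"
    ),
}


def redact(value: str) -> str:
    """Keep only the first four characters so findings can be shared safely."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_case(case: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per secret-like match in the case's text fields."""
    findings = []
    for field in CASE_TEXT_FIELDS:
        text = case.get(field) or ""
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                # The keyword rule captures the value; the others match it whole.
                value = match.group(1) if match.groups() else match.group(0)
                findings.append({
                    "case_id": case["Id"],
                    "field": field,
                    "kind": kind,
                    "value": redact(value),
                })
    return findings


def scan_cases(cases: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan a whole export and flatten the findings."""
    return [f for case in cases for f in scan_case(case)]


def cases_needing_rotation(cases: Iterable[Dict[str, str]]) -> List[str]:
    """Case IDs with at least one finding: the tickets to triage first."""
    return sorted({f["case_id"] for f in scan_cases(cases)})


# Constructed sample export (not real tickets; AKIAIOSFODNN7EXAMPLE is AWS's
# documented placeholder key ID, and the other values are made up).
SAMPLE_CASES = [
    {"Id": "500A1", "Subject": "Tunnel not connecting",
     "Description": "Here is the config. aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
     "Comments": ""},
    {"Id": "500A2", "Subject": "Password reset",  # keyword without a value: no finding
     "Description": "I forgot my password, please help.",
     "Comments": "Resolved by resetting via the dashboard."},
    {"Id": "500A3", "Subject": "Origin cert",
     "Description": "-----BEGIN PRIVATE KEY-----\nMIIEvQ...\n-----END PRIVATE KEY-----",
     "Comments": "Snowflake token: sf_example_token_123"},
]

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
    print("rotate secrets from cases:", cases_needing_rotation(SAMPLE_CASES))
```

The output only ever carries redacted values, so the scan report can be handed to the teams that own the affected systems without itself becoming a second copy of the secrets. Expect false negatives: a key pasted without a recognizable prefix or keyword will be missed, which is why Cloudflare's advice to rotate everything ever shared through support still stands.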
(Source: Bleeping Computer)