Cloudflare joins list of Salesforce attack victims, provides detailed timeline

Cloudflare announces it has officially joined the list of hundreds of companies impacted by a continuing rash of attacks on Salesforce instances carried out through a compromised third-party integration, following in the footsteps of Palo Alto Networks, which made a similar admission on Tuesday.
- Cloudflare confirms its Salesforce instance was breached via compromised Salesloft Drift tokens, exposing customer data between August 12th–17th.
- The company published a detailed timeline, IOCs, and remediation steps, earning praise for its transparency and response.
- The attack is part of a broader Salesforce supply chain campaign tied to the “Scattered LapSus$ Hunters,” impacting 700+ companies worldwide.
The San Francisco-based cloud networking company published a post-mortem detailing the parameters of the incident, complete with a detailed list of the attacker’s Indicators of Compromise (IOCs), a play-by-play timeline of the breach, and remediation measures enacted by the threat response team.
Cloudflare says, as of Tuesday, "all impacted customers have been formally notified via email and banner notices in our Dashboard with information about the incident and recommended next steps."
Cory Michal, SaaS security expert and CSO at AppOmni, applauds the clarity put forth by the corporate world's favored network and security provider. “Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting,” Michal says.
“Their blog not only provides clear technical detail but also openly accepts responsibility for the risks posed by third-party integrations,” he explains.
A recent security issue announced by Salesloft has impacted many companies, including Cloudflare. This post provides a timeline of the attack, details our response, and offers security recommendations to help other organizations mitigate the effects of this attack.…
Cloudflare (@Cloudflare), September 2, 2025
Ironically, Cloudflare was not the only major networking company to admit on Tuesday that it had succumbed to the suspected trio of threat actors (more on that below); cybersecurity giant and fellow Silicon Valley heavyweight Palo Alto Networks did the same.
On Monday, cybersecurity firm Zscaler, a direct rival of Palo Alto, also revealed it had fallen victim to the Salesforce supply chain attacks, pushing Google’s latest victim count to well above 700.
Cloudflare’s Salesforce instance, like Palo Alto’s, was targeted via compromised access tokens from Salesloft Drift, an AI-powered marketing platform that works in tandem with the Salesforce Customer Relationship Management (CRM) platform.
Google’s Threat Intelligence Group (GTIG) first issued an advisory about the widespread data theft campaign, which specifically utilizes compromised OAuth tokens for the "Drift Email" integration, on August 26th (since updated).
Cloudflare’s security teams say “the threat actor compromised and exfiltrated data from our Salesforce tenant between August 12-17, 2025, following initial reconnaissance observed on August 9, 2025."
The company goes on to identify most of the compromised information as “customer contact information and basic support case data,” while acknowledging that some customer support interactions “may reveal data about their customer configurations and could contain sensitive information like access tokens.”
The blog further alerts its customers that “any information shared with Cloudflare in our support system – including logs, tokens, or passwords – should be considered compromised.”
It urges those customers to rotate any credentials possibly shared with Cloudflare in this way, as well as to practice heightened vigilance in securing SaaS applications and other third-party integrations.
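The rotation advice above implies a triage step: before you can rotate what was shared with support, you have to find it. The script below is an added example written for this article, not Cloudflare's or Salesloft's code. It scans an exported support-case transcript for credential-like strings (labelled passwords and tokens, bearer headers, JWT-shaped values, and unlabelled high-entropy runs) and reports them with the values redacted, so the report does not become yet another copy of the secret. The sample text, the `cfx_` token prefix, the regex rules and the entropy threshold are all constructed assumptions, not real formats or tuned values.

```python
"""Triage helper: list credential-like strings in exported support-case text.

Added example, not code from Cloudflare or Salesloft. It turns the advice
"anything shared with support should be considered compromised" into a
scan whose output tells a team which credentials need rotating.
"""
import math
import re
from collections import Counter

# Constructed sample of the kind of text that lands in support tickets:
# logs, headers and config snippets with secrets pasted in. Every value is
# made up; "cfx_" is a placeholder prefix, not a real token format.
SAMPLE_CASE_TEXT = """\
Hi support, the tunnel keeps dropping. Config below.
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjYXNlLTEyMyJ9.Q2h5RkVpVHdHQmpzSXZkbUhYR2ZwZ1RKRGZ1ZU1Kdw
api_token = cfx_9Kq2mVtR8pLx3ZsWyH7nB4dJ0eFgC1aU
db_password=hunter2
pasted from .env: 3fQ9zLm2Wx8bVc7HnK4pRt6yUe1sAo5dGj0iB
2025-08-12T10:01:02Z GET /api/v4/zones 200
"""

# Named rules; each regex exposes the sensitive value as the 'secret' group.
RULES = [
    ("bearer_header", re.compile(r"Authorization:\s*Bearer\s+(?P<secret>\S+)", re.I)),
    ("jwt", re.compile(r"(?P<secret>eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,})")),
    ("labelled_secret", re.compile(
        r"(?P<key>password|passwd|secret|api[_-]?key|api[_-]?token|token)"
        r"\s*[:=]\s*[\"']?(?P<secret>[^\s\"']+)", re.I)),
]
# Fallback for unlabelled keys: a long base64/hex-ish run with high entropy.
# Expect some false positives (long hashes in logs); that is acceptable for triage.
GENERIC = re.compile(r"(?P<secret>[A-Za-z0-9_\-+/=]{32,})")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off, not a tuned one


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix for identification; never echo the full value."""
    return f"{value[:4]}...[{len(value)} chars]"


def find_secret_candidates(text: str) -> list[dict]:
    """Return one finding per distinct credential-like value, with line number,
    the rule that matched, and a redacted rendering of the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        for name, rule in RULES:
            for m in rule.finditer(line):
                s = m.group("secret")
                if s in seen:  # e.g. bearer_header and jwt hit the same value
                    continue
                seen.add(s)
                findings.append({"line": lineno, "rule": name, "redacted": redact(s)})
        for m in GENERIC.finditer(line):
            s = m.group("secret")
            # Skip fragments of something a named rule already reported.
            if any(s in prev or prev in s for prev in seen):
                continue
            if shannon_entropy(s) >= ENTROPY_THRESHOLD:
                seen.add(s)
                findings.append({"line": lineno, "rule": "high_entropy", "redacted": redact(s)})
    return findings


if __name__ == "__main__":
    for f in find_secret_candidates(SAMPLE_CASE_TEXT):
        print(f"line {f['line']:>3}  {f['rule']:<16} {f['redacted']}")
```

Run against a real export, the output is a rotation checklist: each line points at a ticket line and a rule, and the redacted prefix is enough to recognise which token or password it was without reproducing it. The entropy fallback exists because the dangerous case is the key nobody labelled; lower the threshold if the scan misses values you know were pasted, and expect hex digests in log lines to show up as noise.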
Cloudflare threat intel also warns customers to be prepared, as they believe the attack was not an isolated event and expects “the threat actor intended to harvest credentials and customer information for future attacks.”
Michal says by committing to strengthen their SaaS environments and toolchain security going forward, “Cloudflare demonstrates both maturity and leadership in incident response, setting a high bar for how organizations should communicate, remediate, and reinforce trust in the aftermath of supply-chain compromises.”
The group(s) behind the Salesforce attacks
In June, Google’s threat intelligence arm, Mandiant, identified Shiny Hunters (UNC6240) as the hacking group behind the campaign, which industry researchers believe has either merged or is working in tandem with M&S hackers, the Scattered Spider ransomware group.
Add in yet a third threat actor known as LapSus$, and it’s now believed the three cybercriminal groups are not only working together, but have reportedly rebranded themselves as the “Scattered LapSus$ Hunters” gang.
A report from Newsweek on Monday even identified a new Telegram channel for the gang, which has since appeared and reappeared several times, leading Cybernews researchers to call out a possible “PR stunt” from the newly branded group, which likes to taunt its victims (and law enforcement) with provocative posts.
For example, this gem was posted over the weekend and also pinned to the top of their Telegram channel:
Dear Sundar Pichai, IF YOU DO NOT FIRE AUSTIN LARSEN, CHARLES CARMAKAL, AND HAVE GTIG MANDIANT ABANDON THEIR INVESTIGATION ON US, THE FOLLOWING: UNC3944, UNC5537, UNC6040, UNC6240, UNC6395, WE WILL LEAK GOOGLE DB.
The hackers have also claimed breaches at US insurance giant Allianz Life, the popular Workday CRM platform, and the ChangeNow crypto exchange.
Last Thursday, the TransUnion credit bureau informed 4.4 million customers their personal details may have been exposed due to a Salesforce-related attack.
Other major Salesforce victims in recent months have included Farmers Insurance, Air France, KLM, Coca-Cola, Cisco, Australia’s Qantas airline, Adidas, and Louis Vuitton luxury goods maker LVMH.