SEV-1 · public access

Salesforce support-case data exfiltrated via compromised Salesloft Drift OAuth token

Organization: Cloudflare (source: Cloudflare's public incident write-up)

Started: Aug 9, 2025
Duration: 14d 9m
Users affected: Not disclosed
Revenue impact: Not disclosed
Blast radius: Cloudflare's Salesforce tenant; case-object data including customer contact info and support correspondence (no Cloudflare infrastructure or services)
Services: salesforce, salesloft-drift
Tags: auth, credential rotation, data exposure, supply chain, third-party saas


Summary

An advanced threat actor Cloudflare tracks as GRUB1 (overlapping with Google's UNC6395) abused the Salesloft Drift integration with Salesforce: OAuth tokens stolen from Salesloft upstream let the actor authenticate to Cloudflare's Salesforce tenant as the Drift integration. The actor performed reconnaissance starting August 9, accessed the tenant on August 12, and on August 17 used Salesforce's Bulk API 2.0 to exfiltrate the text of customer support cases in roughly three minutes, then deleted the Bulk API job to hide evidence. The breach was one tenant in a broader supply-chain campaign affecting hundreds of Salesloft customers. Cloudflare disabled Drift, rotated the 104 Cloudflare API tokens that customers had pasted into support cases, and notified affected customers.

Impact

Customer contact information, case subject lines, and the body of support correspondence stored in Salesforce case objects were exfiltrated. Some support cases contained sensitive information customers had pasted in for troubleshooting, including 104 valid Cloudflare API tokens that were subsequently rotated. No Cloudflare infrastructure, services, or authentication systems were compromised, and no attachments or files within Salesforce were accessed.

Root cause

Salesloft's Drift integration with Salesforce was compromised upstream, leaking OAuth tokens that GRUB1 used to authenticate as the Drift integration to Cloudflare's Salesforce tenant.

Customer support workflows did not enforce automatic secret detection on inbound case text, so customers could (and did) paste API tokens and credentials into support cases.

Vendor notification timing left a containment gap: Salesloft revoked Drift-to-Salesforce connections on August 20, but Cloudflare had not been notified at that point and learned of the compromise only days later, so the exfiltrated tokens stayed valid for longer than necessary.

Cloudflare's third-party SaaS integrations had broader access to Salesforce data than was strictly necessary, expanding the blast radius of any single integration compromise.

Resolution

Cloudflare disabled the Drift user account, revoked its client ID and secrets, and purged Salesloft software and browser extensions from internal systems. The team rotated credentials across all third-party Salesforce integrations, scanned exfiltrated case data for secrets, rotated 104 affected Cloudflare API tokens, and notified customers whose data was exposed.

Lessons

  • OAuth-mediated SaaS integrations are a single-credential supply chain; one compromised vendor token gives access equivalent to the integration's permissions across every customer.
  • Customer support is a high-value secondary target because customers paste secrets, configurations, and credentials into cases for debugging.
  • Vendor disclosure timelines create a containment gap; defenders should not rely on vendor notification as the primary trigger for response.
  • Bulk API operations and unusual user agents are strong signals when correlated with OAuth integration identity and should be alerted on by default.
  • Even thoroughly detected and contained incidents need transparent disclosure, because the same campaign is likely affecting hundreds of organizations simultaneously.
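The correlation described in the Bulk API lesson above, worked through as an added example that is not part of the original post-mortem and not Cloudflare's or Salesforce's tooling. The event rows are a simplified, constructed stand-in for Salesforce Event Monitoring data; the field names, integration username, user agents and job ID are assumptions. Three rules run over the events: an OAuth-integration identity presenting a user agent it never normally uses, that identity bulk-reading a sensitive object, and a bulk job being deleted after such a read (the clean-up step the summary describes).

```python
"""Detection logic over constructed Salesforce-style API events.

Added example, not Cloudflare's or Salesforce's code. The row schema is a
simplified, constructed stand-in for Salesforce Event Monitoring rows; field
names, usernames, user agents and job IDs below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    ts: str
    user: str            # Salesforce username the call authenticated as
    event_type: str      # "BulkApi2" or "RestApi" in this toy schema
    operation: str       # "query", "queryAll", "delete_job", "describe", ...
    entity: str          # sObject targeted, "" if the call is not object-scoped
    user_agent: str
    job_id: str = ""     # Bulk API job the call belongs to, if any
    records: int = 0     # records returned or processed by the call


# OAuth-integration identities and the user agent each is expected to present
# (assumed values; in practice derived from a baseline of the integration's traffic).
INTEGRATION_USERS = {
    "drift-integration@example.invalid": "Drift-Salesforce-Connector",
}
SENSITIVE_OBJECTS = {"Case", "CaseComment", "EmailMessage", "Contact", "Account"}
BULK_READ_OPS = {"query", "queryAll"}


def evaluate(events):
    """Return (severity, rule, user, detail) tuples for integration identities."""
    alerts = []
    seen_jobs = {}      # job_id -> (entity, records) for bulk reads already flagged
    ua_alerted = set()  # (user, user_agent) pairs already reported, to limit noise
    for e in events:
        if e.user not in INTEGRATION_USERS:
            continue  # human users need different baselines; out of scope here
        expected_ua = INTEGRATION_USERS[e.user]
        if e.user_agent != expected_ua and (e.user, e.user_agent) not in ua_alerted:
            ua_alerted.add((e.user, e.user_agent))
            alerts.append(("medium", "integration_ua_mismatch", e.user,
                           f"{e.ts} ua={e.user_agent!r} expected={expected_ua!r}"))
        if (e.event_type == "BulkApi2" and e.operation in BULK_READ_OPS
                and e.entity in SENSITIVE_OBJECTS):
            seen_jobs[e.job_id] = (e.entity, e.records)
            alerts.append(("high", "integration_bulk_read_sensitive", e.user,
                           f"{e.ts} job={e.job_id} entity={e.entity} records={e.records}"))
        if (e.event_type == "BulkApi2" and e.operation == "delete_job"
                and e.job_id in seen_jobs):
            entity, records = seen_jobs[e.job_id]
            alerts.append(("high", "bulk_job_deleted_after_read", e.user,
                           f"{e.ts} job={e.job_id} entity={entity} records={records}"))
    return alerts


# Constructed sample: routine Drift traffic, then a bulk Case export with an
# off-profile user agent, then the job being deleted, then an unrelated human user.
SAMPLE_EVENTS = [
    ApiEvent("2025-08-17T12:00:01Z", "drift-integration@example.invalid", "RestApi",
             "query", "Lead", "Drift-Salesforce-Connector", records=3),
    ApiEvent("2025-08-17T12:01:10Z", "drift-integration@example.invalid", "BulkApi2",
             "query", "Case", "python-requests/2.32", job_id="750XX0000000001",
             records=100000),
    ApiEvent("2025-08-17T12:04:22Z", "drift-integration@example.invalid", "BulkApi2",
             "delete_job", "", "python-requests/2.32", job_id="750XX0000000001"),
    ApiEvent("2025-08-17T12:05:00Z", "sales.rep@example.invalid", "RestApi",
             "query", "Case", "Mozilla/5.0", records=1),
]

if __name__ == "__main__":
    for sev, rule, user, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {rule}: {user} {detail}")
```

The job-deletion rule is the one worth keeping state for: a bulk read of a sensitive object by an integration is already worth a page, but a read followed by deletion of the job is the anti-forensic pattern the summary describes and should never be reduced to a daily digest.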

Action items

  • Disable and re-onboard all third-party SaaS integrations under stricter access controls and shorter token lifetimes.
  • Implement automated secret scanning on inbound support case text using both regex and entropy-based detection.
  • Enforce IP-restricted and time-bound OAuth tokens to limit blast radius from any single compromise.
  • Rotate every credential that may have appeared in the exfiltrated case dataset, and move secrets shared with the third-party SaaS ecosystem onto a scheduled (weekly) rotation.
  • Publish detailed analysis of GRUB1 tradecraft to support the broader community defending against the same campaign.
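The secret detection named in the root-cause finding on support workflows and in the action item above, as an added example that is not Cloudflare's own tooling. It combines regex for known token shapes with Shannon-entropy scoring for unknown strings, and redacts what it finds before the case text is stored. The patterns are approximations rather than vendor specifications, the thresholds, keyword list and context window are assumptions to tune against real case data, and the sample case text is constructed.

```python
"""Secret detection for inbound support-case text: regex for known token
shapes plus Shannon-entropy scoring for unknown high-entropy strings.

Added example, not Cloudflare's own tooling. Patterns, thresholds, the
keyword list and the sample case text are assumptions built for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


# Known-shape patterns (approximations, not vendor specifications).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
URL_RE = re.compile(r"https?://\S+")
CANDIDATE_RE = re.compile(r"[A-Za-z0-9_+/=-]{20,}")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
KEYWORD_RE = re.compile(r"\b(token|secret|key|password|passwd|credential)s?\b", re.I)
CONTEXT_WINDOW = 40          # preceding chars searched for a keyword (assumed)
ENTROPY_GENERIC = 4.0        # bits/char; random 20+ char alphanumerics exceed this
ENTROPY_NEAR_KEYWORD = 3.5   # relaxed threshold when a keyword precedes the string
ENTROPY_HEX = 3.0            # hex tops out at 4.0 bits/char, so require a keyword too


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str) -> list:
    findings, seen = [], set()
    # Pass 1: known token shapes, run over the raw text so tokens inside URLs are caught.
    for kind, pat in KNOWN_PATTERNS.items():
        for m in pat.finditer(text):
            g = 1 if m.groups() else 0
            value = m.group(g)
            if value not in seen:
                seen.add(value)
                findings.append(Finding(kind, value, m.start(g), m.end(g)))
    # Pass 2: generic high-entropy strings. URLs are blanked first because hosts and
    # paths are high-entropy noise; spaces keep offsets aligned with the original text.
    scrubbed = URL_RE.sub(lambda m: " " * (m.end() - m.start()), text)
    for m in CANDIDATE_RE.finditer(scrubbed):
        value = m.group(0)
        if value in seen or value.isdigit():   # ticket numbers, phone numbers
            continue
        context = scrubbed[max(0, m.start() - CONTEXT_WINDOW):m.start()]
        near_keyword = KEYWORD_RE.search(context) is not None
        h = shannon_entropy(value)
        if HEX_RE.match(value):
            # Bare hex is usually a checksum or ID; only flag it next to a keyword.
            hit = near_keyword and len(value) >= 32 and h >= ENTROPY_HEX
            kind = "hex_secret_near_keyword"
        else:
            hit = h >= ENTROPY_GENERIC or (near_keyword and h >= ENTROPY_NEAR_KEYWORD)
            kind = "high_entropy_string"
        if hit:
            seen.add(value)
            findings.append(Finding(kind, value, m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings) -> str:
    """Replace each finding with a marker, working backwards so offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[REDACTED:{f.kind}]" + out[f.end:]
    return out


# Constructed sample case text; every credential in it is a documentation-style dummy.
SAMPLE_CASE = """Subject: API calls returning 403 since yesterday

Hi, DNS updates via the API stopped working. This is the exact request:
curl -H "Authorization: Bearer ZJ8bR3kQpL9xW2tY7nH4mC6sD1fG5aV0eK3uN8oP" https://api.example.invalid/client/v4/zones
The origin bucket uses access key AKIAIOSFODNN7EXAMPLE if that is relevant.
Our X-Auth-Key header value is 7c4f0a9e2b1d6f3a8e5c2b9d4f1a7e3c0b6d9 as well.
The webhook signing secret is wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
File checksum for reference: 3b9cab9fd3bd8f4e9bd5b3fd3db1b0c5d2a7e6f9a1b2c3d4e5f6a7b8c9d0e1f2
Ticket reference 1234567890123456789012345, thanks.
"""

if __name__ == "__main__":
    found = scan(SAMPLE_CASE)
    for f in found:
        print(f"{f.kind:26} {f.value}")
    print(redact(SAMPLE_CASE, found))
```

Two deliberate trade-offs to keep in mind when tuning: blanking URLs before the entropy pass suppresses false positives from hostnames and paths but means a secret carried only in a query string must be caught by a known-shape pattern, and the hex rule skips long checksums customers legitimately paste unless a keyword such as "key" sits just before them. Redaction should happen before the case text reaches the CRM; if the data is later exfiltrated, as it was here, only the markers leave with it.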