Cloudflare has confirmed it was impacted by the Salesloft Drift AI chatbot breach, joining Palo Alto Networks and Zscaler as victims. The attack, which exploited stolen OAuth tokens, allowed unauthorised access to Salesforce tenants. Cloudflare's investigation revealed that hackers, identified as GRUB1, exfiltrated text data from support cases between August 12 and August 17.
While Cloudflare asserts that its core services and infrastructure remained secure, the breach exposed customer contact information and potentially sensitive configuration details within support interactions. The company has notified affected customers and rotated 104 API tokens as a precaution, despite finding no evidence of suspicious activity. Cloudflare is advising users to rotate credentials for third-party applications connected to Salesforce and to rotate API keys regularly.
Salesloft is taking its Drift AI chat agent offline as investigations into the widespread attacks continue. The root cause of the initial access to Salesloft Drift remains unconfirmed. Cloudflare has apologised to its customers for the incident.