In separate disclosures, Cloudflare Inc. and Proofpoint Inc. on Tuesday said they were impacted by the August supply chain attacks linked to Salesloft Drift.
The disclosures are the latest in a wave of attacks in which a threat actor used compromised credentials linked to the Salesloft Drift AI chatbot to gain access to the Salesforce instances at hundreds of companies.
Cloudflare said it was notified last week of the incident, in which an outside attacker gained access to the text fields of support cases in its Salesforce instances, according to a blog post released Tuesday.
Despite being part of a much larger supply chain attack, the company took full responsibility for the breach and issued an apology.
“We are responsible for the tools we use in support of our business,” company executives said in the blog post. “For that, we sincerely apologize.”
The incidents follow disclosures by Palo Alto Networks and Zscaler of their customer Salesforce environments being impacted by the supply chain attack.
After first conducting reconnaissance activities on Aug. 9, the attacker stole data from the company’s Salesforce tenant between Aug. 13 and Aug. 17, according to the blog post. Cloudflare said the “exposure was limited to Salesforce case objects,” which include contact information related to a support case, subject lines and the actual case correspondence.
The company said that after searching the compromised data for tokens and passwords, it found 104 Cloudflare API tokens. There is no suspicious activity linked to the tokens, but Cloudflare rotated all of them as a precaution.
It also notified customers if their data had been compromised. The company said no Cloudflare services or infrastructure have been compromised due to the breach.
Cloudflare said it does not ask customers to share confidential information, such as secrets, credentials or API keys, during these support interactions; however, in some troubleshooting cases confidential information may be passed along.
Cloudflare disabled the Drift integration to remove the threat actor’s access and launched a forensic analysis, according to the blog post. The company has also disconnected third-party integrations with Salesforce and rotated credentials for all of its third-party Internet services and accounts.
Proofpoint said hackers gained access to its Salesforce tenant and were able to view information stored on its instance, according to a blog post. The company said it will contact customers if it finds out any sensitive data was misused or accessed.
Proofpoint said it also deactivated the Drift application and removed it from its Salesforce environment.
Proofpoint said there is no evidence the attacks impacted its software, services, internal network or customer-protected data.
Meanwhile, Okta said it was able to block attempts to access its Salesforce environment using stolen tokens. The company claims it was able to thwart the attack due to enforcement of inbound IP restrictions, according to a blog post released Tuesday.