Renowned network services provider Cloudflare has also emerged as a victim in the recent Salesforce CRM attack, which stemmed from a supply chain compromise. Hackers exfiltrated OAuth tokens from the Salesloft Drift AI chatbot and leveraged them to gain access to Salesforce accounts.
Salesloft, a U.S.-based intelligent sales solutions provider, was at the heart of the Salesforce CRM database exposure recently disclosed by Google. The company’s security shortcomings led to credential leaks affecting organizations that relied on its services.
It is important to note that Salesforce CRM itself was not directly compromised. Instead, the breaches arose either from employees of affected clients falling victim to phishing attacks, or—more prominently—from supply chain intrusions involving third-party services like Salesloft, as seen in the cases of Google and Cloudflare.
Cloudflare confirmed that its data exposure impacted customer support submissions filed between August 12 and August 17, 2025. Any content shared within those tickets—including descriptions, attached logs, passwords, tokens, or other sensitive credentials—may have been accessed by attackers.
Out of caution, Cloudflare has begun notifying affected customers, urging immediate password resets and token rotations. While no suspicious activity has been observed to date, the company confirmed that stolen tokens were discovered, which prompted it to rotate 104 Cloudflare API tokens.
In a detailed blog post, Cloudflare explained how these third-party integrations are used. Salesforce CRM serves as the backbone for tracking customers and managing support workflows, while Salesloft Drift is integrated to provide a real-time communication platform for website visitors.
Though Salesforce and Salesloft are distinct companies, both provide critical sales and customer support functionalities, with APIs enabling direct interconnection. Because Salesloft suffered the security lapse, the consequences cascaded into a broader supply chain impact.
Cloudflare has strongly recommended that all users disconnect Salesloft from their Salesforce environments, uninstall any related applications or browser extensions, and—most critically—replace third-party application credentials tied to Salesforce CRM instances to prevent continued unauthorized access.
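For customers deciding which credentials to rotate first, the sketch below triages their own copy of support tickets filed in the August 12 to 17, 2025 window and flags those whose text looks like it carries a password or token. It is an added example, not code from Cloudflare or Salesforce; the ticket fields (`id`, `filed`, `body`), the detector patterns and the entropy threshold are assumptions, and the sample tickets are constructed.

```python
import math
import re
from datetime import date

# Exposure window the article gives for affected support submissions.
WINDOW_START, WINDOW_END = date(2025, 8, 12), date(2025, 8, 17)
# Heuristic detectors (assumptions for this example, not a vendor-published list).
PATTERNS = {
    "labelled_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}"),
}
OPAQUE = re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{32,}(?![A-Za-z0-9_-])")

def entropy(s):
    """Shannon entropy in bits per character; random tokens score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def classify(text):
    """Return the set of detector names that fire on one ticket body."""
    kinds = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if any(entropy(m) >= 4.0 for m in OPAQUE.findall(text)):
        kinds.add("high_entropy_string")
    return kinds

def triage(tickets):
    """Map ticket id -> detector names, for tickets filed inside the window."""
    findings = {}
    for t in tickets:
        if WINDOW_START <= t["filed"] <= WINDOW_END:
            kinds = classify(t["body"])
            if kinds:
                findings[t["id"]] = sorted(kinds)
    return findings

# Constructed sample export; ids, dates and bodies are made up for illustration.
SAMPLE = [
    {"id": "T1", "filed": date(2025, 8, 13),
     "body": "curl -H 'Authorization: Bearer EXAMPLE0123456789abcdefXYZ' fails"},
    {"id": "T2", "filed": date(2025, 8, 15), "body": "Dashboard is slow since Tuesday."},
    {"id": "T3", "filed": date(2025, 8, 20), "body": "password: hunter2"},
    {"id": "T4", "filed": date(2025, 8, 17), "body": "Login is password=Sup3rS3cret! pls reset"},
    {"id": "T5", "filed": date(2025, 8, 12),
     "body": "log: key q7Zp2LmX9vB4tKc8Rj1Wd6Hs3Yn5Fg0AeUoIxT_- rejected"},
]

if __name__ == "__main__":
    for ticket_id, kinds in triage(SAMPLE).items():
        print(ticket_id, kinds)  # report ids and kinds only, never the matched value
```

A flagged ticket is a prompt to rotate whatever credential it contained; an unflagged ticket in the window still deserves a manual read, since attached logs can hold secrets these patterns miss.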