Cloudflare joins growing list of companies hit by Salesloft AI breach


Earlier today, we reported on Palo Alto Networks getting caught in a supply chain attack where hackers used stolen OAuth tokens from the Salesloft Drift AI chatbot to get into connected Salesforce accounts.

Now, Cloudflare has put out an announcement saying it was hit by the exact same attack vector between August 12 and August 17 and that you should treat any information you have shared with its support teams as compromised. This means any logs, tokens, or passwords shared in support tickets are potentially in the hands of the attackers.

According to Cloudflare, none of its services or infrastructure was affected, and it has reached out directly to all impacted customers. Just as with Palo Alto Networks, Cloudflare claims the breach was limited to its Salesforce environment, exposing "basic support case data" and "customer contact information."

However, there could be instances where support interactions contain sensitive configuration details like access tokens, hence the advice to immediately rotate any credentials shared through that channel. Cloudflare also says it found "no suspicious activity" after a search of the compromised data for tokens or passwords, but it did discover and rotate 104 Cloudflare API tokens out of an abundance of caution.

In its blog post, Cloudflare explained its relationship with Salesforce, which it uses to keep track of its customers and manage support interactions. The company utilized the Salesloft Drift integration, which Salesforce offers as a way for website visitors to make contact.

The attackers exploited this connection to get into Salesforce "cases" that allow Cloudflare employees to communicate with customers. The hackers were able to access the subject line of the case, the body of the correspondence, and customer contact information like company name, email address, and phone number. Only text data was exfiltrated; file attachments were not accessed.

Cloudflare advises users to disconnect all Salesloft connections from their Salesforce environment and uninstall any related software or browser extensions. The company also recommends rotating the credentials for all third-party applications connected to your Salesforce instance and implementing a regular rotation schedule for API keys.

It is a good idea to review past support case data to identify what sensitive information may have been exposed. If you're a Cloudflare customer, you can do so by checking your support case history in the dashboard under Support > Technical Support > My Activities, where you can also download your cases for a comprehensive review.
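One way to triage downloaded cases for credentials that need rotating, as an added example that is not code from Cloudflare or from this article. It assumes each case's subject and body are available as plain text; the rules are common credential shapes rather than Cloudflare's own search, and the sample cases are constructed.

```python
import re

# Common credential shapes. The generic rules are heuristics: expect false
# positives, and treat every hit as "rotate first, then investigate".
PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)", re.I),
    "secret_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b"
        r"\s*[:=]\s*[\"']?([^\s\"',;]{6,})", re.I),
}

# Constructed sample cases (not real data): case id -> subject and body text.
SAMPLE_CASES = {
    "CASE-0001": "Subject: 403 from API\n"
                 "We send Authorization: Bearer EXAMPLEtokenEXAMPLEtokenEXAMPLE1234\n"
                 "Thanks",
    "CASE-0002": "Subject: billing question\nCan you resend the July invoice?",
    "CASE-0003": "Subject: origin config\n"
                 "api_key = EXAMPLE-not-a-real-key\n"
                 "key id AKIAEXAMPLEEXAMPLE12",
}

def redact(value, keep=4):
    """Keep a short prefix so the owner can recognise the secret; mask the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_case(case_id, text):
    """Return (case_id, line_number, rule, redacted_match) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Use the captured secret when the rule has a group, else the whole match.
                secret = m.group(m.lastindex or 0)
                findings.append((case_id, lineno, rule, redact(secret)))
    return findings

def scan_all(cases):
    """Map each case id that has at least one hit to its findings."""
    return {cid: hits for cid, text in cases.items() if (hits := scan_case(cid, text))}

if __name__ == "__main__":
    for cid, hits in scan_all(SAMPLE_CASES).items():
        for _, lineno, rule, shown in hits:
            print(f"{cid} line {lineno}: {rule} -> {shown}")
```

The report carries only a redacted prefix of each match, so the triage output does not become another copy of the exposed secrets.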
