Cloudflare Confirms Data Breach – Customer Data Exposed via Salesforce Attack

September 04, 2025

GBHackers reports:

Cloudflare has disclosed a significant data breach affecting customer information following a sophisticated supply chain attack targeting its Salesforce integration with Salesloft Drift.

The incident, which occurred between August 12-17, 2025, resulted in the exposure of customer support case data and potentially sensitive credentials shared through support channels.

The cybersecurity company became aware of suspicious activity within its Salesforce tenant last week after being notified by Salesforce and Salesloft about a broader security incident.

The attack was orchestrated by an advanced threat actor designated as GRUB1, who exploited compromised OAuth credentials from the Salesloft Drift chatbot integration to access Cloudflare’s customer support system.

The compromised data includes customer contact information, support case subject lines, and the full body of customer correspondence with Cloudflare support.

Read more at GBHackers.

What Cloudflare calls “GRUB1” is what Google Threat Intelligence Group is tracking as UNC6395, a threat actor or group that overlaps with ShinyHunters.