Cloudflare Confirms Salesforce Compromise Amid Escalating Supply Chain Attacks

Sep 19, 2025UncategorizedComments (0)

Cloudflare has confirmed it was the victim of a significant cyberattack over the Thanksgiving holiday. The attackers, believed to be a state-sponsored group, managed to access Cloudflare's internal Atlassian server, which included a Confluence wiki, a Jira bug database, and the Bitbucket source code management system. This breach highlights the growing threat of supply chain attacks, where attackers target a company's partners or software providers to gain access to their primary target.

This incident is particularly alarming because it involves several major players in the tech industry and demonstrates a sophisticated, multi-stage attack method. Understanding the details of this breach is crucial for any organization looking to strengthen its security posture. This post will review the Cloudflare cyberattack, explain the methods used by the attackers, and discuss the broader implications for cybersecurity and supply chain vulnerabilities.

How the Attack Happened?

The breach began with a sophisticated phishing attack that led to the compromise of Okta, a widely used identity and access management provider. On October 27, 2023, Okta disclosed that attackers had used a stolen credential to access its support case management system. This initial breach was the first domino to fall.

The attackers then used the access gained from the Okta system to pivot and target Cloudflare. They were searching for sensitive information within Okta's customer support tickets, specifically looking for access tokens and keys that could be used to breach other systems. By leveraging this information, the attackers were able to move laterally and compromise Cloudflare’s systems.

A Thanksgiving Breach

Cloudflare detected the malicious activity on November 23, Thanksgiving Day, and immediately launched an investigation. The cyberattack had used an access token and three service account credentials, which were stolen during the Okta incident, to gain access to Cloudflare's Atlassian server. This gave them access to a trove of internal documentation and source code.

Cloudflare's security team, C- SIRT, quickly took action. They cut off the attacker's access on November 24 and began a thorough review to understand the scope of the breach. The investigation, code-named "Code Red," involved rotating over 5,000 production credentials, segmenting test and staging systems, and conducting forensic analyses on thousands of systems. The team confirmed that the attackers had been active on their systems between November 14 and November 24.

The Role of Salesforce and Other Partners

The investigation revealed that the attackers had also attempted to compromise a Cloudflare server that used Salesforce's Sales Cloud for customer relationship management. Fortunately, Cloudflare’s use of multi-factor authentication (MFA) on all production systems prevented the attackers from accessing customer data. This detail underscores the critical importance of MFA as a defense against credential theft.

This cyberattack is a classic example of a supply chain attack. The attackers did not breach Cloudflare directly at first. Instead, they targeted its software and service providers—Okta, Atlassian, and attempted to leverage Salesforce—to find a weak link. This method is becoming increasingly common and poses a significant threat to organizations of all sizes. The interconnectedness of modern business software means that a vulnerability in one system can create a cascade of security failures across an entire ecosystem.

Reviewing the Damage and Response

According to Cloudflare, the attackers accessed the Confluence wiki, Jira database, and Bitbucket source code management system. They were specifically looking for data related to the architecture, security, and management of Cloudflare’s global network. Although the attackers viewed some source code, Cloudflare’s robust operational controls prevented them from making any changes. Crucially, no customer data or sensitive information was exfiltrated from these systems.

The company's response was swift and comprehensive. Their "Code Red" project aimed to ensure that no stone was left unturned. The security team worked through the holidays to remediate the incident, harden their security posture, and ensure the attackers were completely locked out. This included rotating thousands of credentials and performing deep forensic analysis on all potentially affected systems.

Cloudflare's transparency throughout this process has been notable. By publicly detailing the attack vectors and their response, they have provided valuable insights for the entire security community.

Broader Implications for Ransomware and Cyberattacks

This incident serves as a stark reminder of the evolving threat landscape. State-sponsored threat actors are highly sophisticated, patient, and well-resourced. They are capable of executing complex, multi-stage attacks that exploit vulnerabilities across the entire supply chain.

Key takeaways for organizations include:

  • The Criticality of MFA: Multi-factor authentication is no longer optional. It is a fundamental security control that can prevent attackers from using stolen credentials to access sensitive systems. Cloudflare's experience shows that MFA was the last line of defense that protected their customer data.

  • Supply Chain Vulnerabilities: Your organization's security is only as strong as your weakest partner. It is essential to conduct thorough security reviews of all third-party vendors and software providers. Understand what data they have access to and what their security protocols are.

  • Assume Breach Mentality: Every organization should operate under the assumption that a breach is not a matter of if, but when. This mindset encourages proactive security measures, continuous monitoring, and the development of a robust incident response plan.

  • The Importance of Incident Response: Having a well-rehearsed incident response plan is critical. Cloudflare's ability to quickly detect, contain, and remediate the attack minimized the potential damage.

For those conducting a ransomware review or assessing their own security, this event provides a powerful case study. It shows how a seemingly minor security lapse at a third-party provider can escalate into a major incident for a primary target.

Protecting Your Organization

The Cloudflare cyberattack is a wake-up call. It demonstrates that even the most security-conscious companies are vulnerable. Attackers are constantly innovating, and our defenses must evolve to keep pace.

Based on the lessons from this breach, here are actionable steps your organization can take:

  1. Implement Universal MFA: Enforce MFA across all systems, without exception. This is one of the most effective measures to prevent unauthorized access.

  2. Vet Your Vendors: Develop a comprehensive vendor risk management program. Regularly assess the security posture of your partners and ensure they meet your security standards.

  3. Enhance Monitoring and Detection: Invest in advanced threat detection and response capabilities. Continuous monitoring of your network and systems is essential to quickly identify and respond to malicious activity.

  4. Practice Your Incident Response Plan: Regularly test and update your incident response plan. Ensure that everyone on your team knows their roles and responsibilities in the event of a breach.

By learning from incidents like the Cloudflare attack, we can collectively strengthen our defenses and build a more resilient digital ecosystem.