
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business. Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day. It is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.

Cloudflare A.I CyberSecurity Scoring

Cloudflare

Company Details

Linkedin ID: cloudflare
Employees number: 6,146
Number of followers: 1,097,651
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: cloudflare.com
IP Addresses: 0
Company ID: CLO_2342578
Scan Status: In-progress

Cloudflare Risk Score (AI oriented): between 650 and 699

Cloudflare Global Score (TPRM): not shown on this page


Cloudflare Company CyberSecurity News & History

Past incidents: 11
Attack types: 4
Summary of the recorded incidents (full descriptions follow below):

Entity                                              Type           Severity  Impact  Seen     Rankiteo explanation
Cloudflare                                          Breach         85        4       8/2025   Attack with significant impact, with customer data leaks
Cloudflare                                          Breach         100       4       02/2017  Attack with significant impact, with customer data leaks
Cloudflare                                          Cyber Attack   60        1       04/2022  Attack without any consequences
Minecraft (Microsoft)                               Cyber Attack   60        5       10/2025  Attack threatening the organization's existence
Cloudflare                                          Cyber Attack   100       5       6/2024   Attack threatening the organization's existence
Cloudflare                                          Cyber Attack   100       8       10/2023  Attack that could lead to war
Cloudflare                                          Cyber Attack   100       6       6/2025   Attack threatening the economy of a geographical region
Cloudflare                                          Ransomware     100       -       5/2025   Attack threatening the organization's existence
Cloudflare                                          Vulnerability  60        2       5/2025   Attack limited to finance or reputation
Cloudflare (or the website owner using Cloudflare)  Vulnerability  60        2       5/2025   Attack limited to finance or reputation
Cloudflare                                          Vulnerability  100       5       5/2025   Attack threatening the organization's existence

Cloudflare
Breach
Severity: 85
Impact: 4
Seen: 8/2025
Rankiteo Explanation
Attack with significant impact, with customer data leaks

Description: Cloudflare confirmed it was affected by the supply chain attack on the Salesloft Drift integration with Salesforce, part of a broader campaign (tracked by Google as UNC6395) that touched more than 700 organizations. Using stolen OAuth credentials for the Drift application, the attackers exfiltrated data from Cloudflare's Salesforce support cases between August 12 and 17, 2025, after reconnaissance on August 9. The exposed data comprised customer contact details (emails, phone numbers, company domains) and the contents of support cases, including free-form text in which customers may have pasted API tokens, logs or passwords. Cloudflare's own review of that text found 104 Cloudflare API tokens; none showed signs of misuse, and all were rotated. No Cloudflare infrastructure was compromised, but any credential for a downstream system that was ever shared in a case (AWS keys, Snowflake tokens and the like) should be treated as exposed. Cloudflare disabled Drift, removed the Salesloft integration, notified affected customers and urged credential rotation and forensic review. The incident illustrates the risk carried by third-party SaaS integrations that hold broad access into enterprise systems.
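The free-form support text is the part of this breach a customer can act on: every credential ever pasted into a case has to be found and rotated. The scanner below is an added example for this page, not Cloudflare's own tooling; it runs the kind of review Cloudflare describes performing on its case data over a constructed support case, looking for Cloudflare API tokens (assumed here to be 40 characters of letters, digits, `_` and `-`, filtered by an entropy threshold so ordinary text of that length is skipped), Cloudflare Global API keys (37 hex characters) and AWS access key IDs, and redacting what it finds. The sample case, the patterns and the thresholds are this example's assumptions.

```python
import math
import re

# Heuristic patterns for secrets customers commonly paste into support cases.
# These are assumptions for this example, not Cloudflare's own scanning rules:
#  - Cloudflare API tokens: 40 characters from [A-Za-z0-9_-]
#  - Cloudflare Global API keys: 37 lowercase hex characters
#  - AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics
PATTERNS = {
    "cloudflare_api_token": re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])"),
    "cloudflare_global_api_key": re.compile(r"(?<![0-9a-zA-Z])[0-9a-f]{37}(?![0-9a-zA-Z])"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
}

# Minimum Shannon entropy (bits per character) for the generic 40-character
# token pattern, so prose or padding of that length is not reported.
MIN_TOKEN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_case(text: str) -> list:
    """Return (kind, secret, start, end) tuples for every candidate secret in text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            candidate = m.group(0)
            if kind == "cloudflare_api_token" and shannon_entropy(candidate) < MIN_TOKEN_ENTROPY:
                continue  # low entropy: looks like words, not a random token
            findings.append((kind, candidate, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[2])


def redact(text: str, findings: list) -> str:
    """Replace each found secret with a placeholder that keeps the kind and a short prefix."""
    out = text
    for kind, secret, _, _ in sorted(findings, key=lambda f: -f[2]):
        out = out.replace(secret, f"<REDACTED {kind} {secret[:4]}...>")
    return out


# Constructed sample: a support case in which a customer pasted live credentials.
# The zone ID at the end is a public identifier and must not be flagged.
SAMPLE_CASE = (
    "Hi, our DNS update job fails with 403. We call the API with "
    "Authorization: Bearer Z3hQ9_kL2mN8vB4cX7wR1tY6uI0oP5aS-dF3gH2j "
    "from the same host that has AKIAIOSFODNN7EXAMPLE in its env. "
    "Zone ID is 023e105f4ecef8ad9ca31a8372d0c353."
)


def demo() -> dict:
    """Scan the constructed case and return the kinds found plus the redacted text."""
    findings = scan_case(SAMPLE_CASE)
    return {
        "kinds": sorted({f[0] for f in findings}),
        "secrets": [f[1] for f in findings],
        "redacted": redact(SAMPLE_CASE, findings),
    }


if __name__ == "__main__":
    result = demo()
    for kind in result["kinds"]:
        print("found:", kind)
    print(result["redacted"])
```

A hit is a candidate, not a confirmed live secret: Cloudflare's `GET /client/v4/user/tokens/verify` endpoint reports whether a token is still active, but a token that was ever present in exposed text should be rotated regardless of the answer.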

Cloudflare
Breach
Severity: 100
Impact: 4
Seen: 02/2017
Rankiteo Explanation
Attack with significant impact, with customer data leaks

Description: In February 2017 Tavis Ormandy of Google Project Zero found that Cloudflare's edge servers were leaking memory contents into HTTP responses, the result of a buffer overrun in the HTML parser; the bug became known as Cloudbleed. The leaked bytes contained private data belonging to other Cloudflare customers, including login passwords and authentication cookies, and some of it had been cached by search engines. Uber, Fitbit, 1Password and OKCupid were among the well-known affected sites. Mobile apps were affected as well as browsers, because they use the same backends for HTTPS (SSL/TLS) termination and content delivery. Cloudflare's handling of the report drew comment: the researcher was pointed to the company's bug bounty programme, whose reward was a t-shirt rather than a cash payment.

Cloudflare
Cyber Attack
Severity: 60
Impact: 1
Seen: 04/2022
Rankiteo Explanation
Attack without any consequences

Description: Cloudflare detected and mitigated a 15.3 million request-per-second (rps) HTTPS DDoS attack, one of the largest volumetric attacks it had recorded at the time. The attack lasted less than 15 seconds and came from a botnet of roughly 6,000 unique bots spread across 112 countries. The target was a "crypto launchpad", a service used to surface decentralised finance projects to potential investors. The attack was absorbed without customer impact.

Minecraft (Microsoft)
Cyber Attack
Severity: 60
Impact: 5
Seen: 10/2025
Rankiteo Explanation
Attack threatening the organization's existence

Description: On October 8, 2025 the Aisuru IoT botnet launched a record 29.6 Tbps DDoS attack against major online gaming platforms, including Minecraft. The attack lasted only seconds and was sourced from compromised consumer devices (home routers, IP cameras, DVRs), a large share of them on US ISPs (AT&T, Comcast, Verizon, T-Mobile, Charter), producing traffic far beyond the mitigation capacity of most targets. Although gaming services were the primary target, the volume caused collateral connectivity disruption for users outside the gaming community. Security journalist Brian Krebs noted that attacks of this size exceed the defensive capability of most organizations and pose a systemic risk. No data breach or ransomware was involved; the impact was availability: interrupted user access and payment flows, downtime-related financial loss and reputational damage. The incident underlines the growing threat of IoT-driven DDoS campaigns against high-traffic platforms.

Cloudflare
Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2024
Rankiteo Explanation
Attack threatening the organization's existence

Description: In 2024 Cloudflare mitigated 21.3 million DDoS attacks, a 358% increase year over year, and in Q1 2025 alone it blocked a further 20.5 million, 6.6 million of which targeted Cloudflare's own infrastructure during an 18-day multi-vector campaign. Network-layer attacks rose 509%, and hyper-volumetric attacks became routine: more than 700 events exceeded 1 Tbps or 1 billion packets per second, about eight per day in Q1. Reflection and amplification vectors grew sharply (CLDAP reflection up 3,488% quarter over quarter, ESP amplification up 2,301%), and gaming servers faced floods of up to 1.5 billion packets per second. Cloudflare also reported withstanding a 5.8 Tbps attack lasting 45 seconds, above its earlier 5.6 Tbps record. All of these were mitigated, but the scale and sophistication they represent is a standing threat to service availability and business continuity across industries.

Cloudflare
Cyber Attack
Severity: 100
Impact: 8
Seen: 10/2023
Rankiteo Explanation
Attack that could lead to war

Description: On October 7, 2023, amid a real-world conflict, Israeli websites that provide critical information and rocket-attack alerts to civilians were hit by a series of DDoS attacks, peaking at 1 million requests per second. Cloudflare's systems detected and mitigated them. Pro-Palestinian hacktivist groups also targeted other Israeli websites and apps, including compromising a civilian rocket-alert app to push fake alerts, and Cloudflare's Threat Operations team identified malicious mobile applications impersonating legitimate alert apps that could access sensitive user data. These attacks ran alongside physical threats, a difficult combination for Cloudflare and the affected organizations to manage, and illustrate how physical and cyber security converge in wartime.

Cloudflare
Cyber Attack
Severity: 100
Impact: 6
Seen: 6/2025
Rankiteo Explanation
Attack threatening the economy of a geographical region

Description: Cloudflare reported a DDoS attack peaking at 7.3 terabits per second, the largest ever recorded on its platform. The attack took place in May 2025 and targeted a hosting provider that uses Cloudflare Magic Transit to protect its IP network. It delivered about 37.4 terabytes of data in 45 seconds from 122,145 source IP addresses spread across 161 countries, surpassing the previous record of 5.6 Tbps, an attack Cloudflare measured in October 2024. Hosting providers and core internet infrastructure are frequent DDoS targets, and Cloudflare publishes regular analyses of the trend: it reported more than 13.5 million DDoS attacks launched in January and February 2025 against its own infrastructure and the hosting providers it protects.

Cloudflare
Ransomware
Severity: 100
Impact:
Seen: 5/2025
Rankiteo Explanation
Attack threatening the organization's existence

Description: Security researchers have documented a growing pattern of ransomware affiliates and advanced persistent threat actors abusing cloudflared, the client for Cloudflare's legitimate Tunnel service, to keep covert access into networks they have already compromised. cloudflared opens outbound, encrypted connections to Cloudflare's edge and relays traffic for internal services (RDP, SSH, SMB and the like) back through them, so the attacker gets what amounts to local network access from anywhere on the internet. Perimeter controls that flag unusual outbound connections rarely catch it: all they see is an outbound session to a widely trusted provider, and the payload is encrypted between the host and the Cloudflare edge, so it passes as legitimate traffic. The technique is a persistence mechanism that abuses a legitimate signed binary and a trusted destination, not a vulnerability in the service, which is why detection has to come from host telemetry (process creation and command-line arguments) rather than from the network alone.
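Because the tunnel looks like ordinary outbound traffic to a trusted provider, the practical detection is on the host. The hunt below is an added example, not tooling from Cloudflare or from the research the entry summarises: it scores endpoint process-creation events against indicators that are documented cloudflared behaviour (the `tunnel run --token`, `service install` and `--url` invocations, quick-tunnel hostnames under trycloudflare.com, and the outbound edge port 7844) plus two generic ones (a binary named cloudflared, execution from a temp or download directory), so that a renamed copy is still caught by its arguments. The log lines, the weights and the alert threshold are constructed for this example.

```python
import json
import re
from collections import Counter

# Indicators for abuse of cloudflared as a persistence channel. The switches,
# the trycloudflare.com domain and edge port 7844 are documented cloudflared
# behaviour; the weights and the alert threshold are this example's assumptions.
RULES = [
    ("binary_name",      2, lambda e: re.search(r"(^|[\\/])cloudflared(\.exe)?$", e["image"], re.I) is not None),
    ("tunnel_token_run", 3, lambda e: re.search(r"\btunnel\b.*\brun\b.*--token\b", e["cmdline"], re.I) is not None),
    ("service_install",  3, lambda e: re.search(r"\bservice\s+install\b", e["cmdline"], re.I) is not None),
    ("quick_tunnel_url", 3, lambda e: "--url" in e["cmdline"] or "trycloudflare.com" in e["cmdline"].lower()),
    ("edge_port_7844",   2, lambda e: e.get("dst_port") == 7844),
    ("runs_from_temp",   1, lambda e: re.search(r"[\\/](temp|tmp|downloads|public)[\\/]", e["image"], re.I) is not None),
]
ALERT_THRESHOLD = 3  # a lone "cloudflared" binary (score 2) is not an alert by itself


def evaluate(event: dict) -> dict:
    """Score one process-creation event and list the indicators it matched."""
    matched = [name for name, _, test in RULES if test(event)]
    score = sum(weight for name, weight, _ in RULES if name in matched)
    return {"host": event["host"], "score": score, "alert": score >= ALERT_THRESHOLD, "indicators": matched}


def hunt(events: list) -> list:
    """Return the evaluations whose score reaches the alert threshold."""
    return [r for r in (evaluate(e) for e in events) if r["alert"]]


# Constructed telemetry in the style of endpoint process-creation logs (not real data):
# a renamed cloudflared run from Temp with a tunnel token, a quick tunnel exposing RDP,
# a benign browser process, a legitimate version check, and a service install from Temp.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"host": "ws-finance-07", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost32.exe", "cmdline": "svchost32.exe tunnel --no-autoupdate run --token eyJhIjoiMDEyMzQ1Njc4OWFiY2RlZiIsInQiOiJkZWFkYmVlZiJ9", "dst_port": 7844}
{"host": "build-srv-02", "image": "/usr/local/bin/cloudflared", "cmdline": "cloudflared tunnel --url rdp://localhost:3389", "dst_port": 7844}
{"host": "ws-finance-07", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe --type=renderer", "dst_port": 443}
{"host": "dev-laptop-11", "image": "/opt/cloudflared/cloudflared", "cmdline": "cloudflared --version", "dst_port": null}
{"host": "dc-01", "image": "C:\\Windows\\Temp\\cf.exe", "cmdline": "cf.exe service install eyJhIjoiYWJjZCIsInQiOiIxMjM0In0=", "dst_port": 7844}
""".strip().splitlines()]


def demo() -> dict:
    """Run the hunt over the sample telemetry and summarise alerts per host."""
    alerts = hunt(SAMPLE_EVENTS)
    return {"alert_count": len(alerts), "hosts": Counter(a["host"] for a in alerts), "alerts": alerts}


if __name__ == "__main__":
    for a in demo()["alerts"]:
        print(f"{a['host']}: score={a['score']} indicators={','.join(a['indicators'])}")
```

The version check on dev-laptop-11 scores below the threshold on purpose: cloudflared has legitimate administrative uses, and the signal is the combination of tunnel arguments, an edge connection and an unusual binary location, not the name alone.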

Cloudflare
Vulnerability
Severity: 60
Impact: 2
Seen: 5/2025
Rankiteo Explanation
Attack limited to finance or reputation

Description: Cloudflare experienced an internal server error across its global network, with potential disruption to web traffic, security services and DNS resolution for the many websites and online services that rely on its infrastructure. The brief report did not give the cause; errors of this kind can stem from misconfiguration, software bugs or infrastructure overload, and they degrade performance or availability temporarily. Businesses dependent on Cloudflare's CDN, DDoS protection or firewall services may have seen intermittent downtime, slower load times or failed transactions, with revenue loss, customer frustration or reputational harm for e-commerce platforms, SaaS providers and media sites; APIs, authentication systems and payment gateways routed through Cloudflare may also have been affected. No data breach or malicious attack was confirmed. The incident highlights the concentration risk of cloud dependencies, where a single provider's failure cascades across industries, and the limited detail on root cause and duration does nothing for user trust if such issues recur. Recovery likely involved internal debugging, failover mechanisms or rolling restarts; the broader operational and financial impact on affected clients is unquantified.

Cloudflare (or the website owner using Cloudflare)
Vulnerability
Severity: 60
Impact: 2
Seen: 5/2025
Rankiteo Explanation
Attack limited to finance or reputation

Description: The incident concerns Cloudflare being unable to complete an SSL/TLS handshake with a website's origin server, typically the result of a cipher-suite or protocol mismatch, an expired or invalid origin certificate, or an SSL/TLS mode on the Cloudflare side that does not match what the origin supports. Visitors receive an error from Cloudflare's edge instead of the site, so the effect for the site owner is downtime, lost trust and reputational damage; no data breach or attack is involved. For sites that depend on e-commerce, subscriptions or advertising the outage translates directly into lost revenue, and prolonged unavailability can hurt search ranking. The underlying misconfiguration is also a security concern in its own right: an origin that only speaks outdated protocols or weak cipher suites, or that is reachable without TLS, widens the opportunity for interception between Cloudflare and the origin. In this case the immediate impact was operational disruption rather than confirmed compromise.
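The failure the entry describes is visible from the origin side with a direct handshake, which is the first thing to run before changing Cloudflare's SSL/TLS mode. The probe below is an added example, not Cloudflare's diagnostic tooling: it attempts a TLS handshake against an origin and classifies the result by the stage at which it fails, mapping each stage to the error code Cloudflare's edge shows visitors for the same condition (521, 522, 525, 526). To stay self-contained it also starts a local stand-in for a misconfigured origin that answers in plain HTTP on the TLS port; that server, the host names and the stage-to-error mapping are assumptions of the example.

```python
import socket
import ssl
import threading

# Stage at which the probe fails -> error Cloudflare's edge returns to visitors
# when the same thing happens between Cloudflare and an origin (521 web server
# is down, 522 connection timed out, 525 SSL handshake failed, 526 invalid SSL
# certificate). The mapping is this example's assumption.
CLOUDFLARE_ERROR_FOR_STAGE = {
    "tcp_refused": 521,
    "tcp_timeout": 522,
    "handshake": 525,
    "certificate": 526,
}


def probe_origin_tls(host: str, port: int, server_name: str = None, timeout: float = 3.0) -> dict:
    """Attempt a TLS handshake with an origin and classify the outcome.

    Verification uses the platform trust store, so a self-signed or expired
    origin certificate is reported as a certificate failure, while a protocol
    or cipher mismatch (or an origin speaking plain HTTP) is a handshake failure.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "stage": "handshake", "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "not_after": cert.get("notAfter"), "cf_error": None}
    except ssl.SSLCertVerificationError as e:  # subclass of SSLError, so it must come first
        stage, detail = "certificate", e.verify_message
    except ssl.SSLError as e:                  # protocol/cipher mismatch, plaintext origin, EOF
        stage, detail = "handshake", e.reason or str(e)
    except socket.timeout:
        stage, detail = "tcp_timeout", "no answer within timeout"
    except OSError as e:                       # connection refused, unreachable, DNS failure
        stage, detail = "tcp_refused", str(e)
    return {"ok": False, "stage": stage, "detail": detail, "cf_error": CLOUDFLARE_ERROR_FOR_STAGE[stage]}


def start_plaintext_origin() -> tuple:
    """Start a local stand-in for a misconfigured origin: it listens on the port
    Cloudflare would use for TLS but answers the ClientHello with plain HTTP.
    Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.recv(4096)  # swallow the ClientHello
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def demo() -> dict:
    """Probe the plaintext stand-in and a closed port; return both classifications."""
    port, stop = start_plaintext_origin()
    try:
        plaintext = probe_origin_tls("127.0.0.1", port, server_name="origin.example")
    finally:
        stop.set()
    # Reserve and release an ephemeral port so the second probe hits nothing.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    closed = probe_origin_tls("127.0.0.1", closed_port, server_name="origin.example")
    return {"plaintext": plaintext, "closed": closed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: stage={result['stage']} cf_error={result['cf_error']} detail={result.get('detail')}")
```

Run against a real origin, a successful probe also returns the negotiated protocol, cipher and certificate expiry, which is enough to tell a cipher-suite mismatch from a certificate that has simply expired.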

Cloudflare
Vulnerability
Severity: 100
Impact: 5
Seen: 5/2025
Rankiteo Explanation
Attack threatening the organization's existence

Description: Cloudflare experienced an internal server error across its global network, disrupting websites, APIs and online services that rely on its infrastructure. The outage likely made critical web applications, e-commerce platforms and cloud-based services temporarily unavailable to end users and businesses. No data breach or malicious attack was confirmed, but the incident disrupted operations for a large number of dependent organizations, with financial losses from downtime falling hardest on high-traffic and transaction-heavy services. The error may also have eroded confidence in Cloudflare's reliability, though no permanent data loss or security compromise was reported. The root cause appeared to be a technical failure rather than an attack; the operational impact was nonetheless widespread, affecting global traffic routing and content delivery.


Cloudflare Company Scoring based on AI Models

Cyber incidents likelihood (3, 6 and 9 months): predictions not shown on this page (available under Rankiteo's monitoring plan).

A.I. risk score likelihood (3, 6 and 9 months): predictions not shown on this page (available under Rankiteo's monitoring plan).

Underwriter Stats for Cloudflare

Incidents vs Computer and Network Security Industry Average (This Year)

Cloudflare has 1204.35% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Cloudflare has 837.5% more incidents than the average of all companies with at least one recorded incident.

Incident Types Cloudflare vs Computer and Network Security Industry Avg (This Year)

Cloudflare reported 6 incidents this year: 2 cyber attacks, 1 ransomware, 3 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History (chart, X = date, Y = severity): timeline of detected incidents for Cloudflare, including parent company and subsidiaries; not reproduced here.

Cloudflare Company Subsidiaries

No subsidiaries are listed for Cloudflare.

Cloudflare Similar Companies

CrowdStrike

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-clas

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest s


Cloudflare CyberSecurity News

November 20, 2025 11:00 AM
Cloudflare blames database, Crypto heist takedown

Cloudflare's worst outage since 2019 knocked major websites offline for hours on Tuesday, and the company now says it wasn't a cyberattack...

November 19, 2025 10:04 PM
Cloudflare Reveals Cause of Massive Internet Outage

November 19, 2025 09:10 PM
Lesson from the Cloudflare outage: Don’t jump to conclusions about external threats

COMMENTARY: A widespread Cloudflare service interruption Nov. 18 took down hundreds of websites for a few hours, causing significant...

November 19, 2025 06:22 PM
Cloudflare outage spotlights systemic risks in cloud resilience

Yesterday's Cloudflare outage triggered widespread 5xx errors, exposing systemic risks in cloud resilience and sparking calls for stronger...

November 19, 2025 04:01 PM
What triggered the cloudflare outage that disrupted major websites?

A little-known issue, a 'latent bug,' is being blamed for the massive disruption that impacted major platforms like X, ChatGPT,...

November 19, 2025 03:57 PM
Cloudflare Blames Outage on Internal Configuration Error

Initially thought to be a DDoS attack, the incident was actually due to a routine change in permissions that caused widespread software...

November 19, 2025 01:55 PM
Cloudflare outage reveals vulnerability of cybersecurity consolidation

When one major cybersecurity firm goes down, like Cloudflare did this week, it can disrupt large swaths of the internet.

November 19, 2025 10:37 AM
Inside Outages: What Happens When Cloudflare Goes Down?

When Cloudflare's systems – protecting 20% of global websites – crashed, it revealed a worrying trend about global internet infrastructure.

November 19, 2025 08:52 AM
Everything to know about Cloudflare, the service going down that took half the internet with it

Cloudflare experienced an outage on Tuesday, causing hundreds of websites to crash, including the X platform, Spotify, Knava, ChatGPT,...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Cloudflare CyberSecurity History Information

Official Website of Cloudflare

The official website of Cloudflare is https://www.cloudflare.com.

Cloudflare’s AI-Generated Cybersecurity Score

According to Rankiteo, Cloudflare’s AI-generated cybersecurity score is 672, reflecting their Weak security posture.

How many security badges does Cloudflare have ?

According to Rankiteo, Cloudflare currently holds 0 security badges, meaning that no compliance certification has been verified for the organization through Rankiteo's badge programme. This reflects Rankiteo's verification status only, not Cloudflare's actual certifications: Cloudflare publishes its own compliance attestations, including ISO 27001, SOC 2 Type II and PCI DSS, on its trust hub, and the answers below should be read with that in mind.

Does Cloudflare have SOC 2 Type 1 certification ?

According to Rankiteo, no SOC 2 Type 1 badge is verified for Cloudflare.

Does Cloudflare have SOC 2 Type 2 certification ?

According to Rankiteo, no SOC 2 Type 2 badge is verified for Cloudflare.

Does Cloudflare comply with GDPR ?

According to Rankiteo, no GDPR badge is verified for Cloudflare.

Does Cloudflare have PCI DSS certification ?

According to Rankiteo, no PCI DSS badge is verified for Cloudflare.

Does Cloudflare comply with HIPAA ?

According to Rankiteo, no HIPAA badge is verified for Cloudflare.

Does Cloudflare have ISO 27001 certification ?

According to Rankiteo, no ISO 27001 badge is verified for Cloudflare.

Industry Classification of Cloudflare

Cloudflare operates primarily in the Computer and Network Security industry.

Number of Employees at Cloudflare

Cloudflare employs approximately 6,146 people worldwide.

Subsidiaries Owned by Cloudflare

Rankiteo lists no subsidiaries for Cloudflare in any sector.

Cloudflare’s LinkedIn Followers

Cloudflare’s official LinkedIn profile has approximately 1,097,651 followers.

NAICS Classification of Cloudflare

Cloudflare is classified under the NAICS code 541514, which Rankiteo maps to Others.

Cloudflare’s Presence on Crunchbase

Rankiteo does not link a Crunchbase profile for Cloudflare.

Cloudflare’s Presence on LinkedIn

Yes, Cloudflare maintains an official LinkedIn profile, used for branding and talent engagement, which can be accessed at https://www.linkedin.com/company/cloudflare.

Cybersecurity Incidents Involving Cloudflare

As of December 01, 2025, Rankiteo reports that Cloudflare has experienced 11 cybersecurity incidents.

Number of Peer and Competitor Companies

Cloudflare has an estimated 2,858 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Cloudflare ?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Ransomware, Cyber Attack and Breach.

How does Cloudflare detect and respond to cybersecurity incidents ?

Detection and Response: The detection and response measures recorded across the incidents on this page are the following.

Incident response plans activated: Cloudflare (August 23), Zscaler, Palo Alto Networks, Salesloft and Google, all for the Salesloft Drift breach.

Third-party assistance: Mandiant (for the Salesloft investigation) and Google Threat Intelligence; for the origin SSL failure, Cloudflare Support is implied via the troubleshooting link on the error page.

Containment: Salesloft revoked all Drift-to-Salesforce connections (pre-notification); Cloudflare disabled Drift user accounts and purged Salesloft software; Google revoked compromised Workspace tokens and disabled the Drift integration; Salesloft took the Drift platform offline and paused Salesforce integrations.

Remediation: credential rotation (Cloudflare rotated 104 API tokens); customer notifications via email and dashboard banners (Cloudflare, Palo Alto Networks); forensic investigations across affected organizations; Salesforce instance audits for unauthorized access; for the origin SSL failure, review and update of the origin server's SSL configuration to ensure cipher suite compatibility with Cloudflare.

Recovery: re-establishing secure integrations (timeline unclear); enhanced monitoring of Salesforce/Salesloft environments; for the error-page entries, automated or manual recovery implied by the advice to try again in a few minutes.

Communication: public blog posts by Cloudflare, Zscaler and Palo Alto Networks; customer advisories with actionable steps (e.g., disconnect Salesloft, rotate credentials); Google’s updated threat advisory (August 2025); for the error-page entries, a generic user-facing message advising visitors to retry and website owners to troubleshoot via the provided link.

Enhanced monitoring: likely implemented by the affected companies (not detailed).

Incident Details

Can you provide details on each incident ?

Incident : DDoS Attack

Title: Cloudflare Suffers Massive DDoS Attack

Description: Internet infrastructure company Cloudflare reported one of the largest volumetric distributed denial-of-service (DDoS) attacks on record; per the impact section below, the target was a crypto launchpad hosted behind Cloudflare.

Type: DDoS Attack

Attack Vector: Distributed Denial of Service (DDoS)

Incident : Data Breach

Title: Cloudbleed Security Flaw in Cloudflare Servers

Description: Cloudbleed (disclosed in February 2017) was a memory-safety bug in the HTML parser running on Cloudflare's edge servers: a buffer overrun caused uninitialized memory from the edge process to be written into HTTP responses, so responses for one customer's site could contain private data belonging to other customers, including login passwords and authentication cookies, and some of those responses were cached by search engines. Uber, Fitbit, 1Password and OKCupid were among the big names affected. Because mobile apps use the same backends as browsers for HTTPS (SSL/TLS) termination and content delivery, they were likewise exposed. The bug was found by Google Project Zero researcher Tavis Ormandy; Cloudflare directed him to its bug bounty programme and offered a t-shirt in lieu of cash, which is highly unusual.

Type: Data Breach

Attack Vector: Cloudbleed Security Flaw

Vulnerability Exploited: Cloudbleed (edge HTML parser buffer overrun; Cloudflare reported no evidence that the leak was deliberately exploited before the fix)

Incident : DDoS, Hacktivism, Malware

Title: DDoS and Hacktivist Attacks on Israeli Websites and Apps

Description: On October 7, 2023, Israeli websites providing critical information and alerts to civilians on rocket attacks were hit by a series of DDoS attacks. Cloudflare systems detected and mitigated these attacks, which were as intense as 1M requests per second. Pro-Palestinian hacktivist groups also targeted various Israeli websites and apps, including compromising an app alerting civilians about incoming rockets by sending fake alerts. Cloudflare's Threat Operations team discovered malicious mobile applications impersonating legitimate alert apps, which could access sensitive user data. These cyberattacks occurred alongside physical threats, creating a complex situation for Cloudflare and the affected organizations to manage, emphasizing the intersection of physical and cybersecurity domains during times of conflict.

Date Detected: 2023-10-07

Type: DDoS, Hacktivism, Malware

Attack Vector: DDoS; malicious mobile applications

Threat Actor: Pro-Palestinian hacktivist groups

Motivation: Political, Disruption

Incident : DDoS

Title: Cloudflare DDoS Attacks 2024-2025

Description: In 2024 Cloudflare mitigated a staggering 21.3 million DDoS attacks—a 358% year-over-year jump—and in Q1 2025 alone it already repelled 20.5 million assaults, including 6.6 million aimed directly at its own infrastructure during an 18-day multi-vector campaign. The surge was driven by a 509% increase in network-layer attacks, while hyper-volumetric floods exploded: over 700 events surpassed 1 Tbps or 1 billion packets per second, averaging eight daily in Q1. Emerging threats like CLDAP reflection attacks rose 3,488% quarter-over-quarter and ESP amplification attacks grew 2,301%. Even specialized gaming servers faced hyper-volumetric onslaughts up to 1.5 billion packets per second. Most alarmingly, Cloudflare disclosed it withstood a record-breaking 5.8 Tbps DDoS blast lasting 45 seconds, eclipsing its previous 5.6 Tbps record. Although fully mitigated, these figures underscore unprecedented scale and sophistication that threaten service availability and corporate stability across industries.

Type: DDoS

Attack Vector: Network-layer attacks; CLDAP reflection; ESP amplification

Incident : Ransomware

Title: Abuse of Cloudflare’s Tunneling Service by Ransomware Groups

Description: Cybersecurity researchers have identified a growing trend among ransomware affiliates and advanced persistent threat actors leveraging Cloudflare’s legitimate tunneling service, Cloudflared, to establish covert access channels into compromised networks. This sophisticated technique allows attackers to maintain persistent access while evading traditional network security controls.

Type: Ransomware

Attack Vector: VPN exploitation; Remote Desktop Protocol attacks; Cloudflared tunnels

Threat Actor: BlackSuit, Royal, Akira, Scattered Spider, Medusa, Hunters International

Motivation: Maintain persistent access and establish command-and-control channels

Incident : DDoS Attack

Title: Record-Breaking DDoS Attack on Cloudflare Platform

Description: Cloudflare reported mitigating a DDoS attack that peaked at 7.3 terabits per second, the largest ever recorded on its platform. The target was a hosting provider using Cloudflare's Magic Transit (see the impact section below).

Date Detected: May 2025

Type: DDoS Attack

Attack Vector: Distributed Denial of Service (DDoS)

Incident : Data Breach

Title: Widespread Data Theft Campaign Targeting Salesforce via Salesloft Drift Integration

Description: A supply chain attack targeted hundreds of organizations globally by abusing the Salesloft Drift integration with Salesforce. Threat actors (tracked as UNC6395 by Mandiant and Google Threat Intelligence) used stolen Drift OAuth tokens to query customers' Salesforce instances and exfiltrated sensitive data, including AWS access keys, Snowflake tokens and business contact details, between August 8 and 18, 2025. Affected companies include Cloudflare, Zscaler, Palo Alto Networks and potentially over 700 others. Drift is the AI chatbot platform that Salesloft acquired in 2024. Salesloft has since taken Drift offline and paused Salesforce integrations as a precautionary measure.

Date Detected: 2025-08-13 (initial warnings by Mandiant)

Date Publicly Disclosed: 2025-08-27 (confirmations by Cloudflare, Zscaler, Palo Alto Networks)

Type: Data Breach

Attack Vector: Compromised third-party integration (Salesloft Drift); stolen OAuth/authentication tokens; API abuse

Vulnerability Exploited: Compromised authentication tokens of the Drift integration; over-permissive Salesforce integrations

Threat Actor: UNC6395 (tracked by Mandiant)

Motivation: Credential harvesting for further attacks; data exfiltration for resale or exploitation; potential espionage or financial gain

Incident : DDoS Attack

Title: Massive DDoS Attack by Aisuru IoT Botnet Disrupts Major Online Gaming Platforms

Description: A newly disclosed attack campaign linked to the Aisuru IoT botnet generated a surge of malicious traffic peaking at nearly 29.6 Tbps that temporarily disrupted major online gaming platforms. The burst lasted only a few seconds on October 8, 2025 and came primarily from compromised consumer devices (home routers, IP cameras and DVRs) on the networks of large US ISPs including AT&T, Comcast, Verizon, T-Mobile and Charter. The traffic targeted ISPs serving online gaming communities such as Minecraft, and the resulting disruption spread beyond the gaming sector.

Date Detected: 2025-10-08

Type: DDoS Attack

Attack Vector: Compromised IoT devices; DDoS amplification

Threat Actor: Aisuru IoT Botnet

Incident : Service Disruption / Configuration Error

Title: Cloudflare SSL Connection Failure to Origin Server

Description: Cloudflare is unable to establish an SSL connection to the origin server. This is the wording of Cloudflare's generic error 525 (SSL handshake failed) page, shown when the Cloudflare edge, operating in Full or Full (strict) SSL mode, cannot complete a TLS handshake with a customer's origin. It points to a configuration problem on that customer's origin (typically no shared cipher suite or protocol version, an origin that does not support SNI, or nothing listening for TLS on the port Cloudflare connects to), not to a compromise of Cloudflare. Visitors are advised to retry accessing the website after a few minutes, while website owners are directed to troubleshoot their origin's SSL configuration for compatibility with Cloudflare.

Type: Service Disruption / Configuration Error

Incident : Service Disruption / Internal Server Error

Title: Cloudflare Internal Server Error

Description: There is an internal server error on Cloudflare's network; users are advised to try again in a few minutes. This is the wording of Cloudflare's generic error 500 page rather than the description of a specific dated event, and it appears twice in this catalogue under separate incident IDs.

Type: Service Disruption / Internal Server Error

Incident : Service Disruption / Internal Server Error

Title: Cloudflare Internal Server Error

Description: There is an internal server error on Cloudflare's network; users are advised to try again in a few minutes. As with the previous entry, this is the wording of Cloudflare's generic error 500 page rather than the description of a specific dated event.

Type: Service Disruption / Internal Server Error

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Cyber Attack; five of the eleven incidents catalogued above are DDoS events.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The attack vectors recorded for the incidents above are malicious mobile applications (the October 2023 hacktivist campaign), compromised Salesloft Drift authentication tokens (the 2025 Salesforce data theft; Salesloft's later investigation with Mandiant traced the token theft to a compromise of Salesloft's GitHub account and the Drift AWS environment rather than to phishing or credential stuffing against the victims), and compromised IoT devices (home routers, IP cameras and DVRs) in the Aisuru botnet attack.

Impact of the Incidents

What was the impact of each incident ?

Incident : DDoS Attack CLO33326522

Systems Affected: Crypto Launchpad

Incident : Data Breach CLO619191123

Data Compromised: Login passwords, Authentication cookies

Systems Affected: Cloudflare servers; mobile apps

Incident : DDoS, Hacktivism, Malware CLO420051124

Data Compromised: Sensitive user data

Systems Affected: Israeli websites; mobile alert apps

Operational Impact: Fake alerts sent, User trust compromised

Brand Reputation Impact: Potential loss of trust

Identity Theft Risk: High

Incident : DDoS CLO717042825

Operational Impact: Threatens service availability and corporate stability across industries

Incident : DDoS Attack CLO900062425

Systems Affected: Hosting provider using Cloudflare's Magic Transit

Incident : Data Breach CLO453090325

Data Compromised: Customer business contact details (names, emails, phone numbers, locations); Salesforce case data (subject lines and body text, with potential keys/secrets); AWS access keys; Snowflake access tokens; Zscaler product licensing/commercial information; support case logs (which may include tokens/passwords)

Systems Affected: Salesforce instances (via the Salesloft Drift integration); Google Workspace accounts (limited to Drift-integrated mailboxes); Cloudflare API tokens (104 identified and rotated)

Downtime: Salesloft Drift platform taken offline; Salesforce-Salesloft integrations paused

Operational Impact: Forensic investigations across hundreds of organizations; credential rotation campaigns; disruption of customer support workflows (Salesforce case management); temporary loss of Drift chatbot functionality

Customer Complaints: Potential increase due to exposed sensitive data in support cases

Brand Reputation Impact: High (affects trust in the Salesforce ecosystem and third-party integrations); public disclosures by major tech firms may amplify scrutiny

Legal Liabilities: Potential GDPR/CCPA violations for exposed PII; contractual breaches with customers

Identity Theft Risk: Moderate (business contact details exposed); low for direct financial fraud (no payment data confirmed)

Payment Information Risk: None reported

Incident : DDoS Attack CLO0692506101325

Systems Affected: Online gaming platforms (e.g., Minecraft); ISPs (AT&T, Comcast, Verizon, T-Mobile, Charter)

Downtime: Few seconds (but widespread disruption)

Operational Impact: Temporary disruption of major online gaming platforms and broader Internet services

Incident : Service Disruption / Configuration Error CLO4892148111525

Systems Affected: Origin server SSL configuration

Downtime: Temporary (visitors advised to retry in a few minutes)

Operational Impact: Potential disruption in website accessibility for end-users relying on Cloudflare’s proxy services

Brand Reputation Impact: Minor (if prolonged or recurrent)

Incident : Service Disruption / Internal Server Error CLO1432114111825

Systems Affected: Cloudflare's network infrastructure

Downtime: Temporary (users advised to retry in a few minutes)

Operational Impact: Service interruption for users relying on Cloudflare's network

Brand Reputation Impact: Minor (if prolonged or frequent)

Incident : Service Disruption / Internal Server Error CLO3732737111825

Systems Affected: Cloudflare's network infrastructure

Downtime: Temporary (users advised to retry in a few minutes)

Operational Impact: Service interruption for users relying on Cloudflare's network

Brand Reputation Impact: Minor (short-term service disruption)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are login passwords, authentication cookies, sensitive user data, business contact information, Salesforce case metadata/content, authentication tokens (AWS, Snowflake, API keys) and support logs (which may include sensitive customer-provided data).

Which entities were affected by each incident ?

Incident : DDoS Attack CLO33326522

Entity Name: Cloudflare

Entity Type: Company

Industry: Internet Infrastructure

Incident : Data Breach CLO619191123

Entity Name: Uber

Entity Type: Company

Industry: Transportation

Incident : Data Breach CLO619191123

Entity Name: Fitbit

Entity Type: Company

Industry: Health & Fitness

Incident : Data Breach CLO619191123

Entity Name: 1Password

Entity Type: Company

Industry: Security

Incident : Data Breach CLO619191123

Entity Name: OKCupid

Entity Type: Company

Industry: Dating

Incident : DDoS, Hacktivism, Malware CLO420051124

Entity Name: Cloudflare

Entity Type: Technology Company

Industry: Cybersecurity

Location: Global

Customers Affected: Israeli civilians

Incident : DDoS CLO717042825

Entity Name: Cloudflare

Entity Type: Company

Industry: Technology

Incident : DDoS Attack CLO900062425

Entity Name: Cloudflare

Entity Type: Network Security Firm

Industry: Technology

Location: Global

Incident : Data Breach CLO453090325

Entity Name: Cloudflare

Entity Type: Internet Infrastructure Company

Industry: Cybersecurity/Cloud Services

Location: San Francisco, CA, USA

Size: ~3,000 employees (2024)

Customers Affected: Limited subset (those with data in Salesforce cases)

Incident : Data Breach CLO453090325

Entity Name: Zscaler

Entity Type: Cybersecurity Firm

Industry: Cloud Security

Location: San Jose, CA, USA

Size: ~5,000 employees (2024)

Customers Affected: Customers with support cases or licensing data exposed

Incident : Data Breach CLO453090325

Entity Name: Palo Alto Networks

Entity Type: Cybersecurity Firm

Industry: Network Security

Location: Santa Clara, CA, USA

Size: ~12,000 employees (2024)

Customers Affected: Limited number with sensitive data in Salesforce

Incident : Data Breach CLO453090325

Entity Name: Salesloft

Entity Type: Sales Engagement Platform

Industry: SaaS/CRM

Location: Atlanta, GA, USA

Size: ~1,000 employees (2024)

Customers Affected: Hundreds of organizations using Drift-Salesforce integration

Incident : Data Breach CLO453090325

Entity Name: Google (Workspace)

Entity Type: Tech Giant

Industry: Cloud/Enterprise Software

Location: Mountain View, CA, USA

Size: ~190,000 employees (2024)

Customers Affected: Workspace administrators with Drift-integrated accounts

Incident : Data Breach CLO453090325

Entity Name: Over 700 Unnamed Companies

Entity Type: Varied (B2B organizations)

Industry: Multiple (tech, finance, healthcare, etc.)

Location: Global

Incident : DDoS Attack CLO0692506101325

Entity Name: AT&T

Entity Type: ISP

Industry: Telecommunications

Location: United States

Incident : DDoS Attack CLO0692506101325

Entity Name: Comcast

Entity Type: ISP

Industry: Telecommunications

Location: United States

Incident : DDoS Attack CLO0692506101325

Entity Name: Verizon

Entity Type: ISP

Industry: Telecommunications

Location: United States

Incident : DDoS Attack CLO0692506101325

Entity Name: T-Mobile

Entity Type: ISP

Industry: Telecommunications

Location: United States

Incident : DDoS Attack CLO0692506101325

Entity Name: Charter

Entity Type: ISP

Industry: Telecommunications

Location: United States

Incident : DDoS Attack CLO0692506101325

Entity Name: Minecraft (and other online gaming platforms)

Entity Type: Gaming Platform

Industry: Gaming/Entertainment

Location: Global

Incident : Service Disruption / Configuration Error CLO4892148111525

Entity Name: Unspecified website(s) using Cloudflare

Entity Type: Organization(s)

Customers Affected: Visitors of the affected website(s)

Incident : Service Disruption / Internal Server Error CLO1432114111825

Entity Name: Cloudflare

Entity Type: Company

Industry: Internet Infrastructure / Cybersecurity

Location: Global (HQ: San Francisco, USA)

Size: Large

Customers Affected: Unknown (users experiencing service disruption)

Incident : Service Disruption / Internal Server Error CLO3732737111825

Entity Name: Cloudflare

Entity Type: Company

Industry: Internet Infrastructure / CDN & Security Services

Location: Global

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach CLO453090325

Incident Response Plan Activated: Cloudflare (August 23), Zscaler, Palo Alto Networks, Salesloft, Google

Third Party Assistance: Mandiant (for the Salesloft investigation), Google Threat Intelligence.

Containment Measures: Salesloft revoked all Drift-to-Salesforce connections (pre-notification); Cloudflare disabled Drift user accounts and purged Salesloft software; Google revoked compromised Workspace tokens and disabled the Drift integration; Salesloft took the Drift platform offline and paused Salesforce integrations

Remediation Measures: Credential rotation (Cloudflare rotated 104 API tokens); customer notifications via email/dashboard banners (Cloudflare, Palo Alto Networks); forensic investigations across affected organizations; Salesforce instance audits for unauthorized access

Recovery Measures: Re-establishing secure integrations (timeline unclear); enhanced monitoring of Salesforce/Salesloft environments

Communication Strategy: Public blog posts by Cloudflare, Zscaler and Palo Alto Networks; customer advisories with actionable steps (e.g., disconnect Salesloft, rotate credentials); Google’s updated threat advisory (August 2025)

Enhanced Monitoring: Likely implemented by affected companies (not detailed)

Incident : Service Disruption / Configuration Error CLO4892148111525

Third Party Assistance: Cloudflare Support (implied via the troubleshooting link on the error page).

Remediation Measures: Review and update SSL configuration on the origin server to ensure cipher suite compatibility with Cloudflare

Communication Strategy: Advisory for visitors to retry access; guidance for website owners to troubleshoot via provided link

Incident : Service Disruption / Internal Server Error CLO1432114111825

Recovery Measures: Automated or manual recovery (implied by 'try again in a few minutes')

Communication Strategy: Generic user-facing error message

Incident : Service Disruption / Internal Server Error CLO3732737111825

Recovery Measures: Users advised to retry after a few minutes (implied automatic recovery)

Communication Strategy: Generic error message displayed to users

What is the company's incident response plan?

Incident Response Plan: For the Salesloft Drift breach, incident response plans were activated at Cloudflare (on August 23), Zscaler, Palo Alto Networks, Salesloft and Google. The page records no incident response plan details for the other incidents.

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Mandiant (for the Salesloft investigation) and Google Threat Intelligence; for the origin SSL failure, Cloudflare Support is implied via the troubleshooting link on the error page.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach CLO619191123

Type of Data Compromised: Login passwords, Authentication cookies

Incident : DDoS, Hacktivism, Malware CLO420051124

Type of Data Compromised: Sensitive user data

Sensitivity of Data: High

Personally Identifiable Information: Yes

Incident : Data Breach CLO453090325

Type of Data Compromised: Business contact information, Salesforce case metadata/content, authentication tokens (AWS, Snowflake, API keys), support logs (may include sensitive customer-provided data)

Number of Records Exposed: Exact count unknown; hundreds of organizations affected; Cloudflare identified 104 API tokens

Sensitivity of Data: Moderate to high (credentials/secrets in support cases); low for most business contact details

Data Exfiltration: Confirmed between August 12–17, 2025; systematic export of large data volumes

File Types Exposed: Salesforce case records (text); CSV/JSON exports (likely); email content (Google Workspace)

Personally Identifiable Information: Business emails, phone numbers, company names (no SSNs/financial data confirmed)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The page records no dedicated exfiltration controls; the measures it lists are post-incident remediation for the Salesloft Drift breach: credential rotation (Cloudflare rotated 104 API tokens), customer notifications via email/dashboard banners (Cloudflare, Palo Alto Networks), forensic investigations across affected organizations, and Salesforce instance audits for unauthorized access. The SSL configuration review listed under the origin handshake entry is an availability fix, not an exfiltration control.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: For the Salesloft Drift breach, the PII exposure was handled through containment steps: Salesloft revoked all Drift-to-Salesforce connections (pre-notification), Cloudflare disabled Drift user accounts and purged Salesloft software, Google revoked compromised Workspace tokens and disabled the Drift integration, and Salesloft took the Drift platform offline and paused Salesforce integrations.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Ransomware CLO1006052925

Ransomware Strain: BlackSuit, Royal, Akira, Medusa (ransomware families); Scattered Spider (an intrusion group rather than a strain). Per the incident description above, this entry concerns these actors' abuse of Cloudflared tunnels for persistence and command and control inside victim networks, not a ransomware deployment against Cloudflare itself.

Incident : Data Breach CLO453090325

Data Exfiltration: Yes (but not ransomware-related)

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: None of the incidents above involved encryption of Cloudflare's data, so no ransomware recovery is recorded; the Ransomware entry concerns threat groups abusing Cloudflared tunnels in other victims' networks. The recovery measures the page lists (re-establishing secure integrations after the Salesloft Drift breach, enhanced monitoring of Salesforce/Salesloft environments, and the automatic or manual recovery implied by the 'try again in a few minutes' error pages) belong to those other incidents.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach CLO453090325

Regulations Violated: Potential GDPR (EU customer data), CCPA (California residents) and industry-specific compliance obligations (e.g., SOC 2 commitments); no violation finding or fine is recorded on this page.

Regulatory Notifications: Likely ongoing (not publicly detailed)

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : DDoS, Hacktivism, Malware CLO420051124

Lessons Learned: The importance of monitoring and mitigating cyber threats during times of conflict, especially when physical and cybersecurity domains intersect.

Incident : Ransomware CLO1006052925

Lessons Learned: The legitimate nature of Cloudflared traffic makes detection particularly challenging for security teams who must differentiate between authorized administrative use and malicious exploitation.
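Because the tunnel binary and its control-plane traffic are legitimate, a workable detection keys on how and by whom cloudflared is started rather than on the tool itself. The following is an added example, not code from Rankiteo, Cloudflare or any of the groups named above: it runs a few rules over constructed EDR-style process and DNS events (sample data, not real telemetry) and flags tunnel launches from hosts or accounts outside an assumed allowlist, tunnel arguments under a renamed binary, launches from user-writable directories, quick tunnels that publish a local RDP/SSH/SMB/WinRM port, and lookups of the tunnel control-plane domains (argotunnel.com, trycloudflare.com) from non-allowlisted hosts. The allowlist, the event schema and the port list are assumptions made for the example.

```python
import re

# Assumed allowlist (hypothetical): (host, user) pairs authorised to run tunnels.
# Build it from the tunnel inventory in the Cloudflare dashboard, not from what
# the EDR has already observed.
AUTHORISED_TUNNEL_RUNNERS = {("build-01", "svc-ci")}
AUTHORISED_TUNNEL_HOSTS = {host for host, _ in AUTHORISED_TUNNEL_RUNNERS}

# Constructed EDR-style events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "build-01", "user": "svc-ci",
     "image": "/usr/local/bin/cloudflared",
     "cmdline": "cloudflared tunnel run --token eyJhIjoiZXhhbXBsZSJ9"},
    {"type": "process", "host": "fin-ws-12", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "cmdline": "svchost.exe tunnel --no-autoupdate run --token eyJhIjoiZXhhbXBsZSJ9"},
    {"type": "dns", "host": "fin-ws-12", "query": "region1.v2.argotunnel.com"},
    {"type": "process", "host": "dev-05", "user": "asmith",
     "image": "/tmp/cloudflared",
     "cmdline": "cloudflared tunnel --url http://localhost:3389"},
    {"type": "process", "host": "dev-05", "user": "asmith",
     "image": "/usr/sbin/sshd", "cmdline": "sshd -D"},
    {"type": "dns", "host": "build-01", "query": "region2.v2.argotunnel.com"},
]

# cloudflared's tunnel subcommands and flags; the binary name is deliberately
# not part of the pattern so that a renamed copy is still caught.
TUNNEL_ARGS = re.compile(r"(?i)\btunnel\b.*?\s(run|--token|--url|--hostname|service install)(?=\s|$)")
TUNNEL_DOMAINS = re.compile(r"(?i)(?:^|\.)(argotunnel\.com|trycloudflare\.com)$")
USER_WRITABLE_DIRS = re.compile(r"(?i)(\\temp\\|\\appdata\\|\\downloads\\|/tmp/|/dev/shm/|/var/tmp/)")
LOCAL_URL_PORT = re.compile(r"--url\s+\S*?:(\d+)")
# Assumed list of local services an intruder typically publishes via a quick tunnel.
ADMIN_PORTS = {"3389": "RDP", "22": "SSH", "445": "SMB", "5985": "WinRM"}


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events):
    """Return one alert per suspicious event, each listing the rules it tripped."""
    alerts = []
    for ev in events:
        reasons = []
        host, user = ev["host"], ev.get("user", "")
        if ev["type"] == "process":
            if not TUNNEL_ARGS.search(ev["cmdline"]):
                continue                      # not a tunnel launch at all
            image = basename(ev["image"])
            if image not in ("cloudflared", "cloudflared.exe"):
                reasons.append(f"tunnel arguments under renamed binary {image}")
            if USER_WRITABLE_DIRS.search(ev["image"]):
                reasons.append("tunnel binary launched from a user-writable directory")
            port = LOCAL_URL_PORT.search(ev["cmdline"])
            if port and port.group(1) in ADMIN_PORTS:
                reasons.append(f"quick tunnel publishes local {ADMIN_PORTS[port.group(1)]} (port {port.group(1)})")
            if (host, user) not in AUTHORISED_TUNNEL_RUNNERS:
                reasons.append("host/user pair not in the tunnel allowlist")
        elif ev["type"] == "dns":
            if TUNNEL_DOMAINS.search(ev["query"]) and host not in AUTHORISED_TUNNEL_HOSTS:
                reasons.append(f"tunnel control-plane lookup {ev['query']} from non-allowlisted host")
        if reasons:
            alerts.append({"host": host, "user": user, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["user"] or "-", "; ".join(alert["reasons"]))
```

The authorised build host produces no alert even though it runs cloudflared and resolves the tunnel endpoints, which is the point: the signal is the combination of tunnel arguments, binary provenance and an unexpected host or account, not the presence of the tool. In production the same rules belong in the EDR or SIEM query language, with the allowlist fed from the tunnel inventory and with network telemetry for outbound 7844/udp and 7844/tcp added alongside the DNS rule.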

Incident : Data Breach CLO453090325

Lessons Learned: Third-party SaaS integrations introduce significant supply chain risk, especially when connected to core systems like Salesforce. Authentication tokens in chatbot/automation platforms (e.g., Drift) require stricter access controls and rotation policies. Over-permissive API integrations can enable large-scale data exfiltration with minimal detection. Proactive disconnection of integrations (as done by Salesloft) can limit blast radius, but transparency is critical to maintain trust. Credential hygiene (e.g., rotating tokens in support systems) is often overlooked but critical for limiting post-breach impact.

What recommendations were made to prevent future incidents ?

Incident : DDoS, Hacktivism, Malware CLO420051124

Recommendations: Enhance monitoring and mitigation strategies, improve communication and coordination with affected organizations, and increase public awareness about the risks of malicious mobile applications.

Incident : Data Breach CLO453090325

Recommendations: Audit all third-party integrations with Salesforce/CRM systems for least-privilege access. Isolate high-risk integrations (e.g., AI chatbots) in segmented network zones with enhanced logging. Implement automated token rotation for all API keys/secrets stored in SaaS platforms. Monitor for unusual data export patterns in Salesforce (e.g., bulk API calls). Require multi-factor authentication (MFA) for all Salesforce integrations, including third-party tools (noting that MFA on user logins does not protect an integration whose OAuth token has already been stolen, which is why token scope and rotation matter more in this case). Conduct tabletop exercises for supply chain attack scenarios involving CRM/ERP systems. Evaluate the necessity of storing sensitive data (e.g., AWS keys) in customer support systems.
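The last recommendation, keeping secrets out of support systems and rotating what is already there, is easiest to act on with a scan of the case text itself, which is how Cloudflare arrived at the 104 tokens listed in the impact section above. The following is an added example, not code from Rankiteo, Cloudflare or Salesloft: it runs a few secret patterns over constructed Salesforce-style case records (sample data, not real cases), reports which cases hold credentials that must be rotated, and redacts the values before the text is copied into a ticket or report. The patterns, the record fields and the fingerprint length are assumptions made for the example; tune the patterns to the token formats your own platforms issue.

```python
import re

# Constructed sample of Salesforce-style support cases (not real data). The
# bodies mimic what customers paste into tickets: curl commands, config dumps
# and key material, which is where long-lived secrets tend to end up.
SAMPLE_CASES = [
    {"id": "00001", "subject": "Worker deploy returns 403",
     "body": "Repro: curl -H 'Authorization: Bearer kZx9Qm2vT7bL4nR8sW1yH5cJ0dF3gA6pE9uN2iK7oB' "
             "https://api.example.invalid/v4/zones"},
    {"id": "00002", "subject": "R2 sync from S3 fails",
     "body": "aws configure list shows:\n"
             "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
             "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "00003", "subject": "Authenticated origin pull setup",
     "body": "Here is the client key we installed:\n"
             "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----"},
    {"id": "00004", "subject": "Cache TTL question",
     "body": "How do I set a one hour TTL for /static/* only?"},
]

# Detection patterns (assumed formats; the AWS ones follow AWS's documented
# example credentials). A capturing group marks the secret itself when the
# match also contains a harmless prefix such as 'Bearer '.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*=\s*([A-Za-z0-9/+=]{40})"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "private_key": re.compile(
        r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----[\s\S]*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----"),
}


def _secret_span(match):
    """(start, end, value) of the secret inside a regex match."""
    group = 1 if match.lastindex else 0
    return match.start(group), match.end(group), match.group(group)


def scan_cases(cases):
    """Return (case_id, kind, fingerprint) for every secret found. The
    fingerprint keeps only the first four characters: enough to identify
    which credential to rotate, not enough to use it."""
    findings = []
    for case in cases:
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(case["body"]):
                _, _, value = _secret_span(match)
                findings.append((case["id"], kind, value[:4] + "..."))
    return findings


def redact(text):
    """Mask every detected secret in place, keeping the surrounding context
    (e.g. 'Bearer ' or 'aws_access_key_id = ') so the record stays readable."""
    for kind, pattern in SECRET_PATTERNS.items():
        def mask(match, kind=kind):
            start, end, value = _secret_span(match)
            whole, offset = match.group(0), match.start()
            return (whole[:start - offset]
                    + value[:4] + "...[" + kind + "]"
                    + whole[end - offset:])
        text = pattern.sub(mask, text)
    return text


def cases_needing_rotation(cases):
    """Case IDs whose contents require a credential rotation before closure."""
    return sorted({case_id for case_id, _, _ in scan_cases(cases)})


if __name__ == "__main__":
    for case_id, kind, fingerprint in scan_cases(SAMPLE_CASES):
        print(f"case {case_id}: {kind} {fingerprint}")
    print("rotate credentials referenced in cases:", cases_needing_rotation(SAMPLE_CASES))
    print(redact(SAMPLE_CASES[1]["body"]))
```

Running the scan before a case is exported (or before a third-party integration is granted read access to the case object) is what turns the recommendation into a control: a finding blocks the export until the credential has been rotated, and the redacted copy is what reaches the integration. Pattern matching misses unstructured or unusually formatted secrets, so pair it with an entropy check or a commercial secret scanner for anything that must not leak.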

Incident : Service Disruption / Configuration Error CLO4892148111525

Recommendations: Website owners should ensure their origin server’s SSL/TLS configuration aligns with Cloudflare’s supported cipher suites and protocols. Regularly test SSL/TLS compatibility with third-party services like Cloudflare to preempt connectivity issues. Monitor Cloudflare’s documentation for updates on supported cipher suites and configurations.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: the importance of monitoring and mitigating cyber threats during times of conflict, especially when physical and cybersecurity domains intersect; the legitimate nature of cloudflared traffic makes detection particularly challenging for security teams, who must differentiate between authorized administrative use and malicious exploitation; third-party SaaS integrations introduce significant supply chain risk, especially when connected to core systems like Salesforce; authentication tokens in chatbot/automation platforms (e.g., Drift) require stricter access controls and rotation policies; over-permissive API integrations can enable large-scale data exfiltration with minimal detection; proactive disconnection of integrations (as done by Salesloft) can limit blast radius, but transparency is critical to maintain trust; credential hygiene (e.g., rotating tokens in support systems) is often overlooked but critical for limiting post-breach impact.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: enhance monitoring and mitigation strategies, improve communication and coordination with affected organizations, and increase public awareness about the risks of malicious mobile applications.

References

Where can I find more information about each incident ?

Incident : DDoS, Hacktivism, Malware CLO420051124

Source: Cloudflare

Incident : Ransomware CLO1006052925

Source: Sudo Rem

Incident : DDoS Attack CLO900062425

Source: Dutch IT Channel

Incident : Data Breach CLO453090325

Source: CyberScoop

URL: https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/

Date Accessed: 2024-08-28

Incident : Data Breach CLO453090325

Source: Cloudflare Blog (Postmortem)

URL: https://blog.cloudflare.com/salesloft-drift-incident-august-2024

Date Accessed: 2024-08-27

Incident : Data Breach CLO453090325

Source: Zscaler Advisory

URL: https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-update

Date Accessed: 2024-08-26

Incident : Data Breach CLO453090325

Source: Palo Alto Networks Statement

URL: https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/

Date Accessed: 2024-08-27

Incident : Data Breach CLO453090325

Source: Google Threat Intelligence Advisory

URL: https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaign

Date Accessed: 2024-08-25

Incident : Data Breach CLO453090325

Source: Mandiant (UNC6395 Tracking)

URL: https://www.mandiant.com/resources/insights/unc6395-salesforce-campaign

Date Accessed: 2024-08-20

Incident : DDoS Attack CLO0692506101325

Source: Krebs on Security (Brian Krebs)

Incident : Service Disruption / Configuration Error CLO4892148111525

Source: Cloudflare Support - SSL Troubleshooting

URL: https://developers.cloudflare.com/ssl/troubleshooting

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the sources cited above: Cloudflare; Sudo Rem; Dutch IT Channel; CyberScoop (https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/, accessed 2024-08-28); Cloudflare Blog (Postmortem) (https://blog.cloudflare.com/salesloft-drift-incident-august-2024, accessed 2024-08-27); Zscaler Advisory (https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-update, accessed 2024-08-26); Palo Alto Networks Statement (https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/, accessed 2024-08-27); Google Threat Intelligence Advisory (https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaign, accessed 2024-08-25); Mandiant (UNC6395 Tracking) (https://www.mandiant.com/resources/insights/unc6395-salesforce-campaign, accessed 2024-08-20); Krebs on Security (Brian Krebs); Cloudflare Support - SSL Troubleshooting (https://developers.cloudflare.com/ssl/troubleshooting).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : DDoS, Hacktivism, Malware CLO420051124

Investigation Status: Ongoing

Incident : Data Breach CLO453090325

Investigation Status: Ongoing (as of August 28, 2024)

Incident : Service Disruption / Configuration Error CLO4892148111525

Investigation Status: Ongoing (implied by troubleshooting guidance)

Incident : Service Disruption / Internal Server Error CLO1432114111825

Investigation Status: Unclear (no details provided)

Incident : Service Disruption / Internal Server Error CLO3732737111825

Investigation Status: Unclear (no details provided)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through public blog posts by Cloudflare, Zscaler and Palo Alto Networks; customer advisories with actionable steps (e.g., disconnect Salesloft, rotate credentials); Google’s updated threat advisory (August 2024); an advisory for visitors to retry access and guidance for website owners to troubleshoot via the provided link; and generic user-facing error messages.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach CLO453090325

Stakeholder Advisories: Disconnect the Salesloft Drift integration immediately. Treat all Drift-stored authentication tokens as compromised. Audit Salesforce for unauthorized data exports (August 8–18, 2024). Rotate all credentials/secrets shared via Salesforce cases or Drift chats. Monitor for follow-on attacks leveraging stolen AWS/Snowflake tokens.

Customer Advisories: Cloudflare: notified affected customers via email/dashboard banners; urged credential rotation. Palo Alto Networks: contacting customers with potentially exposed sensitive data. Zscaler: published guidance for customers to review exposed support cases. Salesloft: advises all customers to disconnect the Drift-Salesforce integration.

Incident : Service Disruption / Configuration Error CLO4892148111525

Stakeholder Advisories: Visitors: retry access after a few minutes. Website owners: review SSL configuration for compatibility.

Customer Advisories: Visitors of affected websites are advised to retry accessing the site after a short wait. Website owners are directed to Cloudflare’s troubleshooting resources for resolving SSL incompatibility.

Incident : Service Disruption / Internal Server Error CLO1432114111825

Customer Advisories: Generic error message: 'Please try again in a few minutes.'

Incident : Service Disruption / Internal Server Error CLO3732737111825

Customer Advisories: Users were shown a generic error message: 'Please try again in a few minutes.'

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident. Data breach: disconnect the Salesloft Drift integration immediately; treat all Drift-stored authentication tokens as compromised; audit Salesforce for unauthorized data exports (August 8–18, 2024); rotate all credentials/secrets shared via Salesforce cases or Drift chats; monitor for follow-on attacks leveraging stolen AWS/Snowflake tokens. Cloudflare notified affected customers via email/dashboard banners and urged credential rotation; Palo Alto Networks is contacting customers with potentially exposed sensitive data; Zscaler published guidance for customers to review exposed support cases; Salesloft advises all customers to disconnect the Drift-Salesforce integration. SSL configuration incident: visitors are advised to retry access after a few minutes, and website owners are directed to Cloudflare’s troubleshooting resources for resolving SSL incompatibility. Internal server error incidents: users were shown a generic error message, 'Please try again in a few minutes.'

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : DDoS, Hacktivism, Malware CLO420051124

Entry Point: Mobile applications

High Value Targets: Critical alert systems

Data Sold on Dark Web: Critical alert systems

Incident : Data Breach CLO453090325

Entry Point: Compromised Salesloft Drift authentication tokens (likely via phishing or credential stuffing)

Reconnaissance Period: ['August 9, 2024 (Google observed email access)', 'Likely earlier for initial Drift compromise']

High Value Targets: AWS access keys, Snowflake tokens, Salesforce case data with secrets

Data Sold on Dark Web: AWS access keys, Snowflake tokens, Salesforce case data with secrets

Incident : DDoS Attack CLO0692506101325

Entry Point: Compromised IoT devices (home routers, IP cameras, DVRs)

High Value Targets: ISPs serving online gaming communities

Data Sold on Dark Web: ISPs serving online gaming communities

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : DDoS, Hacktivism, Malware CLO420051124

Root Causes: DDoS attacks and malicious mobile applications

Corrective Actions: Enhanced monitoring and mitigation strategies

Incident : Data Breach CLO453090325

Root Causes: Insufficient access controls for Drift-Salesforce integration tokens. Lack of network segmentation between Drift and Salesforce data stores. Over-reliance on static API tokens without rotation policies. Delayed detection of bulk data exfiltration (August 8–18 activity detected later). Acquisition-related security gaps (Drift’s integration post-Salesloft acquisition).

Corrective Actions: Salesloft: took Drift offline, revoked all integration tokens, mandated customer disconnections. Cloudflare: purged Salesloft software, rotated all exposed API tokens, enhanced Salesforce logging. Google: disabled the Drift-Workspace integration, revoked compromised tokens. Industry-wide: reevaluation of third-party chatbot/automation tool security postures.

Incident : DDoS Attack CLO0692506101325

Root Causes: Exploitation of vulnerable IoT devices for botnet recruitment; insufficient DDoS mitigation capabilities in targeted ISPs.

Incident : Service Disruption / Configuration Error CLO4892148111525

Root Causes: Incompatible SSL/TLS configuration between origin server and Cloudflare (e.g., no shared cipher suites).

Corrective Actions: Update the origin server’s SSL/TLS settings to match Cloudflare’s requirements.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described per incident: for the data breach, analysis by Mandiant (for the Salesloft investigation) and Google Threat Intelligence; for the DDoS incidents, likely implemented by the affected companies (not detailed); for the SSL configuration incident, Cloudflare Support (implied via the troubleshooting link).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: enhanced monitoring and mitigation strategies (DDoS/hacktivism incident); Salesloft took Drift offline, revoked all integration tokens and mandated customer disconnections, Cloudflare purged Salesloft software, rotated all exposed API tokens and enhanced Salesforce logging, Google disabled the Drift-Workspace integration and revoked compromised tokens, and the industry reevaluated third-party chatbot/automation tool security postures (data breach); update of the origin server’s SSL/TLS settings to match Cloudflare’s requirements (SSL configuration incident).

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups across the listed incidents were pro-Palestinian hacktivist groups; BlackSuit, Royal, Akira, Scattered Spider, Medusa and Hunters International; UNC6395 (tracked by Mandiant); and the Aisuru IoT botnet.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2023-10-07.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-08-27 (confirmations by Cloudflare, Zscaler, Palo Alto Networks).

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised across the incidents were login passwords, authentication cookies, sensitive user data, customer business contact details (names, emails, phone numbers, locations), Salesforce case data (subject lines, body text with potential keys/secrets), AWS access keys, Snowflake access tokens, Zscaler product licensing/commercial information, and support case logs (which may include tokens/passwords).

What was the most significant system affected in an incident ?

Most Significant System Affected: The systems affected across the incidents were a crypto launchpad and Cloudflare servers; mobile apps, Israeli websites and mobile alert apps; a hosting provider using Cloudflare's Magic Transit; Salesforce instances (via the Salesloft Drift integration), Google Workspace accounts (limited to Drift-integrated emails) and Cloudflare API tokens (104 identified, rotated); online gaming platforms (e.g., Minecraft) and ISPs (AT&T, Comcast, Verizon, T-Mobile, Charter); origin server SSL configuration; and Cloudflare's network infrastructure (two incidents).

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved was Mandiant (for the Salesloft investigation) and Google Threat Intelligence for the data breach, and Cloudflare Support (implied via the troubleshooting link) for the SSL configuration incident.

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: Salesloft revoked all Drift-to-Salesforce connections (pre-notification); Cloudflare disabled Drift user accounts and purged Salesloft software; Google revoked compromised Workspace tokens and disabled the Drift integration; Salesloft took the Drift platform offline and paused Salesforce integrations.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Salesforce case data (subject lines, body text with potential keys/secrets), authentication cookies, login passwords, Customer business contact details (names, emails, phone numbers, locations), Sensitive user data, Snowflake access tokens, Zscaler product licensing/commercial information, Support case logs (may include tokens/passwords) and AWS access keys.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: 104. This figure is the number of Cloudflare API tokens identified in the exposed Salesforce case data (all of which were rotated), not a count of customer records.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Credential hygiene (e.g., rotating tokens in support systems) is often overlooked but critical for limiting post-breach impact.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The recommendations implemented to improve cybersecurity were: implement automated token rotation for all API keys/secrets stored in SaaS platforms; ensure the origin server’s SSL/TLS configuration aligns with Cloudflare’s supported cipher suites and protocols; require multi-factor authentication (MFA) for all Salesforce integrations, including third-party tools; evaluate the necessity of storing sensitive data (e.g., AWS keys) in customer support systems; conduct tabletop exercises for supply chain attack scenarios involving CRM/ERP systems; regularly test SSL/TLS compatibility with third-party services like Cloudflare to preempt connectivity issues; monitor Cloudflare’s documentation for updates on supported cipher suites and configurations; audit all third-party integrations with Salesforce/CRM systems for least-privilege access; enhance monitoring and mitigation strategies, improve communication and coordination with affected organizations, and increase public awareness about the risks of malicious mobile applications; isolate high-risk integrations (e.g., AI chatbots) in segmented network zones with enhanced logging; monitor for unusual data export patterns in Salesforce (e.g., bulk API calls).

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are Google Threat Intelligence Advisory, Sudo Rem, Cloudflare Blog (Postmortem), Cloudflare Support - SSL Troubleshooting, Cloudflare, CyberScoop, Krebs on Security (Brian Krebs), Dutch IT Channel, Mandiant (UNC6395 Tracking), Palo Alto Networks Statement and Zscaler Advisory.

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The URLs for additional resources on cybersecurity best practices are https://www.cyberscoop.com/salesforce-salesloft-drift-hack-cloudflare-zscaler-palo-alto/, https://blog.cloudflare.com/salesloft-drift-incident-august-2024, https://www.zscaler.com/blogs/security-advisories/salesloft-drift-incident-update, https://www.paloaltonetworks.com/blog/2024/08/salesloft-drift-incident-response/, https://cloud.google.com/blog/products/identity-security/google-threat-intelligence-salesloft-drift-campaign, https://www.mandiant.com/resources/insights/unc6395-salesforce-campaign and https://developers.cloudflare.com/ssl/troubleshooting.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: disconnect the Salesloft Drift integration immediately; treat all Drift-stored authentication tokens as compromised; audit Salesforce for unauthorized data exports (August 8–18, 2024); rotate all credentials/secrets shared via Salesforce cases or Drift chats; monitor for follow-on attacks leveraging stolen AWS/Snowflake tokens; and, for the SSL configuration incident, visitors should retry access after a few minutes and website owners should review their SSL configuration for compatibility.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: Cloudflare notified affected customers via email/dashboard banners and urged credential rotation; Palo Alto Networks is contacting customers with potentially exposed sensitive data; Zscaler published guidance for customers to review exposed support cases; Salesloft advises all customers to disconnect the Drift-Salesforce integration. For the SSL configuration incident, visitors of affected websites are advised to retry accessing the site after a short wait and website owners are directed to Cloudflare’s troubleshooting resources for resolving SSL incompatibility. For the two internal server error incidents, users were shown a generic error message: 'Please try again in a few minutes.'

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The entry points used by initial access brokers were compromised Salesloft Drift authentication tokens (likely via phishing or credential stuffing) and mobile applications.

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was August 9, 2024 (Google observed email access), and likely earlier for the initial Drift compromise.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The root causes identified in post-incident analysis were: DDoS attacks and malicious mobile applications (hacktivism incident); insufficient access controls for Drift-Salesforce integration tokens, lack of network segmentation between Drift and Salesforce data stores, over-reliance on static API tokens without rotation policies, delayed detection of bulk data exfiltration (August 8–18 activity detected later) and acquisition-related security gaps (Drift’s integration post-Salesloft acquisition) (data breach); exploitation of vulnerable IoT devices for botnet recruitment and insufficient DDoS mitigation capabilities in targeted ISPs (DDoS attack); incompatible SSL/TLS configuration between origin server and Cloudflare, e.g., no shared cipher suites (SSL configuration incident).

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The corrective actions taken based on post-incident analysis were: enhanced monitoring and mitigation strategies (hacktivism incident); Salesloft took Drift offline, revoked all integration tokens and mandated customer disconnections, Cloudflare purged Salesloft software, rotated all exposed API tokens and enhanced Salesforce logging, Google disabled the Drift-Workspace integration and revoked compromised tokens, and the industry reevaluated third-party chatbot/automation tool security postures (data breach); update of the origin server’s SSL/TLS settings to match Cloudflare’s requirements (SSL configuration incident).


Latest Global CVEs (Not Company-Specific)

Description

A weakness has been identified in codingWithElias School Management System up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. Affected is an unknown function of the file /student-view.php of the component Edit Student Info Page. This manipulation of the argument First Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 3.3
Severity: LOW
AV:N/AC:L/Au:M/C:N/I:P/A:N
cvss3
Base: 2.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
cvss4
Base: 4.8
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025).

Risk Information
cvss3
Base: 9.1
Severity: CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description

A weakness has been identified in winston-dsouza Ecommerce-Website up to 87734c043269baac0b4cfe9664784462138b1b2e. Affected by this issue is some unknown functionality of the file /includes/header_menu.php of the component GET Parameter Handler. Executing manipulation of the argument Error can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 5.0
Severity: MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
cvss3
Base: 4.3
Severity: MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cvss4
Base: 5.3
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A security flaw has been discovered in Qualitor 8.20/8.24. Affected by this vulnerability is the function eval of the file /html/st/stdeslocamento/request/getResumo.php. Performing manipulation of the argument passageiros results in code injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 7.5
Severity: HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Such manipulation leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 6.5
Severity: MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
cvss3
Base: 6.3
Severity: MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 5.3
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=cloudflare' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.