In August 2025, Palo Alto Networks, a leading cybersecurity firm, experienced a significant data breach resulting from a supply chain attack. This incident led to unauthorized access to the company’s Salesforce instances, exposing sensitive customer information.
Incident Overview
Between August 8 and August 18, 2025, threat actors exploited compromised OAuth authentication tokens associated with Salesloft’s Drift application—a third-party AI-powered chatbot and customer engagement tool integrated into Salesforce. This exploitation allowed unauthorized access to the Salesforce environments of numerous organizations, including Palo Alto Networks. The attackers, identified by Google’s Threat Intelligence Group as UNC6395, conducted mass data exfiltration during this period.
Scope of the Breach
The compromised data primarily includes business contact details, internal sales account information, and basic customer case data. Palo Alto Networks has initiated direct communication with a limited number of customers whose data may have been more sensitive. Importantly, the breach was confined to the Salesforce CRM system and did not affect the company’s products, systems, or services.
Attack Methodology
The attackers leveraged the compromised OAuth tokens to access and extract large volumes of data from Salesforce objects, such as Account, Contact, Case, and Opportunity records. Their primary objective appeared to be credential harvesting; they actively scanned the exfiltrated data for sensitive information like passwords and access keys for other cloud services, including Amazon Web Services (AWS) and Snowflake, to facilitate further attacks. Automated Python tools were employed for data theft, and efforts were made to conceal their activities by deleting query logs.
Industry-Wide Impact
This supply chain attack has had a broad impact, affecting several major technology companies, including Zscaler and Google. The widespread nature of the breach underscores the vulnerabilities inherent in third-party integrations and the potential risks they pose to organizational security.
Response and Mitigation Efforts
Upon discovering the breach, Palo Alto Networks promptly disconnected the compromised vendor from its Salesforce environment and launched a comprehensive investigation led by its Unit 42 security team. Salesloft, in collaboration with Salesforce, revoked all active access tokens for the Drift application to sever unauthorized connections. Salesforce also temporarily removed the Drift app from its AppExchange marketplace to prevent further exploitation.
Recommendations for Affected Organizations
Palo Alto Networks’ Unit 42 has issued several recommendations for organizations using the Salesloft Drift integration:
1. Review Logs: Conduct a thorough examination of Salesforce logs for any suspicious activity, particularly looking for user agent strings associated with the attacker’s tools, such as `Python/3.11 aiohttp/3.12.15`.
2. Credential Rotation: Immediately rotate any credentials or secrets that may have been stored in the compromised data to prevent further unauthorized access.
3. Vigilance Against Social Engineering: Be alert to potential follow-up social engineering attempts that may arise as a result of the breach.
4. Implement Zero Trust Principles: Strengthen security measures by adopting Zero Trust principles, which involve verifying every request as though it originates from an open network.
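As an added illustration of the log review in item 1 (example code, not part of the Unit 42 guidance or this article): a small Python script that parses constructed Salesforce API event rows, flags the user agent string quoted above, and separately flags very large row counts per query. The column names, the broader Python/aiohttp pattern and the row-count threshold are assumptions for the example, not Salesforce's actual Event Monitoring schema.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of API event-log rows. Column names are an assumption
# for this example, not the exact Salesforce Event Monitoring field names.
SAMPLE_LOG = """\
TIMESTAMP,USER_NAME,EVENT_TYPE,USER_AGENT,QUERY,ROWS_PROCESSED
2025-08-09T02:11:05Z,drift-integration@example.com,API,Python/3.11 aiohttp/3.12.15,SELECT Id FROM Account,250000
2025-08-09T02:14:40Z,drift-integration@example.com,API,Python/3.11 aiohttp/3.12.15,SELECT Id FROM Case,180000
2025-08-09T09:30:12Z,alice@example.com,API,Mozilla/5.0 (Windows NT 10.0) Salesforce,SELECT Id FROM Contact LIMIT 1,1
2025-08-10T03:02:51Z,drift-integration@example.com,API,Python/3.11 aiohttp/3.12.15,SELECT Id FROM Contact,410000
2025-08-10T11:45:00Z,bob@example.com,API,python-requests/2.31,SELECT Id FROM Opportunity LIMIT 10,10
"""

# Exact user agent called out in the Unit 42 guidance, plus a broader pattern
# (an assumption) that catches other Python/aiohttp client versions.
KNOWN_BAD_UA = "Python/3.11 aiohttp/3.12.15"
PYTHON_AIOHTTP = re.compile(r"^Python/\d+\.\d+ aiohttp/\d+\.\d+\.\d+$")
BULK_ROW_THRESHOLD = 100_000  # assumed cut-off for "large" extraction per query


def parse_log(text):
    """Parse CSV event rows into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_rows(rows):
    """Return (timestamp, user, reasons) for rows matching the attacker UA
    or pulling an unusually large number of records in one query."""
    flagged = []
    for r in rows:
        ua = r["USER_AGENT"].strip()
        reasons = []
        if ua == KNOWN_BAD_UA:
            reasons.append("known-ua")
        elif PYTHON_AIOHTTP.match(ua):
            reasons.append("python-aiohttp")
        if int(r["ROWS_PROCESSED"]) >= BULK_ROW_THRESHOLD:
            reasons.append("bulk-rows")
        if reasons:
            flagged.append((r["TIMESTAMP"], r["USER_NAME"], reasons))
    return flagged


def rows_per_user(flagged):
    """Count flagged events per user so a single integration account stands out."""
    return Counter(user for _, user, _ in flagged)


if __name__ == "__main__":
    hits = flag_rows(parse_log(SAMPLE_LOG))
    for ts, user, reasons in hits:
        print(ts, user, ",".join(reasons))
    print(rows_per_user(hits))
```

Run against real exported event logs, the same two checks (exact UA match and bulk row counts) point at the integration user whose token was abused; the generic `python-requests` row is deliberately left unflagged to show the pattern is narrow.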
Conclusion
The Palo Alto Networks data breach serves as a stark reminder of the critical importance of securing third-party integrations and the potential risks they pose. Organizations are urged to take immediate action to review their security postures, especially concerning third-party applications, to mitigate the risk of similar incidents.