Palo Alto Networks has confirmed that it was affected by a supply chain attack, resulting in the theft of customer data from its Salesforce instances.
The breach originated from a compromised third-party application, Salesloft’s Drift, and did not affect any of Palo Alto Networks’ own products or services, which the company says remain secure.
The cybersecurity firm announced that as soon as it became aware of the incident, it disconnected the vendor from its Salesforce environment and launched a full investigation led by its Unit 42 security team.
The exposed data primarily consists of business contact information, internal sales account details, and basic customer case data. Palo Alto Networks stated that it is in the process of contacting a “limited number of customers” whose potentially more sensitive data may have been exposed.
The widespread data theft campaign took place between August 8 and August 18, 2025. A threat actor, which Google’s Threat Intelligence Group tracks as UNC6395, leveraged compromised OAuth authentication tokens associated with the Salesloft Drift integration to gain unauthorized access and exfiltrate large volumes of data from corporate Salesforce environments.
The supply chain attack originating from the compromised Salesloft Drift application has impacted other major technology companies, including cybersecurity firm Zscaler and Google.
According to a threat brief from Unit 42, the attackers performed mass exfiltration from Salesforce objects, including Account, Contact, Case, and Opportunity records.
The primary motive appears to be credential harvesting; after stealing the data, the hackers actively scanned it for secrets such as passwords and access keys for other cloud services, such as Amazon Web Services (AWS) and Snowflake, to facilitate further attacks.
Investigators noted that the actor used automated Python tools for the data theft and attempted to cover their tracks by deleting query logs.
The incident has triggered a broad industry response. On August 20, Salesloft began notifying affected customers and, in collaboration with Salesforce, revoked all active access tokens for the Drift application to sever the connection.
Salesforce also temporarily removed the Drift app from its AppExchange marketplace. Subsequent analysis from Google revealed that the breach’s scope was broader than initially believed, potentially compromising all authentication tokens linked to the Drift platform, not just those integrated with Salesforce.
Palo Alto Networks’ Unit 42 has urged all organizations using the Salesloft Drift integration to act with urgency. Recommendations include conducting a thorough review of Salesforce logs for suspicious activity, particularly for a user agent string associated with the attacker’s tools (Python/3.11 aiohttp/3.12.15), and immediately rotating any credentials or secrets that may have been stored in the compromised data.
The security team also warned affected organizations to be vigilant against follow-up social engineering attempts and to strengthen security with Zero Trust principles.
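The log review Unit 42 recommends above, as an added example that is not part of the original article or of Unit 42's tooling: a small Python hunt that reads a Salesforce activity export, flags requests whose user agent matches the string quoted in the brief, weighs them against the August 8 to August 18 window and the objects named in the brief, and lists the user accounts whose credentials and tokens should be rotated. The CSV column names and the sample log lines are constructed for this example; real Salesforce EventLogFile exports use their own field names, so map them before use.

```python
"""Hunt for UNC6395-style activity in a Salesforce activity export (added example).

Assumptions (not from the Unit 42 brief): the export is a CSV with the columns
TIMESTAMP, USER_NAME, USER_AGENT, ENTITY_NAME and ROWS_PROCESSED. Real
EventLogFile exports use different field names; adapt the column names below.
"""
import csv
import io
from datetime import datetime, timezone

# Indicator quoted in the Unit 42 brief.
IOC_USER_AGENT = "Python/3.11 aiohttp/3.12.15"
# Campaign window reported in the brief (end is exclusive, so August 18 is included).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)
# Objects the brief says were mass-exfiltrated.
TARGET_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
# Constructed heuristic: a single request returning this many rows is a bulk read.
BULK_THRESHOLD = 1000

# Constructed sample log lines; the user names and counts are invented.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,USER_AGENT,ENTITY_NAME,ROWS_PROCESSED
2025-08-07T09:12:00Z,alice@example.com,Mozilla/5.0 (Windows NT 10.0),Account,25
2025-08-10T02:41:13Z,drift-integration@example.com,Python/3.11 aiohttp/3.12.15,Account,48210
2025-08-10T02:43:58Z,drift-integration@example.com,Python/3.11 aiohttp/3.12.15,Contact,193400
2025-08-10T02:50:02Z,drift-integration@example.com,Python/3.11 aiohttp/3.12.15,Case,77120
2025-08-12T15:05:44Z,bob@example.com,Python/3.11 aiohttp/3.12.15,Opportunity,12
2025-08-21T11:00:00Z,carol@example.com,Python/3.11 aiohttp/3.12.15,Account,9000
"""


def parse_log(text):
    """Parse the CSV export into dicts with typed timestamp and row count."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        rec["TIMESTAMP"] = ts.replace(tzinfo=timezone.utc)
        rec["ROWS_PROCESSED"] = int(rec["ROWS_PROCESSED"])
        rows.append(rec)
    return rows


def classify(rec):
    """Return the list of reasons a record looks suspicious (empty if none)."""
    reasons = []
    if rec["USER_AGENT"].strip() == IOC_USER_AGENT:
        reasons.append("ioc_user_agent")
        if WINDOW_START <= rec["TIMESTAMP"] < WINDOW_END:
            reasons.append("in_campaign_window")
    if rec["ENTITY_NAME"] in TARGET_OBJECTS and rec["ROWS_PROCESSED"] >= BULK_THRESHOLD:
        reasons.append("bulk_read")
    return reasons


def hunt(text):
    """Flag suspicious records and assign a severity for triage ordering."""
    findings = []
    for rec in parse_log(text):
        reasons = classify(rec)
        if "ioc_user_agent" in reasons:
            # The IOC outside the reported window still deserves a look, but
            # ranks below hits inside it.
            severity = "high" if "in_campaign_window" in reasons else "medium"
        elif reasons:
            severity = "low"   # bulk read by an unknown client; verify it is legitimate
        else:
            continue
        findings.append({**rec, "reasons": reasons, "severity": severity})
    return findings


def rows_by_object(findings):
    """Total rows returned to the IOC client per Salesforce object (exposure estimate)."""
    totals = {}
    for f in findings:
        if "ioc_user_agent" in f["reasons"]:
            totals[f["ENTITY_NAME"]] = totals.get(f["ENTITY_NAME"], 0) + f["ROWS_PROCESSED"]
    return totals


def affected_users(findings):
    """Accounts that served the IOC client; their tokens and credentials go on the rotation list."""
    return {f["USER_NAME"] for f in findings if "ioc_user_agent" in f["reasons"]}


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f["severity"], f["TIMESTAMP"].isoformat(), f["USER_NAME"],
              f["ENTITY_NAME"], f["ROWS_PROCESSED"], ",".join(f["reasons"]))
    print("rows exposed per object:", rows_by_object(results))
    print("rotate credentials for:", sorted(affected_users(results)))
```

Because the brief notes that the actor deleted query logs, an empty result from this hunt is not proof of absence; it should be paired with a review of which Connected App tokens existed during the window and with rotation of any secrets that were stored in the exported objects regardless of what the logs show.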
Salesloft Drift Supply Chain Attack
In August 2025, a widespread data theft campaign abused compromised OAuth tokens associated with Salesloft’s Drift application, a popular AI-powered chatbot and customer engagement tool. A threat actor, tracked by Google as UNC6395, leveraged these tokens to gain unauthorized access to the Salesforce environments of hundreds of organizations between August 8 and August 18.
The primary motive was credential harvesting. Attackers performed mass exfiltration of data from Salesforce objects, including customer accounts, contacts, and sales opportunities, and then scanned the stolen information for valuable secrets like AWS access keys, passwords, and Snowflake tokens to facilitate deeper network intrusions.
Confirmed victims of this supply chain attack include:
Palo Alto Networks: The cybersecurity firm confirmed the exposure of business contact information and internal sales data from its CRM platform.
Zscaler: The cloud security company reported that customer information, including names, contact details, and some support case content, was accessed.
Google: In addition to being an investigator, Google confirmed a “very small number” of its Workspace accounts had been accessed via the compromised tokens.
In response, Salesloft and Salesforce collaborated to revoke all active Drift integration tokens and temporarily removed the app from the Salesforce AppExchange to contain the threat.
“ShinyHunters” Salesforce Social Engineering Campaign
Operating in parallel to the Salesloft incident is a broader, ongoing campaign attributed to a group known as “ShinyHunters” (or UNC6040). Since mid-2025, this group has successfully breached numerous major companies by using sophisticated voice phishing, or “vishing,” tactics.
In these attacks, threat actors impersonate IT support staff in phone calls to trick employees into granting them access to the company’s Salesforce instance, often by having the employee authorize a malicious Salesforce “Connected App”.
This social engineering campaign has claimed a long list of victims, including:
Google: In June 2025, the group accessed a Salesforce system containing prospective Google Ads customer information.
Major Brands: Luxury and retail giants like LVMH (Louis Vuitton, Dior), Chanel, and Adidas were targeted.
Financial and Insurance: Companies including Allianz Life, Farmers Insurance, and, most recently, TransUnion have reported breaches linked to this campaign, with the TransUnion incident affecting 4.4 million U.S. consumers.