Palo Alto Networks Confirms Salesforce Data Breach After OAuth Token Theft

Palo Alto Networks has confirmed a data breach that exposed customer information and support tickets after cyber attackers gained unauthorized access to its Salesforce system. The breach happened as part of a wider supply chain attack involving compromised OAuth tokens stolen from the Salesloft Drift breach.

The cybersecurity giant clarified that while the incident did affect its Salesforce CRM, no internal systems, security products, or services were impacted. However, the exposure of sensitive customer information, including details from IT support tickets, has raised concerns across the industry.

According to Palo Alto Networks, the breach was part of a large-scale campaign tracked by Google’s Threat Intelligence team as UNC6395. The threat actors used OAuth tokens stolen in the Salesloft Drift incident to connect to the Salesforce environments of multiple companies, including Palo Alto Networks.

Once inside Salesforce, the attackers targeted support cases that often contained sensitive data such as authentication tokens, cloud secrets, and even passwords. This information could allow hackers to move deeper into corporate networks or attack other connected cloud services.

The attackers mainly exfiltrated records from Salesforce objects such as:

  • Account records

  • Contact information

  • Case data

  • Opportunity records

Palo Alto Networks noted that the threat actors specifically searched for keywords like “password,” “secret,” “AWS access keys (AKIA),” “Snowflake tokens,” and “VPN/SSO login strings.” These credentials, if exposed, could be used to breach additional cloud platforms, enabling extortion or secondary attacks.

The hackers used automated tools to steal Salesforce data. Evidence showed they relied on custom Python-based scripts, identified through user-agent strings like:

  • python-requests/2.32.4

  • Python/3.11 aiohttp/3.12.15

  • Salesforce-Multi-Org-Fetcher/1.0

  • Salesforce-CLI/1.0

To avoid detection, they also deleted logs, erased queries, and used Tor networks to hide their origin. This anti-forensics approach made it more difficult for investigators to track their actions.
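The user-agent strings listed above are the most concrete indicator the article gives, so a defender's first move is to hunt for them in whatever API access logs survived the attackers' cleanup (Salesforce event logs, identity provider logs, egress proxy logs). The following is an added example, not code from the article or from Palo Alto Networks or Google: it matches version-agnostic forms of the four reported user agents against a constructed CSV log whose column layout (timestamp, user, client_ip, user_agent, operation) is an assumption for this example rather than a real Salesforce export schema, and it summarizes which identities and which bulk-export operations were involved.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of API access log lines. The column layout is an assumption
# made for this example; it is not a real Salesforce event log format.
SAMPLE_LOG = """timestamp,user,client_ip,user_agent,operation
2025-08-09T02:11:05Z,drift-integration@example.com,203.0.113.7,python-requests/2.32.4,query
2025-08-09T02:11:09Z,drift-integration@example.com,203.0.113.7,Salesforce-Multi-Org-Fetcher/1.0,bulk_query
2025-08-09T09:30:00Z,jane.doe@example.com,198.51.100.21,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0,ui
2025-08-09T10:02:44Z,drift-integration@example.com,203.0.113.7,Python/3.11 aiohttp/3.12.15,bulk_query
2025-08-09T11:15:00Z,sync-service@example.com,192.0.2.55,Salesforce-CLI/1.0,query
"""

# Version-agnostic patterns for the user agents reported in the campaign.
# Generalizing past the exact versions (2.32.4, 3.12.15, 1.0) is a deliberate
# choice: the tooling may be re-run with updated libraries.
SUSPICIOUS_UA_PATTERNS = {
    "python-requests": re.compile(r"^python-requests/\d"),
    "aiohttp": re.compile(r"^Python/\d+\.\d+ aiohttp/\d"),
    "multi-org-fetcher": re.compile(r"^Salesforce-Multi-Org-Fetcher/"),
    "salesforce-cli-lookalike": re.compile(r"^Salesforce-CLI/"),
}


def classify_user_agent(user_agent):
    """Return the indicator name a user-agent string matches, or None."""
    for name, pattern in SUSPICIOUS_UA_PATTERNS.items():
        if pattern.search(user_agent):
            return name
    return None


def find_suspicious_api_activity(log_text):
    """Parse CSV log text and return the rows whose user agent is an indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        label = classify_user_agent(row["user_agent"])
        if label is not None:
            hits.append({**row, "indicator": label})
    return hits


def summarize_by_user(hits):
    """Count flagged requests per identity so the noisiest integration stands out."""
    return dict(Counter(hit["user"] for hit in hits))


def users_with_bulk_exports(hits):
    """Identities that ran bulk exports under a suspicious user agent;
    these are the first candidates for token revocation and data-impact review."""
    return sorted({hit["user"] for hit in hits if hit["operation"] == "bulk_query"})


if __name__ == "__main__":
    flagged = find_suspicious_api_activity(SAMPLE_LOG)
    for hit in flagged:
        print(f"{hit['timestamp']} {hit['user']} {hit['client_ip']} "
              f"{hit['indicator']} ({hit['operation']})")
    print("per user:", summarize_by_user(flagged))
    print("bulk exporters:", users_with_bulk_exports(flagged))
```

Treat a hit as a triage lead rather than proof of compromise: `python-requests` in particular is common in legitimate automation, so the useful signal is a hit combined with a bulk-export operation, an unfamiliar source IP, or an integration user that should not be querying Case records at all.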

Despite these efforts, Palo Alto Networks was able to contain the breach. The company quickly revoked the compromised tokens, rotated all affected credentials, and disabled the Drift application in its Salesforce environment.

In an advisory, Palo Alto Networks emphasized that the breach was contained quickly and limited to Salesforce CRM data. The company stated:

“The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data. We are in the process of directly notifying any impacted customers.”

The company also recommended urgent actions for all Salesloft Drift customers, including:

  1. Review Salesforce, identity provider, and network logs for suspicious activity.

  2. Revoke and rotate all keys and credentials that may have been exposed.

  3. Audit all Drift integrations to identify unusual connections.

  4. Use tools like Trufflehog and Gitleaks to scan code repositories for leaked secrets.

  5. If exfiltration is confirmed, perform a detailed review of compromised data for exposed credentials.
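Step 5 above, reviewing compromised data for exposed credentials, is the same search the attackers ran, only from the defender's side: the objects they exported (Case records in particular) must be scanned for the keyword classes the article names (“password,” “secret,” AWS access keys starting with AKIA, Snowflake tokens, VPN/SSO login strings) so that every exposed credential is rotated. This added example, not code from the article or from Palo Alto Networks, runs that triage over a constructed set of Case records (the record shape and the IDs are assumptions for this example) and reports redacted findings per case, since the output itself must not become another place where secrets leak.

```python
import re
from collections import Counter

# Constructed Case records standing in for an export of the compromised object.
# IDs, subjects and descriptions are made up for this example. The AWS key and
# secret below are the documented AWS example values, not live credentials.
SAMPLE_CASES = [
    {"Id": "500CONSTRUCTED001", "Subject": "VPN not connecting",
     "Description": "Tried again with password=Summer2024! still fails"},
    {"Id": "500CONSTRUCTED002", "Subject": "S3 sync broken",
     "Description": "Key AKIAIOSFODNN7EXAMPLE secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500CONSTRUCTED003", "Subject": "Dashboard slow",
     "Description": "Loading takes 30s since Tuesday"},
    {"Id": "500CONSTRUCTED004", "Subject": "Snowflake connector",
     "Description": "snowflake token attached: sf_tok_CONSTRUCTED123"},
    {"Id": "500CONSTRUCTED005", "Subject": "Remote access",
     "Description": "VPN login: jdoe / Winter2023 works on laptop only"},
]

SCANNED_FIELDS = ("Subject", "Description")

# One pattern per credential class named in the article. ASIA is the prefix of
# temporary AWS credentials and is included alongside AKIA. Snowflake tokens have
# no fixed public format, so that class is keyword-based and will need manual review.
PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"\bpass(?:word|wd)?\s*[:=]\s*(\S+)", re.I),
    "secret_keyword": re.compile(r"\b(?:secret|api[_-]?key)\b\s*[:=]?\s*(\S+)", re.I),
    "snowflake_token": re.compile(r"\bsnowflake\b.{0,40}\btoken\b", re.I | re.S),
    "vpn_sso_login": re.compile(
        r"\b(?:vpn|sso)\b.{0,40}\b(?:login|user(?:name)?)\b\s*[:=]\s*(\S+)", re.I),
}


def redact(value):
    """Keep a short prefix so the finding can be matched to a vault entry,
    never the full value."""
    return (value[:4] if len(value) > 4 else "") + "[REDACTED]"


def scan_case_records(cases):
    """Return one finding per credential-like match across the scanned fields."""
    findings = []
    for case in cases:
        for field in SCANNED_FIELDS:
            text = case.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    captured = match.group(1) if match.groups() else match.group(0)
                    findings.append({
                        "case_id": case["Id"],
                        "field": field,
                        "kind": kind,
                        "redacted": redact(captured),
                    })
    return findings


def triage_summary(findings):
    """Counts per credential class, to size the rotation effort."""
    return dict(Counter(finding["kind"] for finding in findings))


def cases_needing_rotation(findings):
    """Sorted, de-duplicated list of cases whose owners must rotate something."""
    return sorted({finding["case_id"] for finding in findings})


if __name__ == "__main__":
    results = scan_case_records(SAMPLE_CASES)
    for finding in results:
        print(f"{finding['case_id']} {finding['field']:<11} "
              f"{finding['kind']:<20} {finding['redacted']}")
    print("summary:", triage_summary(results))
    print("rotate:", cases_needing_rotation(results))
```

Keyword matching of this kind over-reports by design; the cost of a false positive is a short manual look, while a missed credential is a live foothold for whoever holds the exported data. For repositories rather than CRM exports, the dedicated scanners named in step 4 (Trufflehog, Gitleaks) cover far more credential formats than these five patterns.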

Both Salesforce and Google, along with Palo Alto Networks, have now disabled Drift integrations until the investigation into how OAuth tokens were stolen is completed.

This incident is not isolated. The Salesloft breach has affected hundreds of organizations, including well-known companies such as Zscaler, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.).

Cybercriminals linked to the ShinyHunters extortion group have been actively targeting Salesforce platforms throughout the year. In past campaigns, they used voice phishing (vishing) attacks to trick employees into approving malicious OAuth apps. Once approved, attackers gained long-term access to Salesforce data, which they later used for extortion.

However, in the Salesloft attack, the process was faster and more automated since attackers already had valid OAuth tokens. This gave them direct access to Salesforce instances without needing to trick employees first.

While some security researchers believe the Salesloft Drift campaign could be connected to ShinyHunters, Google’s Threat Intelligence team has not found concrete proof.

Austin Larsen, Principal Threat Analyst at Google, said:

“We’ve not seen any compelling evidence connecting them at this time.”

This suggests that while the techniques and targets are similar, different threat actors may be behind the current campaign.

Organizations using Salesforce or Drift integrations should treat this supply chain breach with serious urgency. The exposure of sensitive IT support tickets, login credentials, and account data can have a cascading effect if attackers use stolen credentials to compromise additional platforms.

Key steps for customers include:

  • Rotating all cloud service credentials, especially AWS keys, Snowflake tokens, and VPN credentials.

  • Running credential scanning tools across repositories to identify embedded secrets.

  • Monitoring for suspicious logins and exfiltration activity.

  • Educating employees about OAuth security risks and phishing attempts.

The Palo Alto Networks data breach highlights the growing risk of supply chain attacks on SaaS platforms. By targeting widely used third-party integrations like Salesloft Drift, attackers can compromise multiple high-profile companies in one campaign.

Although Palo Alto Networks contained the incident and assured that its products and services remain unaffected, the exposure of sensitive support ticket data remains a serious concern. With Salesforce increasingly becoming a target for cybercriminals, companies must adopt stricter monitoring, credential hygiene, and integration audits to reduce their exposure to similar attacks.
