Palo Alto Networks Confirms Data Breach: Hackers Stole Customer Data from Salesforce Instances

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

Palo Alto Networks has confirmed it is one of hundreds of organizations impacted by a significant supply chain attack that resulted in the theft of customer data from its Salesforce instances.

The breach originated from a compromised third-party application, Salesloft’s Drift, and did not affect any of Palo Alto Networks’ own products or services, which the company says remain secure.

The cybersecurity firm announced that as soon as it became aware of the incident, it disconnected the vendor from its Salesforce environment and launched a full investigation led by its Unit 42 security team.

The exposed data primarily consists of business contact information, internal sales account details, and basic customer case data. Palo Alto Networks stated it is in the process of contacting a “limited number of customers” whose potentially more sensitive data may have been exposed.

The widespread data theft campaign took place between August 8 and August 18, 2025. A threat actor, which Google’s Threat Intelligence Group tracks as UNC6395, leveraged compromised OAuth authentication tokens associated with the Salesloft Drift integration to gain unauthorized access and exfiltrate large volumes of data from corporate Salesforce environments.

The supply chain attack originating from the compromised Salesloft Drift application has impacted other major technology companies, including cybersecurity firm Zscaler and Google.

According to a threat brief from Unit 42, the attackers performed mass exfiltration from Salesforce objects, including Account, Contact, Case, and Opportunity records.

The primary motive appears to be credential harvesting; after stealing the data, the hackers actively scanned it for secrets like passwords and access keys for other cloud services, such as Amazon Web Services (AWS) and Snowflake, to facilitate further attacks.

Investigators noted that the actor used automated Python tools for the data theft and attempted to cover their tracks by deleting query logs.

The incident has triggered a wide industry response. On August 20, Salesloft began notifying affected customers and, in collaboration with Salesforce, revoked all active access tokens for the Drift application to sever the connection.

Salesforce also temporarily removed the Drift app from its AppExchange marketplace. Subsequent analysis from Google revealed the breach’s scope was broader than initially believed, potentially compromising all authentication tokens connected to the Drift platform, not just those integrated with Salesforce.

Palo Alto Networks’ Unit 42 has urged all organizations using the Salesloft Drift integration to act with urgency. Recommendations include conducting a thorough review of Salesforce logs for suspicious activity, particularly for a user agent string associated with the attacker’s tools (Python/3.11 aiohttp/3.12.15), and immediately rotating any credentials or secrets that may have been stored in the compromised data.
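As an added example (not code from the article, Palo Alto Networks or Unit 42), the following Python triage script applies the log-review recommendation above: it scans constructed sample log lines for the attacker user agent quoted in the article, restricts matches to the August 8 to 18 campaign window, and flags queries against the Account, Contact, Case and Opportunity objects. The CSV column layout is an assumption for this example, not the real Salesforce Event Log File schema.

```python
import csv
import io
import re
from collections import Counter

# User agent that Unit 42 associated with the attacker's tooling (quoted in the article).
SUSPECT_USER_AGENT = "Python/3.11 aiohttp/3.12.15"
# Salesforce objects the article says were mass-exfiltrated.
TARGETED_OBJECTS = ("Account", "Contact", "Case", "Opportunity")
FROM_CLAUSE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Constructed sample log. The column layout is an assumption for this example,
# not Salesforce's real Event Log File schema; map your own export's columns.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,CLIENT_IP,USER_AGENT,QUERY
API,2025-08-09T02:14:07Z,drift.integration@example.com,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id, Name FROM Account"
API,2025-08-09T02:14:09Z,drift.integration@example.com,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id, Subject, Description FROM Case"
API,2025-08-09T09:00:00Z,alice@example.com,198.51.100.5,Mozilla/5.0 (Windows NT 10.0) Chrome/127.0,"SELECT Id FROM Contact"
API,2025-08-11T22:41:33Z,drift.integration@example.com,203.0.113.10,Python/3.11 aiohttp/3.12.15,"SELECT Id, Amount FROM Opportunity"
API,2025-08-12T10:05:00Z,bob@example.com,198.51.100.7,Python/3.11 aiohttp/3.12.15,"SELECT Id FROM Report"
"""

def find_suspicious_events(log_text, window=("2025-08-08", "2025-08-18")):
    """Return rows whose user agent matches the attacker tooling inside the campaign window.

    Each returned dict carries the original row plus 'object' (the SOQL FROM target)
    and 'targeted' (True when that object is one the campaign is known to have pulled).
    """
    start, end = window
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["USER_AGENT"].strip() != SUSPECT_USER_AGENT:
            continue
        day = row["TIMESTAMP"][:10]  # ISO dates compare correctly as strings
        if not (start <= day <= end):
            continue
        m = FROM_CLAUSE.search(row["QUERY"])
        obj = m.group(1) if m else None
        hits.append({**row, "object": obj, "targeted": obj in TARGETED_OBJECTS})
    return hits

def summarize_by_user(hits):
    """Count flagged queries per identity so the noisiest one (e.g. the integration user) stands out."""
    return Counter(h["USER_NAME"] for h in hits)

if __name__ == "__main__":
    hits = find_suspicious_events(SAMPLE_LOG)
    for h in hits:
        flag = "TARGETED" if h["targeted"] else "review"
        print(f"{h['TIMESTAMP']} {h['USER_NAME']} {h['CLIENT_IP']} {h['object']} [{flag}]")
    print(dict(summarize_by_user(hits)))
```

Any identity that shows up in the summary is a candidate for token revocation, and every secret visible in the flagged records should be treated as exposed and rotated.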

The security team also warned affected organizations to be vigilant against follow-up social engineering attempts and to reinforce security with Zero Trust principles.
