Palo Alto Networks has confirmed that it was affected by a supply chain attack, resulting in the theft of customer data from its Salesforce instances.
The breach originated from a compromised third-party application, Salesloft’s Drift, and did not affect any of Palo Alto Networks’ own products or services, which the company says remain secure.
The cybersecurity firm announced that as soon as it became aware of the incident, it disconnected the vendor from its Salesforce environment and launched a full investigation led by its Unit 42 security team.
The exposed data primarily consists of business contact information, internal sales account details, and basic customer case data. Palo Alto Networks stated it is in the process of contacting a “limited number of customers” whose potentially more sensitive data may have been exposed.
The widespread data theft campaign took place between August 8 and August 18, 2025. A threat actor, which Google’s Threat Intelligence Group tracks as UNC6395, leveraged compromised OAuth authentication tokens associated with the Salesloft Drift integration to gain unauthorized access and exfiltrate large volumes of data from corporate Salesforce environments.
The supply chain attack originating from the compromised Salesloft Drift application has impacted other major technology companies, including cybersecurity firm Zscaler and Google.
According to a threat brief from Unit 42, the attackers performed mass exfiltration from Salesforce objects, including Account, Contact, Case, and Opportunity records.
The primary motive appears to be credential harvesting; after stealing the data, the hackers actively scanned it for secrets like passwords and access keys for other cloud services, such as Amazon Web Services (AWS) and Snowflake, to facilitate further attacks.
Investigators noted that the actor used automated Python tools for the data theft and attempted to cover their tracks by deleting query logs.
The incident has triggered a wide industry response. On August 20, Salesloft began notifying affected customers and, in collaboration with Salesforce, revoked all active access tokens for the Drift application to sever the connection.
Salesforce also temporarily removed the Drift app from its AppExchange marketplace. Subsequent analysis from Google revealed the breach’s scope was broader than initially believed, potentially compromising all authentication tokens connected to the Drift platform, not just those integrated with Salesforce.
Palo Alto Networks’ Unit 42 has urged all organizations using the Salesloft Drift integration to act with urgency. Recommendations include conducting a thorough review of Salesforce logs for suspicious activity, particularly for a user agent string associated with the attacker’s tools (Python/3.11 aiohttp/3.12.15), and immediately rotating any credentials or secrets that may have been stored in the compromised data.
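The log review Unit 42 recommends can be scripted. The following is an added example, not code from the article or from Palo Alto Networks: it scans a constructed, simplified Salesforce-style query log (the column names are an assumption, not a real Salesforce export schema) and flags rows that carry the user agent string named above, or that bulk-read one of the objects the article says were targeted (Account, Contact, Case, Opportunity) inside the August 8 to August 18 window. The `bulk_threshold` value is an assumed tuning knob.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# User agent the article attributes to the attacker's tooling.
SUSPICIOUS_USER_AGENT = "Python/3.11 aiohttp/3.12.15"
# Campaign window named in the article (inclusive, UTC).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)
# Salesforce objects the article says were mass-exfiltrated.
TARGET_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}

# Constructed sample log for illustration only; the column layout is an
# assumption and does not mirror a real Salesforce EventLogFile export.
SAMPLE_LOG = """timestamp,user,client_ip,user_agent,object,rows_returned
2025-08-05T09:12:00Z,alice@example.com,203.0.113.5,Mozilla/5.0 (Windows NT 10.0),Account,40
2025-08-10T02:14:33Z,drift-integration@example.com,198.51.100.7,Python/3.11 aiohttp/3.12.15,Account,250000
2025-08-10T02:16:10Z,drift-integration@example.com,198.51.100.7,Python/3.11 aiohttp/3.12.15,Contact,400000
2025-08-11T14:03:01Z,bob@example.com,203.0.113.9,Mozilla/5.0 (Macintosh),Opportunity,12
2025-08-25T10:00:00Z,drift-integration@example.com,198.51.100.7,Python/3.11 aiohttp/3.12.15,Case,5
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    obj: str
    rows: int
    reasons: tuple


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def scan_log(text: str, bulk_threshold: int = 10000) -> list:
    """Return one Finding per log row that matches at least one indicator.

    Two independent checks are applied so that a row is still flagged if the
    actor changes its user agent but keeps the same bulk-read behaviour.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = []
        ts = parse_ts(row["timestamp"])
        rows = int(row["rows_returned"])
        if row["user_agent"] == SUSPICIOUS_USER_AGENT:
            reasons.append("known-bad user agent")
        in_window = WINDOW_START <= ts <= WINDOW_END
        if in_window and row["object"] in TARGET_OBJECTS and rows >= bulk_threshold:
            reasons.append("bulk read of targeted object inside campaign window")
        if reasons:
            findings.append(Finding(row["timestamp"], row["user"], row["object"], rows, tuple(reasons)))
    return findings


def users_to_rotate(findings: list) -> set:
    """Integration users seen in any finding; their tokens and any secrets
    reachable through them are candidates for immediate rotation."""
    return {f.user for f in findings}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} {f.obj} rows={f.rows} -> {', '.join(f.reasons)}")
    print("rotate credentials for:", sorted(users_to_rotate(scan_log(SAMPLE_LOG))))
```

The user agent match is the cheapest signal but also the easiest for an actor to change, so the second check keys on behaviour (large reads of the four objects during the known window) rather than on tooling fingerprints. Note that the last sample row is flagged on user agent alone because it falls outside the window and reads few rows; an analyst would still want to see it, since the article reports the actor deleting query logs to hide activity.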
The security team also warned affected organizations to be vigilant against follow-up social engineering attempts and to reinforce security with Zero Trust principles.
In August 2025, a widespread data theft campaign abused compromised OAuth tokens associated with Salesloft’s Drift application, a popular AI-powered chatbot and customer engagement tool. A threat actor, tracked by Google as UNC6395, leveraged these tokens to gain unauthorized access to the Salesforce environments of hundreds of organizations between August 8 and August 18.
The primary motive was credential harvesting. Attackers performed mass exfiltration of data from Salesforce objects—including customer accounts, contacts, and sales opportunities—and then scanned the stolen information for valuable secrets like AWS access keys, passwords, and Snowflake tokens to facilitate deeper network intrusions.
Confirmed victims of this supply chain attack include:
In response, Salesloft and Salesforce collaborated to revoke all active Drift integration tokens and temporarily removed the app from the Salesforce AppExchange to contain the threat.
Running parallel to the Salesloft incident is a broader, ongoing campaign attributed to a group known as “ShinyHunters” (or UNC6040). Since mid-2025, this group has successfully breached numerous major corporations by using sophisticated voice phishing, or “vishing,” tactics.
In these attacks, threat actors impersonate IT support staff in phone calls to trick employees into granting them access to the company’s Salesforce instance, often by having the employee authorize a malicious Salesforce “Connected App”.
This social engineering campaign has claimed a long list of victims, including: