Palo Alto Networks Breach Exposes Customer Data in Salesloft Supply-Chain Attack
Palo Alto Networks has confirmed a significant data breach stemming from compromised OAuth tokens stolen during the recent Salesloft Drift supply-chain attack. Threat actors leveraged these tokens to infiltrate the cybersecurity giant's Salesforce Customer Relationship Management (CRM) system, exposing business contact information, internal sales records, and support case data.
According to Palo Alto's Unit 42 threat intelligence team, attackers specifically targeted Salesforce objects including Account, Contact, Case, and Opportunity records. "The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data," the company stated in communications with BleepingComputer. Crucially, technical support files and attachments weren't accessed.
Attack Methodology and Credential Hunting
The threat actors, tracked by Google as UNC6395, used custom Python tooling to automate the data pull, as evidenced by user-agent strings such as Salesforce-Multi-Org-Fetcher/1.0 and Python/3.11 aiohttp/3.12.15 in the Salesforce logs. After exfiltration, they searched the stolen data for credentials they could reuse, using terms including:
- AWS access keys (AKIA)
- Snowflake tokens
- VPN and SSO login strings
- Generic keywords like "password," "secret," or "key"
"Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access," Palo Alto warned. The attackers also deployed anti-forensic techniques—deleting query logs and routing traffic through Tor to obscure their infrastructure.
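The indicators above (two user-agent strings and bulk reads of Account, Contact, Case and Opportunity) are concrete enough to hunt for in Salesforce API activity logs. The script below is an added example, not code from Palo Alto Networks, Unit 42 or Salesforce: it runs that detection over a handful of constructed log rows. The field names, the sample users and IP addresses, the "scripted client" heuristic and the 10,000-row bulk threshold are all assumptions for illustration; only the two user-agent strings and the four object names come from the article.

```python
"""Hunt constructed Salesforce API event rows for the UNC6395 tradecraft
described in the article. Added example; not Palo Alto, Unit 42 or
Salesforce code."""
import re
from collections import defaultdict

# User-agent strings reported in the article as used by UNC6395.
KNOWN_BAD_UA = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Python/3.11 aiohttp/3.12.15",
}
# Heuristic (assumption, not from the article): scripted HTTP clients are
# unusual for humans working a CRM, so any such client is worth a look.
SCRIPTED_UA = re.compile(r"^(python|aiohttp|curl|go-http-client)\b", re.IGNORECASE)
# Salesforce objects the article says were targeted.
TARGETED_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}

# Constructed sample events. Field names, users and IPs are illustrative and
# do not claim to match the exact Salesforce EventLogFile schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T03:14:07Z", "user": "drift-integration@corp.example",
     "source_ip": "203.0.113.17", "user_agent": "Salesforce-Multi-Org-Fetcher/1.0",
     "entity": "Account", "rows": 48_000},
    {"ts": "2025-08-09T03:16:52Z", "user": "drift-integration@corp.example",
     "source_ip": "203.0.113.17", "user_agent": "Python/3.11 aiohttp/3.12.15",
     "entity": "Contact", "rows": 120_000},
    {"ts": "2025-08-09T03:21:10Z", "user": "drift-integration@corp.example",
     "source_ip": "198.51.100.9", "user_agent": "Python/3.11 aiohttp/3.12.15",
     "entity": "Case", "rows": 9_000},
    {"ts": "2025-08-09T08:02:33Z", "user": "j.doe@corp.example",
     "source_ip": "192.0.2.44", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0",
     "entity": "Opportunity", "rows": 25},
    {"ts": "2025-08-09T23:00:01Z", "user": "nightly-report@corp.example",
     "source_ip": "192.0.2.80", "user_agent": "python-requests/2.31",
     "entity": "Opportunity", "rows": 500},
    {"ts": "2025-08-10T10:40:19Z", "user": "j.doe@corp.example",
     "source_ip": "192.0.2.44", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0",
     "entity": "Account", "rows": 15_000},
]


def classify(event, bulk_threshold):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    ua = event.get("user_agent", "")
    if ua in KNOWN_BAD_UA:
        reasons.append("known UNC6395 user-agent")
    elif SCRIPTED_UA.match(ua):
        reasons.append("scripted client")
    # A bulk read of a targeted object is flagged regardless of user-agent,
    # since the attacker could trivially change the string.
    if event["entity"] in TARGETED_OBJECTS and event["rows"] >= bulk_threshold:
        reasons.append(f"bulk pull of {event['entity']}")
    return reasons


def find_suspicious(events, bulk_threshold=10_000):
    """One finding per suspicious event, in log order."""
    findings = []
    for ev in events:
        reasons = classify(ev, bulk_threshold)
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "source_ip": ev["source_ip"], "entity": ev["entity"],
                             "reasons": reasons})
    return findings


def rows_by_principal(events):
    """Total rows read from targeted objects per user: the first number the
    breach-scoping team will ask for."""
    totals = defaultdict(int)
    for ev in events:
        if ev["entity"] in TARGETED_OBJECTS:
            totals[ev["user"]] += ev["rows"]
    return dict(totals)


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["source_ip"], f["entity"], "; ".join(f["reasons"]))
    print(rows_by_principal(SAMPLE_EVENTS))
```

The exact user-agent match is the cheap, high-confidence signal; the bulk-row check is what still fires after the attacker renames the client, and the per-principal totals tell you which connected-app user to revoke first.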
Supply-Chain Fallout and Industry Impact
This breach is part of a broader campaign affecting hundreds of Salesloft Drift customers, including Zscaler and Google. Attackers first obtained OAuth tokens through Salesloft's platform, then used them to read the Salesforce instances those tokens were connected to across many organizations. Palo Alto emphasized that none of its products, systems, or services were compromised, but the incident shows how much access a single third-party OAuth integration can carry: a token stolen from the vendor is indistinguishable from the vendor's legitimate use until someone looks at what it is reading.
Mitigation and Critical Recommendations
Palo Alto has revoked compromised tokens and rotated credentials, urging all Salesloft Drift customers to:
- Investigate Salesforce, identity provider, and network logs for anomalies
- Review all Drift integrations for suspicious connections
- Immediately revoke and rotate authentication keys, credentials, and secrets
- Scan code repositories with tools like Trufflehog and Gitleaks for embedded secrets
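The attacker's own search (AKIA keys, Snowflake references, VPN and SSO logins, "password", "secret", "key") doubles as the checklist a victim should run over its exported CRM data to decide what to rotate first. The script below is an added example, not Palo Alto's or BleepingComputer's code: it triages constructed Case, Contact, Opportunity and Account records with those patterns and ranks the hits. The AKIA shape (AKIA plus 16 uppercase alphanumerics) is AWS's documented access-key-ID format and the sample key is AWS's published documentation example; the Snowflake, VPN/SSO and keyword patterns, the severity ranking and all record contents are assumptions made for illustration.

```python
"""Triage exported CRM records for credentials an attacker would reuse.
Added example; not code from Palo Alto Networks or BleepingComputer."""
import re

# Patterns mirroring the search terms the article attributes to the attacker.
# Only the AKIA shape is a documented format; the rest are broad heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"\bsnowflake\b", re.IGNORECASE),
    "vpn_or_sso_login": re.compile(
        r"\b(vpn|sso)\b.{0,40}?(login|user(name)?|password)", re.IGNORECASE | re.DOTALL),
    "generic_secret_keyword": re.compile(r"\b(password|passwd|secret|key)\b", re.IGNORECASE),
}
# Assumed ranking: a real key or a login string is actionable; a bare keyword
# is mostly noise ("Key account") and only needs a human glance.
SEVERITY = {"aws_access_key_id": "high", "vpn_or_sso_login": "high",
            "snowflake_reference": "medium", "generic_secret_keyword": "low"}

# Constructed sample export. AKIAIOSFODNN7EXAMPLE is AWS's documentation
# example key, not a live credential.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "CASE-0001", "fields": {
        "Subject": "Firewall HA sync failing",
        "Description": "Customer pasted config; see attached. No credentials."}},
    {"object": "Case", "id": "CASE-0002", "fields": {
        "Subject": "S3 log export broken",
        "Description": "temporary creds: AKIAIOSFODNN7EXAMPLE / wJalr... please rotate after"}},
    {"object": "Contact", "id": "CON-0003", "fields": {
        "Notes": "VPN login for demo tenant: user demo-admin password Winter2025!"}},
    {"object": "Opportunity", "id": "OPP-0004", "fields": {
        "NextStep": "Send Snowflake connector pricing"}},
    {"object": "Account", "id": "ACC-0005", "fields": {
        "Description": "Key account, renew Q3"}},
]


def mask(token):
    """Keep a prefix and suffix so the finding is actionable without copying
    the whole secret into a ticket."""
    if len(token) <= 8:
        return token
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_record(record):
    """All pattern hits in one record, one finding per (field, pattern)."""
    findings = []
    for field, text in record["fields"].items():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(text or "")
            if match:
                snippet = match.group(0)
                if kind == "aws_access_key_id":
                    snippet = mask(snippet)
                findings.append({"object": record["object"], "id": record["id"],
                                 "field": field, "kind": kind,
                                 "severity": SEVERITY[kind], "snippet": snippet})
    return findings


def triage(records):
    """Scan every record and return findings sorted high to low severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for r in records for f in scan_record(r)]
    findings.sort(key=lambda f: (order[f["severity"]], f["id"]))
    return findings


def rotate_first(findings):
    """Records whose contents must be treated as compromised credentials."""
    return {(f["object"], f["id"]) for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    results = triage(SAMPLE_RECORDS)
    for f in results:
        print(f["severity"].upper(), f["object"], f["id"], f["field"], f["kind"], repr(f["snippet"]))
    print("rotate first:", sorted(rotate_first(results)))
```

Run this over the same objects the attacker read (Account, Contact, Case, Opportunity), not just over code repositories: the credentials that matter here were in support notes and case text, which Trufflehog and Gitleaks never see.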
Broader Threat Landscape
This incident follows a pattern of Salesforce-targeted attacks throughout 2025, including social engineering campaigns by groups like ShinyHunters. While Google's Threat Intelligence Group found no conclusive evidence linking UNC6395 to earlier attacks, the parallel objectives—credential harvesting for cloud environment pivots and extortion—highlight evolving risks in SaaS ecosystems.
Source: BleepingComputer