Palo Alto Networks is another victim of the Salesloft Drift incident, which allowed attackers to access its Salesforce account, as per BleepingComputer.
The company disclosed a breach after attackers used stolen OAuth tokens from Salesloft Drift; the exposed information includes customer data and support cases. The company is among hundreds hit in the supply-chain attack, with leaked info potentially including IT details and passwords from support tickets.
“Last week, Salesloft announced its Drift application was breached, which provided unauthorized access to its customer’s Salesforce data. This supply chain attack impacted hundreds of organizations, including Palo Alto Networks.” said Palo Alto Networks. “As soon as we learned of the event, we disconnected the vendor from our Salesforce environment and our Unit 42 security teams launched a comprehensive investigation. Our investigation confirms the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and they remain secure and fully operational. The data involved includes mostly business contact information, internal sales account and basic case data related to our customers.”
Unit 42 researchers investigating the supply chain attack pointed out that the threat actors mass-exfiltrated Salesforce data (accounts, contacts, cases, opportunities), scanned it for credentials, and hid their traces.
“Our observations indicate that the threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case and Opportunity records. Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access. We have observed that the threat actor deleted queries to hide evidence of the jobs they run, likely as an anti-forensics technique.” reads the report published by Palo Alto Networks.
“Salesloft has confirmed that all impacted customers have been notified and took immediate action to secure its systems and contain and mitigate the incident, including proactively revoking all active access and refresh tokens for the Drift application, necessitating re-authentication for affected administrators.”
In response to the security incident, the company promptly rotated all credentials identified as exposed within the exfiltrated data. This covers Salesforce API keys, connected app credentials, and any other system credentials discovered in the compromised data.
Other prominent victims of this supply chain attack are Google and Zscaler.
This week, Zscaler disclosed a data breach linked to the recent Salesloft Drift attack. The cybersecurity vendor confirmed it was affected by a campaign targeting Salesloft Drift, a marketing SaaS integrated with Salesforce. Threat actors stole OAuth tokens from Salesloft; the incident impacted multiple Salesforce customers, including Zscaler. Attackers gained unauthorized access to Drift credentials, allowing limited visibility into some of Zscaler’s Salesforce information. The company pointed out that its products, services, and core infrastructure were not compromised.
“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler’s Salesforce information.” reads the advisory published by Zscaler. “After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information.”
The information exposed in the incident consists of commonly available business contact details for points of contact and specific Salesforce-related content, including names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, and content from certain support cases.
Zscaler confirmed it has revoked Drift’s Salesforce access, rotated API tokens, launched a joint investigation with Salesforce, added safeguards, reviewed third-party vendors, and reinforced customer support authentication to reduce phishing risks.
The company urges customers to remain vigilant against phishing attempts and social engineering attacks, despite limited impact and no misuse evidence.
Last week, Google disclosed that the Salesloft Drift OAuth breach is broader than Salesforce, affecting all integrations. GTIG and Mandiant advise all customers to treat connected tokens as compromised. Attackers used stolen OAuth tokens to access some Google Workspace emails on August 9, 2025, via the Drift Email integration. Google stressed this was not a compromise of Workspace itself, and only accounts integrated with Salesloft were at risk, with no access to other customer accounts.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” reads the update published by Google Threat Intelligence Group (GTIG).
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the “Drift Email” integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts. The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain.”
Google already notified impacted users and revoked Drift Email OAuth tokens, disabled its Workspace integration, and urged Salesloft Drift users to review integrations, rotate credentials, and check for breaches.
Last week, Google Threat Intelligence Group and Mandiant researchers announced that they investigated a large-scale data theft campaign aimed at hacking the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent.
The experts discovered that the threat actor UNC6395 stole OAuth tokens via Salesloft Drift, exfiltrating data from Salesforce between Aug 8 and 18, 2025, to harvest credentials like AWS access keys (AKIA) and Snowflake tokens.
“Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.” reads the report published by Google Threat Intelligence Group (GTIG). “The actor systematically exported large volumes of data from numerous corporate Salesforce instances.”
UNC6395 stole Salesforce data, prompting GTIG to advise treating it as compromised and rotating credentials. The threat actor deleted query jobs to evade detection. Google urges log reviews, key revocation, and credential rotation to assess and contain the compromise.
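Both the Unit 42 account (the actor scanned the exfiltrated records for credentials, and the company then rotated every credential found in that data) and the GTIG account (AWS access keys and Snowflake tokens harvested from Salesforce objects) lead to the same defensive task: sweep your own exported Case, Account and Contact text for secrets so they can be inventoried and rotated. The Python below is an added example, not code from Palo Alto Networks, Google, Salesloft or Salesforce. It runs over a constructed set of Case records; the AWS access key ID format (the `AKIA` prefix plus 16 upper-case alphanumerics) is the documented one, while the password-assignment and `snowflake_token` patterns are loose heuristics assumed here for illustration, not vendor-specified formats.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of support-ticket text as it might sit in Salesforce
# Case records. Every secret below is fake and made up for this example.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Subject": "Firewall upgrade failing",
     "Description": "Logs attached. Nothing sensitive here."},
    {"Id": "CASE-0002", "Subject": "S3 sync broken",
     "Description": "Our deploy script uses AKIAEXAMPLE012345678 and it stopped working."},
    {"Id": "CASE-0003", "Subject": "Warehouse login",
     "Description": "Temporary creds: password: Winter2025!  snowflake_token=sfx_abc123DEF456ghi789"},
]

# (kind, regex); group 1 is the secret value. The AWS key-ID format is the
# documented one; the other two are heuristics assumed for this example.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("password_assignment",
     re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE)),
    ("snowflake_token",
     re.compile(r"\bsnowflake[_-]?token\s*[:=]\s*(\S+)", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    record_id: str   # Salesforce record Id the secret was found in
    field: str       # field the secret appeared in (e.g. Description)
    kind: str        # which pattern matched
    masked: str      # secret with everything after a 4-char prefix masked


def mask(secret: str) -> str:
    """Keep a short prefix so a key can be matched against the owning team's
    inventory without copying the full secret into the triage report."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_record(record: dict) -> list:
    """Apply every pattern to every string field of one record."""
    findings = []
    rid = record.get("Id", "?")
    for field, value in record.items():
        if field == "Id" or not isinstance(value, str):
            continue
        for kind, rx in PATTERNS:
            for m in rx.finditer(value):
                findings.append(Finding(rid, field, kind, mask(m.group(1))))
    return findings


def scan_cases(records) -> list:
    """Scan an exported list of records and return all findings in order."""
    out = []
    for rec in records:
        out.extend(scan_record(rec))
    return out


def rotation_checklist(findings) -> dict:
    """Group affected record Ids by credential type so each owning team
    (cloud, data platform, helpdesk) receives one list to rotate against."""
    checklist = defaultdict(set)
    for f in findings:
        checklist[f.kind].add(f.record_id)
    return dict(checklist)


if __name__ == "__main__":
    found = scan_cases(SAMPLE_CASES)
    for f in found:
        print(f"{f.record_id} {f.field} {f.kind}: {f.masked}")
    print(rotation_checklist(found))
```

In practice the input would be the same Case/Account/Contact export the investigation already produced (for example via Bulk API CSV), and the checklist, not the raw findings, is what gets handed to the teams that own each credential type; the masked prefix is enough for them to locate the key in their own inventory.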
Salesloft warned that hackers exploited OAuth credentials in the Drift app to steal Salesforce data (Cases, Accounts, Users, Opportunities). On August 20, 2025, it revoked all Drift–Salesforce connections, stressing that non-Salesforce users are unaffected. Admins are advised to re-authenticate Salesforce integrations, and impacted customers have been notified, though the full scale remains unclear.
“From August 8 to August 18, 2025, a threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances. All impacted customers have been notified.” reads the Drift/Salesforce Security Update published by Salesloft. “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration.”
Salesforce said only a small number of customers were affected due to a compromised app connection. Working with Salesloft, it revoked tokens, pulled Drift from AppExchange, and notified impacted users.