Palo Alto Networks has confirmed that it is one of the victims of the Salesloft Drift supply chain attack. Attackers used OAuth tokens stolen from the Drift integration to read data out of the company's Salesforce instance, exposing customer contact information and support case data. The incident is one ripple of a broader campaign that touched hundreds of Salesforce customers, and it illustrates how a single third-party integration can become an access path into a company's CRM. It also underscores the need for real controls around vendor integrations, not just vendor questionnaires.
The Palo Alto Networks Data Breach: What Happened?
Attackers used OAuth tokens stolen from Salesloft's Drift application, a marketing chatbot integrated with Salesforce, to read Palo Alto Networks' customer relationship management (CRM) data between August 8 and August 18, 2025. The exposed data consisted of business contact details, internal sales account information, and the free-text comments on support cases. Palo Alto states that no technical support files or attachments were taken, but case comments are exactly where customers sometimes paste IP addresses, configuration snippets, and even passwords, so anything of that kind shared in a ticket should be treated as exposed and rotated. Such details can feed follow-on phishing, credential abuse, or ransomware attacks.
The campaign, tracked by Google's Threat Intelligence Group as UNC6395, used automated tooling to mass-export Salesforce objects such as Accounts, Contacts, Cases, and Opportunities through the stolen tokens. The actor then deleted the query jobs it had created so the exports would be less obvious in job history; Salesforce's own event logs were not erased, so they remain the place to look for evidence of what was pulled. Connections were routed through Tor to frustrate attribution, and the stolen data was mined for credentials such as AWS access keys, Snowflake tokens, passwords, and VPN/SSO login strings that could be used to pivot into other environments. This was a deliberate, well-coordinated operation rather than opportunistic scraping.
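The practical question for any affected customer is "which secrets did we leave in support tickets?" The scanner below is an added example, not Palo Alto's or Google's tooling: it runs over exported Salesforce Case comments and flags the credential types named above (AWS keys, Snowflake account hostnames, password assignments, VPN/SSO references). The records, hostnames and keys in it are constructed for the example; the regexes for passwords and VPN/SSO mentions are heuristics you will need to tune to your own ticket language.

```python
import re
from typing import Dict, List

# Constructed sample of exported Case comments. Every value here, including the
# keys, is made up for this example (the AWS pair is the documented example key).
SAMPLE_CASE_COMMENTS = [
    {"CaseId": "5001", "CommentBody": "Firewall still fails to sync; see attached config."},
    {"CaseId": "5002", "CommentBody": "Temp creds for your testing: AKIAIOSFODNN7EXAMPLE / "
                                      "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseId": "5003", "CommentBody": "Our warehouse is at acme-prod.snowflakecomputing.com, "
                                      "user svc_pan password: Winter2025!"},
    {"CaseId": "5004", "CommentBody": "VPN gateway vpn.acme.example; SSO via okta, "
                                      "login string acme\\jdoe"},
]

# Patterns in rough order of confidence. The AWS key-ID prefixes and the
# Snowflake hostname suffix are well known; the rest are heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40 base64-ish characters: far too noisy alone, see the guard in scan_comments.
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "snowflake_account": re.compile(
        r"\b[a-z0-9][a-z0-9._-]*\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "vpn_or_sso_reference": re.compile(r"(?i)\b(?:vpn|sso|okta|adfs)\b[^\n]{0,60}"),
}


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to a credential, never the whole secret."""
    keep = min(4, len(value))
    return value[:keep] + "*" * (len(value) - keep)


def scan_comments(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (case, pattern match) with the secret redacted."""
    findings = []
    for rec in records:
        body = rec.get("CommentBody", "")
        has_key_id = bool(PATTERNS["aws_access_key_id"].search(body))
        for kind, pattern in PATTERNS.items():
            # Only report a bare 40-char secret when an access key ID sits in the same comment.
            if kind == "aws_secret_access_key" and not has_key_id:
                continue
            for m in pattern.finditer(body):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"case_id": rec["CaseId"], "kind": kind,
                                 "redacted": redact(value)})
    return findings


def cases_needing_rotation(findings: List[Dict[str, str]]) -> List[str]:
    """Cases that contained an actual credential, not just a VPN/SSO mention."""
    return sorted({f["case_id"] for f in findings if f["kind"] != "vpn_or_sso_reference"})


if __name__ == "__main__":
    found = scan_comments(SAMPLE_CASE_COMMENTS)
    for f in found:
        print(f"case {f['case_id']}: {f['kind']} -> {f['redacted']}")
    print("rotate credentials referenced in cases:", cases_needing_rotation(found))
```

Run it against a CSV or Bulk API export of CaseComment (and the Description field of Case itself); the output is a rotation worklist, not proof of misuse, so pair it with the event-log review described later in the article.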
A Wider Net
Palo Alto Networks is not alone. The same Drift token theft hit other major companies, including Google and Zscaler, with over 700 organizations potentially affected. A separate but related wave of Salesforce data theft, attributed to the ShinyHunters group (tracked as UNC6040) and relying on voice phishing (vishing) to talk employees into authorizing a malicious connected app, has targeted companies such as Cisco, Adidas, and TransUnion. Together these campaigns show the cascading risk of interconnected SaaS ecosystems: one compromised integration, or one tricked employee, can expose the CRM data of an entire customer base.
Palo Alto’s Response
After learning of the compromise, Palo Alto Networks revoked the stolen tokens, rotated credentials, and opened an investigation led by its Unit 42 team. The company states that its products, services, and systems, including firewalls and Cortex XDR, were not affected; the attackers reached only the Salesforce CRM instance through the Drift integration. Customers whose cases may have contained sensitive data are being notified, with recommendations to enforce multi-factor authentication (MFA), audit Salesforce connected-app permissions, and review logs for anomalous activity.
How to Stay Safe
This incident is a stark reminder to scrutinize third-party integrations. Here is what you can do:
- Enable MFA: Require multi-factor authentication on all Salesforce and related accounts. Keep in mind that MFA protects interactive logins; it does nothing against a stolen OAuth token, which is already past the login step. That is why the next two items matter as much as this one.
- Audit Third-Party Apps: Review the OAuth scopes granted to each connected app, remove integrations you no longer use, and restrict the rest to the objects and fields they actually need. A marketing chatbot has no business reading support case comments.
- Monitor for Phishing: Be wary of emails or calls impersonating support or IT staff. ShinyHunters' vishing playbook talks employees into approving a malicious connected app, which grants the attacker the same kind of token access without any exploit.
- Check for Compromise: Review Salesforce event logs, login history, and Bulk API job history for the period in question, compare source IPs and user agents against the indicators of compromise published by Unit 42 and Google's Threat Intelligence Group, and search exported objects for secrets that need rotating.
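The "check for compromise" step above is easier to act on with a concrete rule. The detector below is an added example, not Palo Alto's or Salesforce's code: it runs over constructed rows modelled loosely on Salesforce Event Monitoring fields and raises an alert when one connected app pulls large row counts from several sensitive objects inside a short window, then annotates the alert with the two signals described in this article, a Tor exit source address and a deleted bulk job. The field names, IP addresses, Tor exit list and row counts are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed event rows. Field names are a simplification of Salesforce
# Event Monitoring columns (TIMESTAMP, USER_NAME, CONNECTED_APP, EVENT_TYPE,
# ENTITY_NAME, ROWS_PROCESSED, SOURCE_IP); every value is invented.
SAMPLE_EVENTS: List[Dict] = [
    # Ordinary chatbot behaviour: small Lead/Contact reads from the vendor's usual egress IP.
    {"ts": "2025-08-10T09:01:00Z", "user": "drift.integration@acme.example", "app": "Drift",
     "event": "ApiQuery", "object": "Lead", "rows": 40, "ip": "203.0.113.10"},
    {"ts": "2025-08-10T09:05:00Z", "user": "drift.integration@acme.example", "app": "Drift",
     "event": "ApiQuery", "object": "Contact", "rows": 25, "ip": "203.0.113.10"},
    # Burst of bulk exports from an unfamiliar address, followed by job deletion.
    {"ts": "2025-08-12T02:10:00Z", "user": "drift.integration@acme.example", "app": "Drift",
     "event": "BulkApiQuery", "object": "Account", "rows": 84000, "ip": "198.51.100.7"},
    {"ts": "2025-08-12T02:12:00Z", "user": "drift.integration@acme.example", "app": "Drift",
     "event": "BulkApiQuery", "object": "Contact", "rows": 120000, "ip": "198.51.100.7"},
    {"ts": "2025-08-12T02:15:00Z", "user": "drift.integration@acme.example", "app": "Drift",
     "event": "BulkApiQuery", "object": "Case", "rows": 61000, "ip": "198.51.100.7"},
    {"ts": "2025-08-12T02:17:00Z", "user": "drift.integration@acme.example", "app": "Drift",
     "event": "BulkApiQuery", "object": "Opportunity", "rows": 30000, "ip": "198.51.100.7"},
    {"ts": "2025-08-12T02:20:00Z", "user": "drift.integration@acme.example", "app": "Drift",
     "event": "BulkApiJobDelete", "object": "", "rows": 0, "ip": "198.51.100.7"},
]

SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
TOR_EXITS = {"198.51.100.7"}  # assumption: a snapshot of a Tor exit-node feed, constructed here
WINDOW = timedelta(minutes=30)
ROW_THRESHOLD = 10_000


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_exfil(events: List[Dict], window: timedelta = WINDOW,
                      row_threshold: int = ROW_THRESHOLD,
                      tor_exits: set = TOR_EXITS) -> List[Dict]:
    """One alert per (app, user) whose activity inside any `window` reads at least
    two sensitive objects with `row_threshold` or more rows each."""
    by_principal: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_principal[(e["app"], e["user"])].append(e)

    alerts = []
    for (app, user), evs in by_principal.items():
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            burst = [e for e in evs[i:] if parse_ts(e["ts"]) - t0 <= window]
            big = [e for e in burst
                   if e["object"] in SENSITIVE_OBJECTS and e["rows"] >= row_threshold]
            objects = sorted({e["object"] for e in big})
            if len(objects) < 2:
                continue
            alerts.append({
                "app": app, "user": user, "window_start": start["ts"],
                "objects": objects,
                "rows": sum(e["rows"] for e in big),
                # Supporting signals from the campaign: Tor egress and job cleanup.
                "tor_exit": any(e["ip"] in tor_exits for e in burst),
                "job_deleted": any(e["event"] == "BulkApiJobDelete" for e in burst),
                "source_ips": sorted({e["ip"] for e in burst}),
            })
            break  # one alert per principal; the full timeline is the next step
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_exfil(SAMPLE_EVENTS):
        print(f"{a['app']}/{a['user']} from {a['window_start']}: "
              f"{a['rows']} rows across {a['objects']}, "
              f"tor={a['tor_exit']}, job_deleted={a['job_deleted']}, ips={a['source_ips']}")
```

The thresholds are deliberately crude; the point is that a marketing integration should have a narrow, stable baseline (a few objects, small row counts, a fixed egress range), so any departure from it across several objects in minutes is worth an analyst's time even without a Tor or deletion signal.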
The Bigger Picture
The Salesloft Drift breach is being called "this year's Snowflake moment" because, as in that campaign, a single trusted integration gave attackers a path into many customers at once. When a company like Palo Alto Networks, a leader in cybersecurity, is among the victims, it is clear that no one is immune. Industry experts are calling for stricter vetting of supply chain partners, real-time monitoring of API and connected-app activity, and investment in detection that can spot a legitimate integration behaving illegitimately.
Have you reviewed your organization’s third-party integrations lately? Now’s the time to double-check and lock down your defenses to ensure data security.