Palo Alto Networks Confirms Breach Tied to Salesloft Drift Supply-Chain Attack

Palo Alto Networks has confirmed it was affected by a supply-chain attack linked to the Salesloft Drift application. Attackers used stolen OAuth tokens to access its Salesforce account, exposing customer contact details and support case data. The breach was limited to its CRM system, and no core products or services were compromised. 

Unit 42 researchers found that threat actors exfiltrated large volumes of Salesforce data, scanned for credentials, and deleted traces to avoid detection. Palo Alto responded by disconnecting Drift, rotating credentials, and launching an internal investigation. 

Zscaler also disclosed a related breach, confirming limited access to its Salesforce data through compromised Drift credentials. No misuse has been detected, but the company revoked access, rotated tokens, and reinforced security measures. 

Google revealed the attack extended beyond Salesforce, affecting other integrations. On August 9, attackers accessed a small number of Google Workspace emails via Drift Email. Google disabled the integration, notified users, and urged all Drift customers to treat connected tokens as compromised. 

Security researchers identified the threat actor as UNC6395, who targeted Salesforce instances between August 8 and 18 to steal credentials including AWS keys and Snowflake tokens. Salesloft revoked all Drift-Salesforce connections and notified affected customers. 

Salesforce confirmed only a small number of users were impacted and has removed Drift from its AppExchange. 

 
