Palo Alto Networks says Salesforce data exposed in breach tied to Salesloft Drift supply-chain attack

Palo Alto Networks said a data breach exposed customer information and support-case data after attackers abused compromised OAuth tokens tied to the Salesloft Drift supply-chain breach to access its Salesforce CRM. The company described the incident as part of a broader attack that affected hundreds of organizations, but stressed that none of its products, systems or services were compromised.

In a statement to customers, Palo Alto Networks said the attacker exfiltrated primarily business contact and related account information, along with internal sales records and basic case data. The firm said investigators observed mass exfiltration from Salesforce objects including Account, Contact, Case and Opportunity, followed by attempts to search the stolen data for credentials such as AWS access keys, Snowflake tokens, VPN and SSO strings, and common keywords like “password” or “secret”. The attackers reportedly used automated tools, deleted logs to conceal their activity, and routed their access through Tor to obscure its origin.

Palo Alto Networks reported that it revoked the associated tokens and rotated credentials in the wake of the incident and disabled the Drift integration within its Salesforce environment. The company said its Unit 42 team is conducting an investigation and that the breach did not affect Palo Alto Networks’ products, systems or services. The advisory from Unit 42 related to the incident can be read here.

The firm recommended that customers treat the situation with “immediate urgency” and take steps such as reviewing Salesforce, identity-provider and network logs for signs of compromise; auditing all Drift integrations for suspicious connections; revoking and rotating authentication keys, credentials and secrets; and using automated tools to scan repositories for embedded keys or tokens. If any data was confirmed exfiltrated, Palo Alto urged customers to inspect the records for credentials to prevent further access.
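The last recommendation above, inspecting confirmed-exfiltrated records for embedded credentials, is the kind of check a defender would script rather than do by hand. The following is an added example written for this article, not code from Palo Alto Networks or Unit 42; it assumes records exported from Salesforce in REST query-result shape (an `attributes.type` field naming the object) and uses a constructed sample. The pattern set is a starting point chosen for the indicators the article names (AWS access key IDs, Snowflake, VPN/SSO strings, “password”/“secret” keywords) and should be extended per environment.

```python
import re
from typing import Dict, Iterable, List

# Indicator patterns (assumed for this example; extend as needed).
# AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_keyword": re.compile(r"\b(password|secret|snowflake|vpn|sso)\b", re.I),
}
# Indicators whose matched text is itself a secret and must not land in a report.
SENSITIVE = {"aws_access_key_id", "private_key_block"}

# Free-text fields to scan on the objects the article says were exfiltrated.
TEXT_FIELDS = {
    "Case": ("Subject", "Description"),
    "Account": ("Name", "Description"),
    "Contact": ("Description",),
    "Opportunity": ("Name", "Description"),
}

def _redact(value: str) -> str:
    # Keep a short prefix so the finding is recognisable without copying the secret.
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)

def scan_records(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per indicator hit: which object/record/field, and what kind."""
    findings = []
    for rec in records:
        obj = rec.get("attributes", {}).get("type", "")
        for field in TEXT_FIELDS.get(obj, ()):
            text = rec.get(field) or ""
            for name, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    hit = m.group(0)
                    findings.append({
                        "object": obj, "id": rec.get("Id"), "field": field,
                        "indicator": name,
                        "match": _redact(hit) if name in SENSITIVE else hit,
                    })
    return findings

def records_to_rotate(findings: Iterable[Dict]) -> set:
    """Record IDs whose contents warrant credential rotation and follow-up."""
    return {f["id"] for f in findings}

# Constructed sample export (fake IDs; the AWS key is Amazon's documented example value).
SAMPLE_RECORDS = [
    {"attributes": {"type": "Case"}, "Id": "500XX0000000001", "Subject": "VPN config",
     "Description": "Temp creds: AKIAIOSFODNN7EXAMPLE, password is hunter2"},
    {"attributes": {"type": "Contact"}, "Id": "003XX0000000002", "Description": "Prefers email"},
    {"attributes": {"type": "Opportunity"}, "Id": "006XX0000000003", "Name": "Renewal Q3",
     "Description": "Snowflake pilot; secret key attached in chat"},
]
```

Run over a real export, the output is a list of records and fields to triage, with the secret values themselves redacted so the findings report does not become a second copy of the credentials.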

Officials stressed that the supply-chain attack behind the incident has affected other organizations, including Zscaler and Google, though Google has cautioned that there is no conclusive evidence linking the incidents at this time.

As part of the ongoing investigation, Palo Alto Networks, Salesforce and Google have disabled Drift integrations while they determine how the OAuth tokens were stolen. The breach underscores the risk of credential theft via trusted third-party applications and the importance of continuously monitoring cloud service connections and credentials. For context on Google’s discussion of related incidents, see this external report here.