
Palo Alto Networks data breach exposes customer data, support cases

Palo Alto Networks suffered a data breach that exposed customer data and support cases after attackers abused compromised OAuth tokens from the Salesloft Drift breach to access its Salesforce instance.

The company states that it was one of hundreds of companies affected by a supply-chain attack disclosed last week, in which threat actors abused the stolen authentication tokens to exfiltrate data.

BleepingComputer learned of the breach this weekend from Palo Alto Networks’ customers, who expressed concern that the breach exposed sensitive information, such as IT information and passwords, shared in support cases.

Palo Alto Networks later confirmed to BleepingComputer that the incident was limited to its Salesforce CRM and did not affect any products, systems, or services.

“Palo Alto Networks confirms that it was one of hundreds of customers impacted by the widespread supply chain attack targeting the Salesloft Drift application that exposed Salesforce data,” Palo Alto Networks told BleepingComputer.

“We quickly contained the incident and disabled the application from our Salesforce environment. Our Unit 42 investigation confirms that this situation did not affect any Palo Alto Networks products, systems, or services.”

“The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data. We are in the process of directly notifying any impacted customers.”

Palo Alto Networks told BleepingComputer that the exfiltrated support case data only contained contact information and text comments, and not technical support files or attachments.


The campaign, first tracked by Google’s Threat Intelligence team as UNC6395, specifically targeted support cases to identify sensitive data, such as authentication tokens, passwords, and cloud secrets, that could be used to pivot into other cloud services and steal data.

“Our observations indicate that the threat actor conducted mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case and Opportunity records,” Palo Alto Networks warned in a threat brief shared with BleepingComputer.

“Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access. We have observed that the threat actor deleted queries to hide evidence of the jobs they run, likely as an anti-forensics technique.”

Palo Alto Networks reports that the attackers were looking for secrets, including AWS access keys (AKIA), Snowflake tokens, VPN and SSO login strings, and generic keywords such as “password,” “secret,” or “key.”

These credentials could then be used to breach additional cloud platforms to steal data for extortion attacks.

Google and Palo Alto Networks say that the threat actors used automated tools to steal data, with user-agent strings indicating that custom Python tools were used:

python-requests/2.32.4

Python/3.11 aiohttp/3.12.15

Salesforce-Multi-Org-Fetcher/1.0

Salesforce-CLI/1.0

As part of these attacks, the threat actors mass-exfiltrated data from the Account, Contact, Case and Opportunity Salesforce objects.


To evade detection, the threat actors deleted logs and used Tor to obfuscate their origin.
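As an added example that is not part of the original article or of any vendor's tooling, the following Python hunts for the four user-agent strings listed above in an API activity export and groups the hits per user, flagging which of the Account, Contact, Case and Opportunity objects each scripted client pulled. The pipe-delimited layout (timestamp, user, user agent, SOQL query) and the sample lines are constructed for the example and are not a real Salesforce event log format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# User-agent strings attributed to the campaign by Google and Palo Alto Networks
# (copied from the article). Matched as substrings of the logged user agent.
SUSPICIOUS_USER_AGENTS = (
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
)

# Salesforce objects the actor mass-exfiltrated, per the article.
TARGETED_OBJECTS = frozenset({"Account", "Contact", "Case", "Opportunity"})

# Constructed sample export: timestamp | user | user agent | SOQL query.
# This pipe-delimited layout is hypothetical, not a real Salesforce log format.
SAMPLE_LOG = """\
2025-08-20T02:14:05Z|drift-integration@example.invalid|python-requests/2.32.4|SELECT Id, Subject, Description FROM Case
2025-08-20T02:14:09Z|drift-integration@example.invalid|Salesforce-Multi-Org-Fetcher/1.0|SELECT Id, Name FROM Account
2025-08-20T09:03:44Z|alice@example.invalid|Mozilla/5.0 (Windows NT 10.0) Chrome/128.0|SELECT Id FROM Contact WHERE Email = 'a@b'
2025-08-20T11:30:00Z|bob@example.invalid|Python/3.11 aiohttp/3.12.15|SELECT Id, Amount FROM Opportunity
2025-08-20T12:00:00Z|carol@example.invalid|Salesforce-CLI/1.0|SELECT Id FROM Lead
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited export line into its four fields."""
    ts, user, user_agent, query = line.split("|", 3)
    return {"ts": ts, "user": user, "user_agent": user_agent, "query": query}


def queried_object(query: str) -> str:
    """Return the object name after FROM in a SOQL query, or '' if absent."""
    match = re.search(r"\bFROM\s+(\w+)", query, re.IGNORECASE)
    return match.group(1) if match else ""


def find_suspicious_api_activity(lines: Iterable[str]) -> List[dict]:
    """Return the records whose user agent matches a campaign indicator.

    Each returned record is the parsed line plus the queried object and a flag
    saying whether that object is one the actor is known to have targeted.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        record = parse_line(raw)
        if not any(ua in record["user_agent"] for ua in SUSPICIOUS_USER_AGENTS):
            continue
        obj = queried_object(record["query"])
        record["object"] = obj
        record["targeted_object"] = obj in TARGETED_OBJECTS
        hits.append(record)
    return hits


def summarize_by_user(hits: List[dict]) -> Dict[str, dict]:
    """Group hits per user: how many requests, and which objects they pulled.

    One identity touching several of the targeted objects through a scripted
    user agent is the pattern worth escalating for token revocation.
    """
    summary: Dict[str, dict] = defaultdict(lambda: {"requests": 0, "objects": set()})
    for record in hits:
        entry = summary[record["user"]]
        entry["requests"] += 1
        if record["object"]:
            entry["objects"].add(record["object"])
    return dict(summary)


if __name__ == "__main__":
    suspicious = find_suspicious_api_activity(SAMPLE_LOG.splitlines())
    for user, info in summarize_by_user(suspicious).items():
        print(f"{user}: {info['requests']} scripted requests, objects={sorted(info['objects'])}")
```

Substring matching is deliberate: the exact strings are the published indicators, but a `python-requests` or `aiohttp` client on a Salesforce integration user is unusual enough that an analyst will usually widen the match to the library name alone once the exact hits have been triaged.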

Palo Alto Networks states that it has revoked the associated tokens and rotated the credentials following the incident.

The company recommends Salesloft Drift customers treat the incident with “immediate urgency” and perform the following actions:

  • Investigate Salesforce, identity provider, and network logs for potential compromise.
  • Review all Drift integrations for suspicious connections.
  • Revoke and rotate authentication keys, credentials, and secrets.
  • Use automated tools, like Trufflehog and Gitleaks, to scan code repositories for embedded authentication keys or tokens.
  • If data was confirmed to be exfiltrated, it should be reviewed for the presence of credentials.
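The patterns the article attributes to the actor (AWS access key IDs beginning with AKIA, and the generic keywords “password,” “secret” and “key”) also give defenders a starting point for the last recommendation: reviewing confirmed-exfiltrated records to decide which credentials must be rotated first. The Python below is an added example, not Palo Alto Networks’ or Unit 42’s tooling. The case comments and credential values are constructed; the AKIA value is the example access key ID used in AWS documentation; and Snowflake, VPN and SSO matching is keyword-only, since the article gives no token formats for those.

```python
import re
from typing import Dict, List

# Patterns drawn from the article's description of what the actor searched for.
# Severity "high" = a probable credential value is present and must be rotated;
# "low" = only a keyword mention, worth a human read but often benign.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*(\S+)", re.IGNORECASE
)
# Keyword-only checks: the article gives no token format for Snowflake, VPN or SSO
# strings, so these are hints for a reviewer rather than confirmed secrets.
KEYWORD_MENTION = re.compile(r"\b(password|secret|key|vpn|sso|snowflake)\b", re.IGNORECASE)

# Constructed sample of exported case comments (not real data). The AKIA value is
# the example access key ID from AWS documentation; the other values are made up.
SAMPLE_CASE_COMMENTS = [
    {"case_id": "CASE-0001", "body": "Firewall enters a reboot loop after the upgrade. Logs attached."},
    {"case_id": "CASE-0002",
     "body": "Backup script authenticates with AKIAIOSFODNN7EXAMPLE and secret=EXAMPLE-not-a-real-secret"},
    {"case_id": "CASE-0003",
     "body": "SSO login for the admin portal: user admin, password: Winter2025! (please reset after testing)"},
    {"case_id": "CASE-0004", "body": "Please check the VPN tunnel; key rotation is scheduled for Friday."},
]


def redact(text: str, value: str) -> str:
    """Replace a secret value inside a snippet so findings can be shared safely."""
    return text.replace(value, "[REDACTED]")


def scan_body(body: str) -> List[Dict[str, str]]:
    """Return findings for one comment body: kind, severity and a redacted snippet."""
    findings = []
    for m in AWS_ACCESS_KEY_ID.finditer(body):
        findings.append({"kind": "aws_access_key_id", "severity": "high",
                         "snippet": redact(m.group(0), m.group(0))})
    for m in CREDENTIAL_ASSIGNMENT.finditer(body):
        findings.append({"kind": "credential_assignment", "severity": "high",
                         "snippet": redact(m.group(0), m.group(2))})
    for m in KEYWORD_MENTION.finditer(body):
        findings.append({"kind": "keyword:" + m.group(1).lower(), "severity": "low",
                         "snippet": m.group(0)})
    return findings


def triage_records(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Map each case with findings to its worst severity and the finding kinds.

    "high" cases go to the front of the rotation queue, "low" cases get a manual
    read, and cases with no findings are omitted from the result.
    """
    result: Dict[str, dict] = {}
    for rec in records:
        findings = scan_body(rec["body"])
        if not findings:
            continue
        severity = "high" if any(f["severity"] == "high" for f in findings) else "low"
        result[rec["case_id"]] = {
            "severity": severity,
            "kinds": sorted({f["kind"] for f in findings}),
            # Only redacted snippets are kept, so the triage report itself never
            # becomes a second copy of the exposed credentials.
            "snippets": [f["snippet"] for f in findings if f["severity"] == "high"],
        }
    return result


def rotation_queue(triage: Dict[str, dict]) -> List[str]:
    """Case IDs whose contents contain a probable live credential, in ID order."""
    return sorted(cid for cid, info in triage.items() if info["severity"] == "high")


if __name__ == "__main__":
    triage = triage_records(SAMPLE_CASE_COMMENTS)
    for case_id in rotation_queue(triage):
        print(case_id, triage[case_id]["kinds"], triage[case_id]["snippets"])
```

The split between an assignment pattern (`password: value`) and a bare keyword matters in practice: support cases mention “key rotation” and “VPN” constantly, and treating every mention as a hit buries the handful of records that actually carry a usable secret.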

Palo Alto Networks, Salesforce, and Google have now disabled Drift integrations while the investigation into how the OAuth tokens were stolen continues.

The supply chain attack has impacted other companies, including Zscaler and Google.

Salesforce data theft attacks

Since the beginning of the year, Salesforce has been the target of data theft attacks conducted by members associated with the ShinyHunters extortion group.

In past attacks, the threat actors conducted voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company’s Salesforce instances.


Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company via email.

However, with the Salesloft breach, the threat actors were able to steal data using the stolen OAuth tokens.

Since Google first reported the attacks in June, numerous data breaches have been tied to the social engineering attacks, including Google itself, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

While some researchers have told BleepingComputer that they believe the Salesloft supply chain attacks involve the same threat actors, Google says there is no conclusive evidence that they’re linked.

“We haven’t seen any compelling evidence connecting them at this time,” Austin Larsen, Principal Threat Analyst, Google Threat Intelligence Group, told BleepingComputer.

Update 9/2/25: Article title updated to reflect that the breach did not contain full support tickets.
