Palo Alto Networks Confirms Data Breach via Compromised Salesforce Instances

Cybersecurity vendor Palo Alto Networks disclosed that its Salesforce environment was breached through a compromised Salesloft Drift integration, marking the latest in a series of supply chain attacks targeting customer relationship management platforms.

According to a statement from Palo Alto Networks, Salesloft’s Drift application—used by hundreds of organizations to streamline sales engagement—suffered an intrusion that affected its OAuth credentials between August 8 and 18, 2025.

Threat actors exploited these credentials to extract data from connected Salesforce instances, including that of Palo Alto Networks, before Salesloft revoked tokens and secured its systems.

“As soon as we learned of the event, we disconnected the vendor from our Salesforce environment and our Unit 42 security teams launched a comprehensive investigation,” the company said.

Investigators determined the compromise was isolated to the CRM platform, and the company stated that “no Palo Alto Networks products or services were impacted, and they remain secure and fully operational.”

The breached data primarily consisted of business contact information, internal sales account details, and basic case records.

Palo Alto Networks emphasized that only a limited number of customers may have had more sensitive data exposed, and those clients are being notified directly through official support channels.

“If you have concerns or need additional support, our teams are available via Palo Alto Networks customer support,” the company added.

Unit 42’s analysis linked the incident to a broader campaign leveraging the Salesloft Drift integration.

After exfiltrating records from Salesforce objects—such as Account, Contact, Case, and Opportunity—the threat actor conducted mass data harvesting and then scanned the stolen information for credentials. The attacker also deleted SOQL query logs to obscure their activities.

Salesloft confirmed that all impacted customers have been informed and that it proactively revoked all active access and refresh tokens for the Drift application, effectively forcing affected administrators to re-authenticate.

Palo Alto Networks urges other organizations using the Drift integration to maintain heightened vigilance, monitor for updates from both Salesloft and Salesforce, and implement a series of immediate response actions.

Key recommendations include:

  •  Comprehensive log review: Examine Salesforce login histories, audit trails, API access logs, and UniqueQuery events from August 8 to the present. Look for suspicious user-agent strings—specifically “Python/3.11 aiohttp/3.12.15”—and unusual IP addresses linked to known threat actors.
  •  Credential rotation: Use automated tools such as Trufflehog or GitLeaks to scan for exposed secrets, then promptly rotate any compromised credentials, including Salesforce API keys and connected-app tokens.
  •  Network and IdP monitoring: Analyze network flow and proxy logs for anomalous connections to Salesforce and review identity provider logs for unauthorized authentication attempts.
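One way to automate the first of these checks, as an added example that is not part of the article or of Unit 42's own tooling: it runs over constructed sample query events (the record field names are an assumption, not the Salesforce event schema) and flags both the exact user-agent string named above and any single user exporting from several of the named CRM objects inside the review window.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Exact user-agent string named in the Unit 42 guidance above.
IOC_UA = "Python/3.11 aiohttp/3.12.15"
# Salesforce objects the article names as targets of the mass export.
TARGET_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
# Start of the review window recommended in the article.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)

def ev(ts, user, ua, ip, obj):
    # Field names are an assumption for this example, not the Salesforce event schema.
    return {"ts": ts, "user": user, "user_agent": ua, "ip": ip, "object": obj}

# Constructed sample query events (users, IPs and non-IoC user agents are made up).
SAMPLE_EVENTS = [
    ev("2025-08-09T02:14:07Z", "drift-int@example.com", IOC_UA, "203.0.113.10", "Account"),
    ev("2025-08-09T02:14:09Z", "drift-int@example.com", IOC_UA, "203.0.113.10", "Contact"),
    ev("2025-08-09T02:14:12Z", "drift-int@example.com", IOC_UA, "203.0.113.10", "Case"),
    ev("2025-08-09T02:14:15Z", "drift-int@example.com", IOC_UA, "203.0.113.10", "Opportunity"),
    ev("2025-08-12T14:05:00Z", "sales.rep@example.com", "Mozilla/5.0", "198.51.100.7", "Account"),
    ev("2025-08-15T09:30:00Z", "loader@example.com", "ExampleLoader/1.0", "198.51.100.9", "Account"),
    ev("2025-08-15T09:31:00Z", "loader@example.com", "ExampleLoader/1.0", "198.51.100.9", "Contact"),
    ev("2025-08-15T09:32:00Z", "loader@example.com", "ExampleLoader/1.0", "198.51.100.9", "Case"),
    ev("2025-07-30T11:00:00Z", "old-script@example.com", IOC_UA, "192.0.2.5", "Account"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious(events, start=WINDOW_START, min_objects=3):
    """Group query events per user inside the window; flag the IoC user agent and multi-object exports."""
    per_user = defaultdict(lambda: {"ioc_ua": False, "objects": set(), "ips": set()})
    for e in events:
        if parse_ts(e["ts"]) < start:
            continue  # before the Aug 8 review window; ignore
        rec = per_user[e["user"]]
        if e["user_agent"] == IOC_UA:
            rec["ioc_ua"] = True
            rec["ips"].add(e["ip"])  # collect source IPs for follow-up
        if e["object"] in TARGET_OBJECTS:
            rec["objects"].add(e["object"])
    findings = {}
    for user, rec in per_user.items():
        reasons = []
        if rec["ioc_ua"]:
            reasons.append("ioc_user_agent")
        if len(rec["objects"]) >= min_objects:
            reasons.append("multi_object_export")
        if reasons:
            findings[user] = {"reasons": reasons, "objects": sorted(rec["objects"]), "ips": sorted(rec["ips"])}
    return findings
```

A multi-object export alone (the loader user in the sample) is a lead to triage, not proof of compromise; the IoC user agent is the higher-confidence signal.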

Organizations are also advised to adopt zero trust principles—enforcing least-privilege access and conditional policies—to mitigate lateral movement.

Palo Alto Networks recommends that teams remain skeptical of unsolicited communications and always verify requests for sensitive data through official channels.

Palo Alto Networks and Unit 42 will continue monitoring the situation and will update the threat brief should new developments arise. Salesforce is likewise providing ongoing guidance and resources to customers.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.