In a troubling new twist in the world of supply chain cyberattacks, cybersecurity giant Palo Alto Networks has confirmed that attackers breached its internal Salesforce environment by exploiting a third-party integration — specifically, a compromised link between Salesloft and its Drift application.
The breach, which took place earlier in August, allowed threat actors to siphon off business contact details, sales account data, and internal case records. While the company insists that no core products or services were affected, the incident has raised fresh concerns over the security of interconnected SaaS platforms.
“We immediately disconnected the vendor and launched a full investigation,” Palo Alto Networks said in a statement. “Our products remain secure and fully operational.”
What We Know So Far
Between August 8 and August 18, attackers were able to compromise OAuth credentials linked to the Drift application — a tool often used to help sales teams manage communications.
With those tokens in hand, the attackers gained access to several Salesforce environments, including Palo Alto’s. From there, they pulled data from commonly used Salesforce objects like Accounts, Contacts, Cases, and Opportunities.
To cover their tracks, the intruders reportedly deleted query logs that could have revealed what they accessed and when — a clear sign that this wasn’t a simple smash-and-grab operation, but a calculated move in a larger campaign.
Not Just Palo Alto
This attack doesn’t appear to be isolated. According to Palo Alto’s Unit 42 threat intelligence team, this is part of a broader pattern targeting Salesforce users through third-party tools like Drift.
Salesloft, the company behind Drift, has since confirmed the issue and revoked all related access tokens — essentially forcing a logout for affected users. It also says all impacted customers have been notified.
Sound Familiar?
Unfortunately, this isn’t the first time OAuth token abuse has played a central role in a high-profile breach.
- HubSpot (2022): Attackers exploited employee credentials to steal data from crypto firms.
- Mailchimp (2023): Compromised access was used for targeted phishing attacks.
- Snowflake-related breaches (2025): OAuth abuse became a key technique for moving laterally across cloud systems.
These cases all highlight the same problem: the more we connect our systems, the more doors we leave open — and sometimes, it only takes one unlocked window.

What Should You Do?
If your organization uses Salesforce, Salesloft, or the Drift app, now’s the time to take a closer look under the hood. Palo Alto Networks and other experts are urging companies to act quickly and review their logs and credentials.
Here’s what security teams should focus on:
- Audit Logs Thoroughly: Review Salesforce login histories, API logs, and query records going back to early August. Look for unusual IP addresses or strange user agents such as "Python/3.11 aiohttp/3.12.15".
- Change Credentials Immediately: Rotate all Salesforce API keys, OAuth tokens, and app secrets. Use tools like TruffleHog or GitLeaks to identify exposed secrets.
- Monitor Identity & Network Traffic: Watch for suspicious login attempts or abnormal network patterns in your proxy or IdP logs.
- Harden Permissions: Apply least-privilege access, enforce MFA, and implement Zero Trust policies across all integrations.
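As an added example (not code from the article or from Palo Alto Networks), the Python below runs the log-review step over a few constructed Salesforce-style login rows: it flags events inside the August 8 to 18 window whose user agent matches the scripted client named above or whose source IP falls outside a hypothetical corporate allowlist, then lists the accounts whose credentials should be rotated first. Column names, network ranges and sample rows are assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# User-agent fragments to flag; "python/" matches the scripted client named in the article.
SUSPICIOUS_UA_FRAGMENTS = ("python/", "aiohttp/")
# Hypothetical corporate egress range (assumption; replace with your own allowlist).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
# Review window from the article: tokens were abused between August 8 and August 18.
WINDOW = ("2025-08-08", "2025-08-18")

# Constructed rows in the shape of a Salesforce EventLogFile CSV (column names are assumptions).
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,USER_AGENT,EVENT_TYPE
2025-08-09T02:14:03Z,drift-integration@example.com,198.51.100.7,Python/3.11 aiohttp/3.12.15,Login
2025-08-09T09:01:44Z,alice@example.com,203.0.113.15,Mozilla/5.0 (Windows NT 10.0) Chrome/127.0,Login
2025-08-10T03:22:10Z,drift-integration@example.com,198.51.100.7,Python/3.11 aiohttp/3.12.15,API
2025-07-30T08:00:00Z,drift-integration@example.com,198.51.100.7,Python/3.11 aiohttp/3.12.15,Login
"""

def is_suspicious_agent(user_agent):
    """True for scripted HTTP clients that an interactive SaaS session should not produce."""
    return any(fragment in user_agent.lower() for fragment in SUSPICIOUS_UA_FRAGMENTS)

def is_untrusted_ip(source_ip):
    """True when the source address falls outside every allowlisted network."""
    addr = ip_address(source_ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious_events(csv_text, window=WINDOW):
    """Return rows inside the review window that trip a check, with the reasons for each."""
    start, end = window
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = row["TIMESTAMP_DERIVED"][:10]  # ISO date prefix; compares correctly as a string
        if not start <= day <= end:
            continue  # outside the incident window; widen the window for a broader hunt
        reasons = []
        if is_suspicious_agent(row["USER_AGENT"]):
            reasons.append("scripted user agent")
        if is_untrusted_ip(row["SOURCE_IP"]):
            reasons.append("source IP outside trusted ranges")
        if reasons:
            hits.append({"time": row["TIMESTAMP_DERIVED"], "user": row["USER_NAME"],
                         "ip": row["SOURCE_IP"], "event": row["EVENT_TYPE"], "reasons": reasons})
    return hits

def users_to_rotate(hits):
    """Distinct accounts seen in flagged rows: first candidates for token revocation and review."""
    return sorted({hit["user"] for hit in hits})
```

Feed it a real EventLogFile export and a genuine allowlist; the date filter is deliberately loose so the same pass can be re-run over a wider range once the August window has been cleared.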
“Just because it’s a trusted app doesn’t mean it’s safe forever,” said Shira Cohen, a cybersecurity advisor with two decades of experience. “You need to treat integrations like they’re external — because, in effect, they are.”
Still More Questions Than Answers
While Palo Alto is actively investigating and working with Salesforce and Salesloft to assess the full scope, several key questions remain:
- Who’s behind the breach? No group has been publicly identified.
- Could other companies using Drift also be affected?
- Were attackers specifically targeting Palo Alto — or casting a wider net?
Palo Alto says its Unit 42 team is continuing to monitor the threat and will release more information as it becomes available. Salesforce is also supporting affected clients and providing security guidance.
Final Thoughts
The breach is a reminder that even the most security-conscious organizations can fall victim — not because of a failed firewall, but because of a weak link in the third-party chain.
If you’re using SaaS tools and haven’t recently reviewed your integrations, now is the time. As your systems become more connected, your attack surface grows — and attackers know it.
“Don’t wait for an incident to start doing the basics,” Cohen warned. “Once someone’s in, it’s too late to wish you’d enabled logging or rotated that token last month.”
Stay tuned for updates — and if you’re a customer of any of the affected platforms, check your support portals for official communication.
