Palo Alto Networks has confirmed it was among the hundreds of organizations impacted by a supply-chain cyberattack in August 2025 that exploited the Salesloft Drift integration with Salesforce, enabling threat actors to steal OAuth tokens and access sensitive CRM data—though no core systems or services were breached. This follows earlier reports that the attack stemmed from a breach at Salesloft and its AI-powered “SalesDrift” app, which siphoned credentials from Salesforce and a small number of Google Workspace instances. The actor, known as UNC6395, allegedly targeted credentials such as AWS keys, Snowflake tokens, and passwords before deleting logs to conceal activity. Both Palo Alto Networks and other victims like Zscaler and Cloudflare have since limited damage to CRM data, revoked access tokens, and urged vigilance amid broader supply-chain security concerns.
Sources: TechRadar, Cybersecurity Dive, BleepingComputer
Key Takeaways
– Supply-Chain Vulnerability Is Real – Third-party integrations, even those as commonplace as chat tools, can become entry points; organizations must assess and monitor such dependencies.
– Damage Contained—but Trust Eroded – Although core systems remained intact, exposure of CRM data and case notes may fuel phishing, social engineering, and reputational harm.
– Swift Response Is Essential – Token revocation, log monitoring, and direct customer notifications are critical—but businesses must also establish stronger proactive controls to reduce future risk.
In-Depth
In early September 2025, Palo Alto Networks reluctantly added its name to the growing roster of companies caught up in a hard-hit supply-chain cyberattack centered around the Salesloft Drift integration. Though not an internal system breach, the fallout was still significant: threat actors, leveraging compromised OAuth tokens, accessed the company’s Salesforce instance and pulled CRM records—business contact information and case data.
According to industry reports, this intrusion was part of a broader campaign targeting hundreds of organizations via Salesloft’s SalesDrift app, a conduit that links Drift’s AI chat capabilities with Salesforce. Google’s Threat Intelligence Group has tied the operation to a threat actor known as UNC6395, who demonstrated operational discipline by removing evidence of their activity and specifically hunting for sensitive credentials like AWS keys and Snowflake tokens.
While Palo Alto Networks took quick action—disabling the compromised app, revoking tokens, conducting internal investigations, and notifying customers—this episode sends a clear, cautionary message: never underestimate the risks inherent in third-party supply-chain integrations. Even tools meant to streamline customer engagement can become vulnerability channels if not properly gated and monitored.
Moreover, though this particular breach hasn’t impacted core systems, it has nonetheless exposed businesses to indirect threats: the CRM data exposed is prime fodder for phishing or impersonation campaigns. Lessons learned include the importance of maintaining tight control of authentication tokens, reinforcing zero-trust principles, narrowing integration privileges, and routinely auditing activity logs. In short, security is no longer merely about defending your own house—but vetting every door you let others install.