A recent Palo Alto Networks data breach has exposed customer records and support cases after attackers exploited compromised OAuth tokens from the Salesloft Drift supply chain attack.
How the Breach Happened
The attackers used stolen authentication tokens to access the company’s Salesforce CRM environment, exfiltrating data such as business contacts, account information, and case records. According to Palo Alto Networks, no products, systems, or core services were affected.
The breach is part of a wider campaign that impacted hundreds of organizations. Threat actors carried out mass data exfiltration from Salesforce objects, including Account, Contact, Case, and Opportunity records.
What Data Was Exposed
The compromised support case data primarily included contact information and text comments, not technical support files or attachments. However, investigators noted that attackers searched for sensitive information such as:
- AWS access keys (AKIA)
- Snowflake tokens
- VPN and SSO login strings
- Credentials containing terms like password, secret, or key
This suggests the attackers intended to leverage stolen secrets for follow-on attacks across other cloud services.
Techniques Used by the Attackers
The campaign relied on custom Python-based tools to automate exfiltration, while also employing anti-forensics techniques such as deleting queries and logs and routing activity through Tor for anonymity. Tools identified included:
- python-requests/2.32.4
- Python/3.11 aiohttp/3.12.15
- Salesforce-Multi-Org-Fetcher/1.0
- Salesforce-CLI/1.0
Recommended Mitigations
Organizations using Salesloft Drift should act with urgency following the Palo Alto Networks data breach. Immediate steps include tightening monitoring, disabling risky integrations, and securing exposed credentials. Salesloft Drift integrations have already been disabled by Salesforce, Palo Alto Networks, and Google while the investigation continues.
- Investigate Salesforce, identity provider, and network logs for suspicious activity
- Disable or remove any questionable Drift integrations
- Revoke and rotate authentication keys and credentials immediately
- Use automated tools such as Trufflehog or Gitleaks to identify exposed secrets in repositories
- Review any confirmed exfiltrated data for signs of credentials or sensitive information
Broader Supply Chain Risks
This incident underscores the growing risk of supply chain attacks targeting Salesforce environments. Similar breaches this year have affected organizations worldwide, with attackers exploiting OAuth integrations and conducting data theft for potential extortion.
The Palo Alto Networks data breach highlights how third-party integrations can quickly become a weak point, making proactive monitoring and key rotation essential for resilience.