Salesforce Supply Chain Breach Hits Palo Alto Networks Customers

Palo Alto Networks confirmed exposure of customer records in a Salesforce breach via Drift tokens, as Unit 42 warned attackers mass-exfiltrated sensitive data and credentials in the supply chain attack.

    Palo Alto Networks (PAN), the world’s largest cybersecurity company by market capitalization, has disclosed that it was among the many enterprises impacted by a sweeping Salesforce supply chain breach. The incident, tied to compromised access tokens from the SalesLoft Drift integration, exposed customer contact information and details from support cases.

    How the Breach Reached Palo Alto Networks

    The attackers obtained OAuth tokens stolen from SalesLoft Drift, an AI-powered marketing platform that integrates with Salesforce. Because those tokens were trusted by Salesforce, they gave the attackers unauthorized access to Salesforce records across multiple organizations without needing any of the victims' own credentials.

    In a letter to customers, Palo Alto Networks confirmed that the data accessed included names, contact details, company attributes, and general support case information. The company clarified:

    “It is important to note that no tech support files or attachments to any customer support cases were part of the exfiltration.”

    The company stressed that its products, core systems, and services remained unaffected, adding that the incident was quickly contained once identified. Palo Alto Networks immediately disabled the Drift application within its environment and committed to notifying any affected customers directly.

    Unit 42 Issues Advisory on Mass Exfiltration

    On Tuesday, Palo Alto Networks’ threat intelligence division, Unit 42, issued an urgent advisory highlighting the scale of the Salesforce data exfiltration. According to the advisory, attackers accessed and mass-exfiltrated data from several Salesforce objects, including:

    • Account records
    • Contact records
    • Case records
    • Opportunity records

    The advisory warned:

    “Organizations that utilize the Salesloft Drift integration with Salesforce should treat this incident with immediate urgency.”

    Unit 42 also provided technical recommendations, urging enterprises to examine their Salesforce environments and strengthen credential security.

    Attackers Sought Credentials Beyond Salesforce

    The broader investigation revealed that the campaign began on August 8th and extended until at least August 18th, 2025. During this time, attackers targeted organizations using Drift and Salesforce integrations, aggressively scanning environments for sensitive credentials.

    The stolen information included:

    • Google Cloud Platform service account keys
    • Amazon Web Services (AWS) access keys
    • Passwords
    • Snowflake access tokens
    • Other system credentials embedded within Salesforce records

    Unit 42 advised enterprises to rotate exposed credentials without delay. The guidance specifically highlighted Salesforce API keys, connected app credentials, and any system credentials discovered in compromised data.
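    Unit 42's rotation guidance above is only actionable if you know which secrets actually sat inside the Salesforce records that were read. The following Python script is an added example written for this page, not tooling from Unit 42, Salesforce or SalesLoft: it runs a heuristic secret scan over case records so the rotation list is driven by evidence rather than guesswork. The record contents and IDs, the `AKIA...` key and the PEM fragment are constructed samples, and the pattern set is an assumption that will need tuning against real data (a production run would pull Case, CaseComment and EmailMessage records through the Salesforce API or a data export instead of the inline list).

```python
import re
from collections import Counter

# Constructed sample Salesforce Case records (fictitious IDs and contents),
# standing in for what a real scan would pull from the Case, CaseComment and
# EmailMessage objects via the Salesforce API or a data export.
SAMPLE_RECORDS = [
    {
        "Id": "500CONSTRUCTED001",
        "Subject": "VPN not connecting",
        "Description": "User reports the VPN drops every 10 minutes. No credentials were shared.",
    },
    {
        "Id": "500CONSTRUCTED002",
        "Subject": "S3 sync failing",
        "Description": "Attaching our IAM user: access key AKIAEXAMPLEKEY000001, please check the policy.",
    },
    {
        "Id": "500CONSTRUCTED003",
        "Subject": "GCP export job",
        "Description": (
            '{"type": "service_account", "project_id": "demo-project",\n'
            ' "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----\\n"}'
        ),
    },
    {
        "Id": "500CONSTRUCTED004",
        "Subject": "Snowflake connector",
        "Description": "Login for the Snowflake warehouse: password = Winter2025! (temporary)",
    },
]

# Fields to inspect, in order. The patterns are heuristics (an assumption of this
# example): AWS access key IDs and PEM headers have a fixed shape, while the GCP,
# password and Snowflake checks are keyword based and will produce some noise.
SCAN_FIELDS = ("Subject", "Description")
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)snowflake[^\n]{0,80}?\b(?:token|password|key)\b"),
}


def _redact(secret: str) -> str:
    """Keep just enough to triage (prefix + length) without re-exposing the value."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_records(records):
    """Return one finding per pattern hit: record id, field, credential kind, redacted snippet."""
    findings = []
    for record in records:
        for field in SCAN_FIELDS:
            text = record.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({
                        "record_id": record["Id"],
                        "field": field,
                        "kind": kind,
                        "redacted": _redact(match.group(0)),
                    })
    return findings


def summarize(findings):
    """Count findings per credential kind: what needs rotating, and roughly how much."""
    return dict(Counter(f["kind"] for f in findings))


def affected_record_ids(findings):
    """Records whose embedded secrets must be treated as exposed and rotated."""
    return sorted({f["record_id"] for f in findings})


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for hit in hits:
        print(f'{hit["record_id"]} {hit["field"]:<12} {hit["kind"]:<24} {hit["redacted"]}')
    print("summary:", summarize(hits))
    print("records to rotate:", affected_record_ids(hits))
```

    The output is deliberately redacted: the point of the scan is to produce a rotation worklist (which key types, in which records), not to copy the secrets into yet another system. Treat every hit as exposed and rotate it, then follow up with a policy that keeps credentials out of support cases in the first place.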

    “Organizations should be wary of social engineering attempts resulting from this or any other data exfiltration event,” the advisory added.

    ShinyHunters and Linked Groups Claim Responsibility

    The breach is part of a larger coordinated campaign claimed by criminal groups including ShinyHunters, which has described itself as “invincible” in underground forums.

    These attackers have also taken credit for breaches impacting major global enterprises such as Google, Victoria’s Secret, Zscaler, TransUnion, Farmers Insurance, Air France, KLM, and multiple telecommunications providers.

    Security analysts warn that the alignment of groups such as ShinyHunters, Lapsus$, and Scattered Spider has amplified the reach and sophistication of this wave of supply chain cyberattacks.

    Salesforce and Google Respond to the Incident

    Salesforce confirmed that it has disabled all integrations between Salesforce and SalesLoft technologies, including the Drift app, until its investigation is complete. The company stated that this precaution is necessary to protect customer environments while a full review is underway.

    Google also issued a warning to organizations using Drift with Salesforce, urging them to assume compromise and immediately review and rotate authentication tokens and stored credentials.

    The warnings reinforce the widespread impact of the attack, which has now touched dozens of global enterprises across multiple sectors, making it one of the most significant supply chain breaches of 2025.