Palo Alto Networks fell victim to a **supply chain cyberattack** after the threat actor tracked as **UNC6395** abused **Salesloft Drift**, a third-party sales/marketing SaaS tool integrated with Salesforce. The attackers obtained the **OAuth tokens** Drift held for its customers' Salesforce integrations, and those tokens granted unauthorized access to Palo Alto Networks' **Salesforce instance** without any compromise of the company's own products or infrastructure. The exposed data was limited to **business contact details** (names, emails, job titles, phone numbers), **sales account records**, and **case metadata**, but because those records describe the customers of a major security vendor they are directly useful for targeted phishing. The company **disabled the compromised integration**, revoked the affected tokens, and worked with Salesforce and Salesloft on forensic analysis. No evidence of misuse of the exposed data was found, but the incident underscores the risk carried by **third-party dependencies** that hold long-lived API credentials. Customers were notified, and internal safeguards were reviewed to mitigate future threats. The attack aligns with a broader trend of targeting **Salesforce ecosystems**, including TransUnion's recent breach affecting 4.4M US consumers.
Source: https://hackread.com/palo-alto-networks-zscaler-pagerduty-salesforce-data-breach/
TPRM report: https://www.rankiteo.com/company/palo-alto-networks
"id": "pal505090325",
"linkid": "palo-alto-networks",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including customer data leaks"
{'affected_entities': [{'customers_affected': 'Not specified (business contact '
'details exposed)',
'industry': 'Cybersecurity',
'location': 'Santa Clara, California, USA',
'name': 'Palo Alto Networks',
'size': 'Large Enterprise',
'type': 'Public Company'},
{'customers_affected': 'Not specified (business contact '
'details exposed)',
'industry': 'Cybersecurity',
'location': 'San Jose, California, USA',
'name': 'Zscaler',
'size': 'Large Enterprise',
'type': 'Public Company'},
{'customers_affected': 'Not specified (business contact '
'details exposed)',
'industry': 'IT Operations/Incident Response',
'location': 'San Francisco, California, USA',
'name': 'PagerDuty',
'size': 'Mid-to-Large Enterprise',
'type': 'Public Company'},
{'customers_affected': '4.4 million US consumers '
'(including Social Security '
'numbers)',
'industry': 'Credit Reporting',
'location': 'Chicago, Illinois, USA',
'name': 'TransUnion',
'size': 'Large Enterprise',
'type': 'Public Company'},
{'customers_affected': 'Hundreds of companies (via '
'OAuth token theft)',
'industry': 'Sales Engagement Platform',
'location': 'Atlanta, Georgia, USA',
'name': 'Salesloft (Drift integration)',
'size': 'Mid-to-Large Enterprise',
'type': 'Private Company (SaaS)'}],
'attack_vector': ['Third-Party Vulnerability Exploitation',
'OAuth Token Theft',
'Salesforce Integration Abuse'],
'customer_advisories': ["PagerDuty: 'We will never contact anyone by phone to "
"request a password or any other secure details.'",
"Zscaler: 'No evidence of misuse found, but customers "
"should maintain heightened vigilance for phishing.'",
'Palo Alto Networks: Reviewing internal safeguards to '
'prevent future incidents.'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': ['Undisclosed (Palo Alto '
'Networks, Zscaler, PagerDuty)',
'4.4 million (TransUnion)'],
'personally_identifiable_information': ['Names',
'Email addresses',
'Job titles',
'Phone numbers',
'Social Security '
'numbers (TransUnion '
'only)'],
'sensitivity_of_data': ['Moderate (business contacts)',
'High (SSNs for TransUnion)'],
'type_of_data_compromised': ['Business contact details',
'Sales account records',
'Case metadata',
'Social Security numbers '
'(TransUnion only)']},
'date_detected': '2025-08-20',
'date_publicly_disclosed': '2025-08-23',
'description': 'Hackers exploited the Salesloft Drift app to steal OAuth '
'tokens and access Salesforce data, exposing customer details '
'at major tech firms including Palo Alto Networks, Zscaler, '
'and PagerDuty. The attack was a supply chain breach targeting '
'a third-party sales/marketing SaaS application, leading to '
'unauthorized access to Salesforce accounts of hundreds of '
'companies. Exposed data included business contact details '
'(names, emails, job titles, phone numbers) but no core '
'products or infrastructure were compromised.',
'impact': {'brand_reputation_impact': ['Potential erosion of trust in '
'third-party integrations',
'Reputational risk for affected firms '
'(Palo Alto Networks, Zscaler, '
'PagerDuty)'],
'data_compromised': ['Business contact details (names, email '
'addresses, job titles, phone numbers)',
'Sales account records',
'Case metadata'],
'identity_theft_risk': ['Low (business contact details only)',
'Phishing risk elevated'],
'operational_impact': ['Heightened vigilance required for phishing',
'Third-party risk investigations',
'Customer notifications',
'Authentication protocol reviews'],
'systems_affected': ['Salesforce instances (via third-party '
'integration)',
'Salesloft Drift app']},
'initial_access_broker': {'entry_point': 'Salesloft Drift (third-party SaaS '
'application)',
'high_value_targets': ['Salesforce instances of '
'cybersecurity/tech firms']},
'investigation_status': 'Ongoing (Google’s Threat Intelligence Group and '
'affected companies)',
'lessons_learned': ['Third-party SaaS integrations introduce significant '
'supply chain risk, even for cybersecurity firms.',
'OAuth token management requires stricter oversight and '
'monitoring.',
'Rapid revocation of compromised tokens is critical to '
'limiting exposure.',
'Customer communication and transparency are essential to '
'maintaining trust post-breach.'],
'motivation': ['Data Theft',
'Potential Phishing/Follow-on Attacks',
'Financial Gain (likely)'],
'post_incident_analysis': {'corrective_actions': ['Disabled vulnerable '
'integrations (Palo Alto '
'Networks).',
'Revoked compromised OAuth '
'tokens.',
'Enhanced authentication '
'protocols (Zscaler).',
'Third-party risk '
'management investigations '
'launched.'],
'root_causes': ['Inadequate security controls for '
'OAuth tokens in Salesloft Drift.',
'Over-permissive third-party app '
'integrations with Salesforce.',
'Lack of real-time monitoring for '
'anomalous token usage.']},
'recommendations': ['Conduct third-party risk assessments for all SaaS '
'integrations, especially those with OAuth access.',
'Implement least-privilege access controls for '
'third-party apps connected to CRM systems like '
'Salesforce.',
'Monitor for anomalous OAuth token usage or unexpected '
'API calls from integrated apps.',
'Enhance authentication protocols for customer support '
'interactions to prevent social engineering.',
'Educate employees and customers on phishing risks '
'following data breaches involving contact details.'],
'references': [{'date_accessed': '2025-08-23',
'source': 'PagerDuty Public Report'},
{'date_accessed': '2025-08-23',
'source': 'Zscaler Official Blog'},
{'date_accessed': '2025-08-23',
'source': 'Palo Alto Networks Customer Notification (via '
'LinkedIn)'},
{'source': 'Google’s Threat Intelligence Group Investigation'}],
'response': {'communication_strategy': ['Public disclosures (PagerDuty, '
'Zscaler, Palo Alto Networks)',
'Customer advisories (e.g., Palo Alto '
'Networks via LinkedIn)',
'Recommendations for heightened '
'phishing vigilance'],
'containment_measures': ['Disabled vulnerable Salesloft-Drift '
'integration (Palo Alto Networks)',
'Revoked affected OAuth tokens',
'Launched third-party risk management '
'investigation (Zscaler)'],
'enhanced_monitoring': ['Heightened vigilance for phishing '
'(recommended to customers)'],
'incident_response_plan_activated': True,
'remediation_measures': ['Strengthened customer authentication '
'protocols (Zscaler)',
'Reviewing internal safeguards (Palo '
'Alto Networks)',
'Customer notifications'],
'third_party_assistance': ['Salesforce',
'Salesloft',
'Google’s Threat Intelligence Group']},
'stakeholder_advisories': ['Customers advised to monitor for phishing '
'attempts (Zscaler, PagerDuty).',
'Palo Alto Networks notified impacted customers '
'directly.',
'TransUnion disclosed breach to affected 4.4 '
'million US consumers.'],
'threat_actor': 'UNC6395',
'title': 'Supply Chain Breach via Salesloft Drift Exploit Targeting '
'Salesforce Data',
'type': ['Supply Chain Attack', 'Data Breach', 'Unauthorized Access'],
'vulnerability_exploited': "Unspecified vulnerability in Salesloft Drift's "
'OAuth token management'}
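The root causes and recommendations above come down to three controls: keep an inventory of which third-party apps hold OAuth access to the CRM, give each app a baseline of what it may legitimately read, and alert when a token is used outside that baseline so it can be revoked quickly. The following Python script, added here as an illustration and not part of the original report or of any vendor's tooling, implements that check over a handful of constructed API event records. The record layout (fields such as `ConnectedAppId`, `QueriedEntities`, `RowsProcessed`, `SourceIp`) is only loosely modelled on Salesforce event-monitoring data and is an assumption; the app names, IPs and baseline numbers are likewise made up.

```python
"""Flag anomalous OAuth-connected-app activity against a per-app baseline.

Added example. Event records and baselines below are constructed for the
demonstration; field names are assumptions and not a real Salesforce export.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Baseline the integration owner signs off on for each connected app: which
# objects it legitimately reads, the most rows a single call should return,
# and the egress IPs the vendor publishes. All values are assumptions.
BASELINES: dict[str, dict] = {
    "sales-chat-app": {
        "allowed_objects": {"Lead", "Contact"},
        "max_rows_per_call": 200,
        "known_source_ips": {"203.0.113.10"},
    },
}

# Constructed newline-delimited JSON: one benign call, one bulk export of
# objects the app never touches from an unlisted IP, and one call from an
# app that is not in the inventory at all.
SAMPLE_EVENTS = """\
{"ConnectedAppId": "sales-chat-app", "Username": "integration@example.com", "Operation": "Query", "QueriedEntities": "Contact", "RowsProcessed": 25, "SourceIp": "203.0.113.10"}
{"ConnectedAppId": "sales-chat-app", "Username": "integration@example.com", "Operation": "Query", "QueriedEntities": "Account,Contact,Case", "RowsProcessed": 48000, "SourceIp": "198.51.100.77"}
{"ConnectedAppId": "unlisted-app", "Username": "svc@example.com", "Operation": "Query", "QueriedEntities": "User", "RowsProcessed": 10, "SourceIp": "203.0.113.10"}
"""


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    reason: str
    event_index: int


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def evaluate(events: list[dict], baselines: dict[str, dict] = BASELINES) -> list[Finding]:
    """Compare each event with its app's baseline; every deviation is a finding."""
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        app = ev.get("ConnectedAppId", "?")
        user = ev.get("Username", "?")
        base = baselines.get(app)
        if base is None:
            # A token in use for an app nobody inventoried is itself the alert.
            findings.append(Finding(app, user, "unknown connected app (not in inventory)", i))
            continue
        objects = {o.strip() for o in ev.get("QueriedEntities", "").split(",") if o.strip()}
        unexpected = objects - base["allowed_objects"]
        if unexpected:
            findings.append(Finding(app, user,
                                    f"queried objects outside baseline: {sorted(unexpected)}", i))
        rows = int(ev.get("RowsProcessed", 0))
        if rows > base["max_rows_per_call"]:
            findings.append(Finding(app, user, f"bulk read: {rows} rows in one call", i))
        if ev.get("SourceIp") not in base["known_source_ips"]:
            findings.append(Finding(app, user,
                                    f"request from unlisted source IP {ev.get('SourceIp')}", i))
    return findings


def revocation_candidates(findings: list[Finding]) -> list[tuple[str, str]]:
    """Distinct (app, user) pairs whose OAuth tokens should be revoked pending review."""
    return sorted({(f.app, f.user) for f in findings})


def run_sample() -> list[Finding]:
    """Evaluate the constructed sample events against the sample baselines."""
    return evaluate(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"event {f.event_index}: app={f.app} user={f.user}: {f.reason}")
    print("revoke:", revocation_candidates(results))
```

Run against a real event feed, the same structure holds: the baseline is the least-privilege contract for the app (the objects and volumes it was granted for), the unknown-app branch catches integrations added outside the third-party risk process, and the revocation list is what an on-call responder needs first, since pulling the token ends the exposure regardless of how the vendor was compromised.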