Palo Alto Networks, Zscaler, and Cloudflare Hit by Third-Party Salesforce Breach
A recent supply chain attack on Salesloft Drift, a third-party chat application integrated with Salesforce, has exposed data belonging to Palo Alto Networks, Zscaler, and Cloudflare, among hundreds of other organizations. The breach, disclosed on Tuesday, stemmed from OAuth tokens stolen from Drift and used to access customers' Salesforce environments through the Drift Connected App, which let the threat actor exfiltrate business contact information, support case contents and, in some cases, credentials that customers had pasted into those cases.
Key Details of the Attack
- Timeline: The malicious activity ran from August 8 onward. The attacker issued requests with the user agent string Python/3.11 aiohttp/3.12.15 from IP addresses since published as indicators, running Salesforce Object Query Language (SOQL) queries against the Account, Contact, Case, and Opportunity objects.
- Data Exposed: Primarily business contact information (names, emails, phone numbers, job titles), but also support case contents, including logs, tokens, and passwords shared with vendors. Some customers stored sensitive data in insecure notes fields, increasing exposure.
- Attack Method: The threat actor mass-exfiltrated data, scanned the results for credentials, and deleted the query jobs it had run to obscure forensic traces, an anti-forensics tactic.
- Impact on Vendors:
- Palo Alto Networks confirmed the breach was isolated to its CRM platform, with no impact on its products or services. Exposed data included customer contact and sales account details.
- Zscaler reported similar exposure, noting that product licensing and commercial information may have been compromised.
- Cloudflare took responsibility for enabling the third-party integration, acknowledging that support case data, including credentials customers had shared in cases, was accessed. The company urged affected users to treat any credential shared in a support case as compromised and rotate it.
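The hunt that the vendors above describe, turned into code: triage Salesforce API event records for the three observables the reports give (the aiohttp user agent, attacker source IPs, and large SOQL pulls against Account, Contact, Case and Opportunity). This is an added example, not code from Cloudflare, Palo Alto Networks, Zscaler or Salesforce. The record shape loosely follows the fields of Salesforce's Real-Time Event Monitoring ApiEvent object (Username, SourceIp, UserAgent, Query, QueriedEntities, RowsProcessed) as an assumption; the sample rows, the row threshold and the IOC IP list are constructed placeholders (RFC 5737 documentation addresses), not real indicators.

```python
"""Triage Salesforce API event records for Salesloft Drift-style tradecraft.

Added example. Field names follow Salesforce's ApiEvent object as an
assumption; SAMPLE_EVENTS and IOC_IPS are constructed placeholders.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Optional

SUSPECT_USER_AGENT = "Python/3.11 aiohttp/3.12.15"   # user agent reported for the intrusion
CRM_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
ROW_THRESHOLD = 10_000   # assumption: tune to the integration's normal daily volume
# Constructed placeholder IOC list (RFC 5737 documentation ranges), NOT real indicators.
IOC_IPS = {"192.0.2.10", "203.0.113.77"}

# Constructed sample export; real rows come from the ApiEvent object or EventLogFile downloads.
SAMPLE_EVENTS = """EventDate,Username,ConnectedAppId,SourceIp,UserAgent,QueriedEntities,RowsProcessed,Query
2025-08-12T03:14:00Z,drift-integration@example.com,0H4drift,192.0.2.10,Python/3.11 aiohttp/3.12.15,Case,48211,"SELECT Id,Subject,Description FROM Case"
2025-08-12T03:20:00Z,drift-integration@example.com,0H4drift,192.0.2.10,Python/3.11 aiohttp/3.12.15,Contact,120034,"SELECT Id,Email,Phone,Title FROM Contact"
2025-08-12T09:00:00Z,drift-integration@example.com,0H4drift,198.51.100.5,Drift/2.0,Contact,12,"SELECT Id,Email FROM Contact WHERE Email='a@example.com'"
2025-08-13T11:30:00Z,sales.user@example.com,,198.51.100.9,Mozilla/5.0,Opportunity,40,"SELECT Id,Amount FROM Opportunity WHERE OwnerId='005x'"
2025-08-13T12:00:00Z,drift-integration@example.com,0H4drift,203.0.113.77,curl/8.4.0,User,1,"SELECT Id FROM User LIMIT 1"
"""


@dataclass
class Finding:
    event_date: str
    username: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per independent indicator; higher means more worth a human's time.
        return len(self.reasons)


def soql_objects(query: str) -> set:
    """Return the object names named in the FROM clause(s) of a SOQL string."""
    return set(re.findall(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", query, flags=re.I))


def triage_event(row: dict) -> Optional[Finding]:
    """Score one event row against the three observables; None if nothing matched."""
    reasons = []
    if row["UserAgent"] == SUSPECT_USER_AGENT:
        reasons.append("user agent matches the reported tooling")
    if row["SourceIp"] in IOC_IPS:
        reasons.append(f"source IP {row['SourceIp']} is on the IOC list")
    objs = soql_objects(row["Query"]) | {row["QueriedEntities"]}
    rows = int(row["RowsProcessed"] or 0)
    if objs & CRM_OBJECTS and rows >= ROW_THRESHOLD:
        reasons.append(f"bulk pull of {rows} rows from {sorted(objs & CRM_OBJECTS)}")
    if not reasons:
        return None
    return Finding(row["EventDate"], row["Username"], reasons)


def hunt(csv_text: str = SAMPLE_EVENTS) -> list:
    """Run triage over a CSV export and return findings, strongest first."""
    findings = [f for f in map(triage_event, csv.DictReader(io.StringIO(csv_text))) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.event_date} {f.username} score={f.score}: " + "; ".join(f.reasons))
```

The row threshold is what catches an attacker who swaps user agent and IP after the indicators are published: a connected app that normally fetches a handful of Contact rows per call does not suddenly pull a hundred thousand. The legitimate-looking Drift/2.0 row and the human sales user are left alone.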
Industry Reactions and Lessons
- Transparency & Accountability: Cloudflare’s disclosure was praised for its technical detail and ownership of the incident, setting a benchmark for incident response. Analysts highlighted the need for stronger SaaS security and third-party risk management.
- SaaS Supply Chain Risks: The attack underscores how much rides on the long-lived OAuth tokens that integrations hold, and how hard activity arriving through a trusted connected app is to distinguish from normal API traffic, a problem that grows as agentic AI frameworks multiply such integrations. Experts warned that misconfigurations and stolen tokens remain a persistent threat.
- Zero Trust & Contractual Safeguards: Recommendations included revoking unused OAuth tokens, enforcing token expiration, and auditing third-party contracts for breach notification, data handling, and sub-processor transparency.
- Phishing Risks: The breach’s targeted nature leveraging real business data could fuel highly convincing phishing, smishing, and vishing campaigns, making detection harder for victims.
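The credential exposure above is the part of the incident a victim can act on immediately: the same scan the attacker ran over exported Case text, run by the defender to work out which customers must be told to rotate what. The following is an added example, not Cloudflare's or Salesforce's own tooling. The Case records are constructed (the AWS key is the documented example key, the other values are made up), and the pattern set covers only a few common secret shapes and is meant to be extended. Hits are reported as truncated SHA-256 fingerprints so the triage report does not re-expose the secret.

```python
"""Scan exported support-case text for credentials customers pasted in.

Added example; SAMPLE_CASES are constructed records, PATTERNS are a starter set.
"""
import hashlib
import re
from dataclasses import dataclass

PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Constructed sample Case export (Id, AccountName, Subject, Description).
SAMPLE_CASES = [
    {"Id": "5001", "AccountName": "Acme Corp", "Subject": "API calls failing",
     "Description": "Our key AKIAIOSFODNN7EXAMPLE returns 403 since yesterday."},
    {"Id": "5002", "AccountName": "Acme Corp", "Subject": "Webhook auth",
     "Description": "Request header: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQtdmFsdWU "
                    "and the service account uses password=hunter2secret"},
    {"Id": "5003", "AccountName": "Globex", "Subject": "Latency",
     "Description": "Seeing 300ms p99 from eu-west, trace id abc123."},
    {"Id": "5004", "AccountName": "Globex", "Subject": "SSH key",
     "Description": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA\n-----END OPENSSH PRIVATE KEY-----"},
]


@dataclass(frozen=True)
class SecretHit:
    case_id: str
    kind: str
    fingerprint: str   # first 12 hex chars of SHA-256(secret); never the value itself


def scan_text(case_id: str, text: str) -> list:
    """Return one SecretHit per pattern match in the given case text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # Use the capture group where the pattern has one, else the whole match.
            secret = m.group(1) if m.groups() else m.group(0)
            fp = hashlib.sha256(secret.encode()).hexdigest()[:12]
            hits.append(SecretHit(case_id, kind, fp))
    return hits


def triage(cases=SAMPLE_CASES) -> dict:
    """Group hits by customer account so each customer gets one rotation notice."""
    by_account = {}
    for case in cases:
        hits = scan_text(case["Id"], case["Subject"] + "\n" + case["Description"])
        if hits:
            by_account.setdefault(case["AccountName"], []).extend(hits)
    return by_account


if __name__ == "__main__":
    for account, hits in triage().items():
        kinds = sorted({h.kind for h in hits})
        print(f"{account}: {len(hits)} credential(s) in cases "
              f"{sorted({h.case_id for h in hits})}; rotate: {kinds}")
```

Run over a real export, the output is the list of customers to notify and the kind of secret each must rotate; the fingerprint lets you match a hit against a later rotation confirmation without ever storing the secret a second time. The clean latency case produces nothing, which is the point of scanning rather than notifying every case owner blindly.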
Broader Implications
The incident reflects the growing threat of SaaS supply chain attacks, where a single compromised vendor can expose hundreds of downstream organizations. As enterprises increasingly rely on interconnected third-party apps, securing API access, identity management, and token hygiene becomes critical to mitigating future risks.
{'affected_entities': [{'customers_affected': 'Business contact information, '
'internal sales account and case '
'data',
'industry': 'Cybersecurity',
'name': 'Palo Alto Networks',
'type': 'Enterprise'},
{'customers_affected': 'Business contact information, '
'product licensing and '
'commercial information, support '
'case data',
'industry': 'Cybersecurity',
'name': 'Zscaler',
'type': 'Enterprise'},
{'customers_affected': 'Business contact information, '
'support case data (including '
'logs, tokens, passwords)',
'industry': 'Cybersecurity/Network Services',
'name': 'Cloudflare',
'type': 'Enterprise'}],
'attack_vector': 'Compromised OAuth tokens via third-party integration '
'(Salesloft Drift)',
'customer_advisories': 'Rotate credentials, monitor for '
'phishing/smishing/vishing attacks using exfiltrated '
'data, review Salesforce audit logs for unusual '
'activity.',
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Plain text',
'Attachments',
'Images',
'Logs'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (credentials, PII, internal '
'business data)',
'type_of_data_compromised': ['Business contact information',
'Support case data (logs, '
'tokens, passwords)',
'Product licensing and '
'commercial information',
'SOQL queries',
'Attachments/files/images']},
'description': 'A supply chain attack involving the compromise of OAuth '
'tokens from the Salesloft Drift third-party application, '
'leading to mass exfiltration of sensitive data from '
'Salesforce objects such as Account, Contact, Case, and '
'Opportunity records. The attack impacted hundreds of '
'organizations, including Palo Alto Networks, Zscaler, and '
'Cloudflare.',
'impact': {'brand_reputation_impact': 'Erosion of trust due to third-party '
'integration failure, particularly for '
'vendors in the SASE space',
'data_compromised': 'Business contact information (names, email '
'addresses, job titles, phone numbers, '
'regional/location details), product licensing '
'and commercial information, plain text '
'content from support cases (including logs, '
'tokens, passwords), Salesforce Object Query '
'Language (SOQL) queries, '
'attachments/files/images in some cases',
'identity_theft_risk': 'High (exfiltrated PII and credentials)',
'operational_impact': 'Potential phishing/smishing/vishing '
'campaigns using exfiltrated data, '
'credential rotation requirements, audit and '
'remediation efforts',
'systems_affected': 'Salesforce CRM platform (Account, Contact, '
'Case, Opportunity objects)'},
'initial_access_broker': {'entry_point': 'Compromised OAuth tokens via '
'Salesloft Drift integration',
'high_value_targets': ['Account',
'Contact',
'Case',
'Opportunity records']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Third-party integrations pose significant supply chain '
'risks, OAuth tokens must be treated with the same '
'security as passwords, zero trust principles (e.g., token '
'expiration, periodic revocation) are critical, API '
'security and monitoring must be prioritized, transparency '
'and accountability in incident response build trust.',
'motivation': 'Data exfiltration for credential harvesting, potential further '
'attacks or dark web sales',
'post_incident_analysis': {'corrective_actions': 'Strengthen SaaS security, '
'enforce zero trust for '
'third-party apps, enhance '
'API monitoring, rotate '
'credentials, revoke unused '
'tokens, improve third-party '
'contract security language',
'root_causes': 'Stolen or misconfigured OAuth '
'tokens, insufficient monitoring of '
'API access, lack of zero trust '
'principles (e.g., token '
'expiration), third-party '
'integration risks'},
'recommendations': ['Conduct thorough reviews of Salesforce login history, '
'audit trails, and API access logs for unusual activity.',
'Rotate credentials and revoke unused OAuth tokens.',
'Enforce token expiration and periodic token refreshes.',
'Strengthen SaaS environments and toolchain security.',
'Periodically revisit third-party contracts to include '
'security language (breach notification, right to audit, '
'data handling, sub-processor transparency).',
'Enhance monitoring of API calls and SOQL queries for '
'suspicious patterns.',
'Adopt a zero trust mindset for third-party applications '
'and SaaS.',
'Educate employees on the risks of storing sensitive data '
'in insecure fields (e.g., support case notes).'],
'references': [{'source': 'Cloudflare Blog'},
{'source': 'Palo Alto Networks Unit 42 Threat Brief'},
{'source': 'Zscaler Statement'},
{'source': 'Evan Schuman (CSO Online)'}],
'response': {'communication_strategy': 'Public disclosures via blogs and '
'statements, customer advisories to '
'rotate credentials, transparency '
'about incident details and '
'responsibility',
'containment_measures': 'Rotation of credentials, review of '
'Salesforce login history and audit '
'trails, revocation of unused OAuth '
'tokens, enforcement of token expiration',
'enhanced_monitoring': 'Review of Salesforce Event Monitoring '
'logs, hunting for suspicious login '
'attempts and unusual data access '
'patterns, monitoring for Python/3.11 '
'aiohttp/3.12.15 user agent string and '
'known threat actor IP addresses',
'remediation_measures': 'Strengthening SaaS environments and '
'toolchain security, periodic review of '
'third-party contracts for security '
'language, enhanced monitoring of API '
'access logs'},
'stakeholder_advisories': 'Customers urged to rotate credentials, review '
'Salesforce logs for suspicious activity, and treat '
'any shared support case data as compromised.',
'title': 'Salesforce Data Breach via Salesloft Drift Third-Party Integration',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Misconfigured or stolen OAuth tokens, '
'insufficient monitoring of API access logs'}