
Palo Alto Networks Hit by Attack, Business Data Leaked Through Salesloft's AI Platform
By VELSICURO
21 September 2025
International

Palo Alto Networks confirmed that it was the victim of a major cyberattack targeting its supply chain. The attack used Salesloft's Drift application, an AI platform for chatbots and customer interactions.

The perpetrators, identified by Google Threat Intelligence as the UNC6395 group, exploited a vulnerability in OAuth authentication tokens. Using these tokens, they successfully infiltrated the company's Salesforce environment and stole highly sensitive business data.

This attack highlights the vulnerability of the digital supply chain. A single vulnerability in a third-party application can jeopardise the data security of large companies. Palo Alto Networks is currently working to mitigate the impact of this breach and strengthen its defences against similar attacks in the future.

The latest report from Palo Alto Networks' Unit 42 reveals a clever cyberattack method, in which sensitive business data was stolen from Salesforce through an integration vulnerability with the Salesloft Drift AI platform. This incident highlights the significant risks of the digital supply chain, where a single weak point can compromise many large companies.

  • Chronology of the Attack

Between 8 and 18 August 2025, the attackers, identified as the UNC6395 group by Google Threat Analysis Group, gained access to the Salesforce environment in an unusual way. Instead of hacking the main security system, they exploited OAuth authentication tokens that had been stolen or compromised from the integration between Drift and Salesforce.

Using these tokens, they were able to bypass traditional security systems and directly extract data on a large scale. The data stolen included business contact information, internal sales account data, support case metadata, and even more sensitive customer records.

  • Who Was Affected?

Palo Alto Networks confirmed that their security products were not breached. However, their CRM data remained exposed, which was highly valuable to attackers for conducting follow-up attacks such as spear-phishing or credential theft.

In addition to Palo Alto Networks, other large companies such as Zscaler and Google were also victims. This shows that the hackers did not target a single company, but rather conducted a massive campaign to collect data from various organisations using the Drift platform.

  • How the Attackers Worked

The main method used by UNC6395 was to exploit OAuth tokens. These tokens are digital keys that grant delegated access, and in this case, they were misused to launch mass API queries to various data objects in Salesforce. With this technique, they were able to siphon off large volumes of structured operational and customer data in a short period of time.

This incident serves as an important reminder for companies to always review the security of all third-party integrations they use.

  • Quick Action to Control Damage

Given the chained nature of this attack, the defence response was swift. Palo Alto Networks immediately severed all connections between Drift and their Salesforce environment, then launched an investigation led by the Unit 42 team. Meanwhile, Salesloft and Salesforce revoked all Drift integration tokens and removed the application from AppExchange. Google's analysis later revealed that the scope of the attack was much broader, with the possibility that all Drift tokens had been compromised, not just those related to Salesforce.

To mitigate the impact, Unit 42 and Salesforce urged affected organisations to immediately:

  • Audit Salesforce logs for suspicious activity.
  • Replace all potentially exposed cloud credentials.
  • Adopt Zero Trust principles and limit reliance on third-party integrations without strict verification.
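The first of these steps, auditing CRM logs for suspicious activity, is where the Drift pattern is most visible: one connected app pulling large volumes of rows across many objects in a short window. The detector below is an added example written for this page; it is not code from Palo Alto Networks, Unit 42, Salesforce or Salesloft. It assumes a simplified event shape (`ts`, `app`, `user`, `object`, `rows`) that a real API access log would have to be mapped onto, and the sample events are constructed, not real log data.

```python
"""
Added example (not from the article or any vendor): flag a connected app that
fetches an unusual number of rows across several CRM objects within a short
window, the bulk-query pattern the article attributes to the abused Drift tokens.

Assumed event shape (constructed for this example): a dict with the keys
`ts` (ISO 8601, UTC), `app` (connected app), `user`, `object`, `rows`.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events resembling a CRM API access log; not real data.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:01:00Z", "app": "DriftIntegration", "user": "drift.svc", "object": "Account", "rows": 50000},
    {"ts": "2025-08-10T02:03:00Z", "app": "DriftIntegration", "user": "drift.svc", "object": "Contact", "rows": 120000},
    {"ts": "2025-08-10T02:05:00Z", "app": "DriftIntegration", "user": "drift.svc", "object": "Opportunity", "rows": 30000},
    {"ts": "2025-08-10T02:06:00Z", "app": "DriftIntegration", "user": "drift.svc", "object": "Case", "rows": 80000},
    {"ts": "2025-08-10T09:15:00Z", "app": "MarketingSync", "user": "mkt.svc", "object": "Lead", "rows": 400},
    {"ts": "2025-08-10T09:45:00Z", "app": "MarketingSync", "user": "mkt.svc", "object": "Lead", "rows": 350},
]


def parse_ts(s):
    """Parse the constructed timestamp format into a datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_pulls(events, window=timedelta(minutes=30), min_objects=3, min_rows=100_000):
    """Return {app: finding} for every connected app that, inside any `window`,
    touched at least `min_objects` distinct objects and fetched at least
    `min_rows` rows in total. The finding kept per app is the heaviest window."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(dict(e, t=parse_ts(e["ts"])))

    findings = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e["t"])
        best = None
        start = 0
        # Sliding window over the app's events ordered by time.
        for end, last in enumerate(evs):
            while last["t"] - evs[start]["t"] > window:
                start += 1
            span = evs[start:end + 1]
            objects = sorted({e["object"] for e in span})
            rows = sum(e["rows"] for e in span)
            if len(objects) >= min_objects and rows >= min_rows and (best is None or rows > best["rows"]):
                best = {
                    "app": app,
                    "users": sorted({e["user"] for e in span}),
                    "objects": objects,
                    "rows": rows,
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                }
        if best:
            findings[app] = best
    return findings


def revocation_plan(findings):
    """(app, user) pairs whose integration tokens should be revoked and whose
    access should be reviewed, derived from the detector's findings."""
    return [(f["app"], u) for f in findings.values() for u in f["users"]]


if __name__ == "__main__":
    hits = find_bulk_pulls(SAMPLE_EVENTS)
    for app, f in hits.items():
        print(f"{app}: {f['rows']} rows across {f['objects']} between {f['first']} and {f['last']}")
    print("revoke:", revocation_plan(hits))
```

The thresholds are deliberately tunable: a legitimate nightly sync may pull many rows from one object, so the detector requires breadth across objects as well as volume, which is what distinguished the Drift queries from routine integration traffic. Pair the output with the second step in the list and treat each flagged app's tokens as exposed until rotated.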

The Drift incident is not an isolated case. In parallel, a hacker group called ‘ShinyHunters’ (UNC6040) launched a different but equally dangerous social engineering attack. They used voice phishing (vishing) techniques, posing as IT staff to trick employees into approving malicious Salesforce applications. Once approved, the hackers gained access to highly sensitive CRM environments.

These attacks have claimed many victims, including Google Ads' CRM system, luxury retailers such as LVMH, Chanel, and Adidas, financial institutions such as Allianz Life, and TransUnion, where the data of 4.4 million US consumers was reportedly leaked.

Both attack campaigns highlight one important fact: CRM platforms such as Salesforce are highly valuable targets. The customer, financial, and operational data stored within them make them easy targets for credential theft, phishing, and follow-up attacks.

Some important lessons to be learned from this incident are:

  • OAuth Abuse is a New Threat. Traditional login protections such as MFA are no longer sufficient if OAuth tokens are compromised. Companies must focus on token hygiene, revocation policies, and continuous behaviour monitoring.
  • CRM Data is a Gold Mine of Credentials. Often, passwords and secret keys are inadvertently pasted by employees into CRM records. This creates an often-overlooked but highly exploitable vulnerability.
  • Supply Chain Risks Now Extend to SaaS. These attacks prove that SaaS integration is a critical part of the supply chain. Evaluating, restricting, and monitoring third-party applications is now a core part of corporate security.
  • Technical and Human Threats Go Hand in Hand. The UNC6395 automated attack and ShinyHunters vishing attack demonstrate a two-pronged threat model: one exploits machines, the other manipulates humans. Companies must be able to defend against both simultaneously.
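The second lesson, that credentials pasted into CRM records turn a data leak into a credential leak, is one a defender can act on before a breach by scanning exported record text and rotating whatever turns up. The scanner below is an added example written for this page, not code from Palo Alto Networks or Salesforce. The record format and the sample records are constructed; the AWS access key ID shape (`AKIA` plus 16 uppercase alphanumerics) is a documented public format, while the other patterns are deliberately broad and will need tuning per environment.

```python
"""
Added example (not from the article): scan exported CRM record text, such as
support case comments, for credentials employees may have pasted in, so they can
be rotated before a CRM breach becomes a credential breach. Output is redacted
so the scan report does not itself become another copy of the secret.
"""
import re

# Credential shapes to look for. The AWS access key ID pattern is the published
# format; the password, bearer-token and private-key patterns are broad heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Constructed sample records; the key and password below are fake.
SAMPLE_RECORDS = [
    {"id": "500-0001", "object": "Case",
     "body": "Customer can't log in. Temp creds: password = Summ3rTime2025! until reset."},
    {"id": "500-0002", "object": "Case",
     "body": "Escalated to network team, no further details."},
    {"id": "500-0003", "object": "Case",
     "body": "S3 sync failing; using key AKIAEXAMPLE000000001 from the old account."},
    {"id": "500-0004", "object": "Account",
     "body": "Renewal meeting scheduled for Q4."},
]


def redact(value, keep=4):
    """Keep a short prefix so the owner can recognise the secret, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_record(record):
    """Return one finding per credential-like match in a single record."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(record["body"]):
            # Use the capture group where the pattern has one, else the whole match.
            secret = m.group(1) if m.groups() else m.group(0)
            hits.append({
                "record": record["id"],
                "object": record["object"],
                "type": name,
                "preview": redact(secret),
            })
    return hits


def scan_records(records):
    """Scan a batch of exported records; returns a flat list of findings."""
    findings = []
    for r in records:
        findings.extend(scan_record(r))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['object']} {f['record']}: {f['type']} -> {f['preview']}")
```

Run it over a bulk export of the objects the article names (cases, accounts, contacts) rather than a live API, so the scan itself does not generate the kind of wide, high-volume query traffic the incident turned on. Every finding is a rotation task, not just a cleanup task: deleting the text from the record does nothing if a copy has already left the CRM.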

About Palo Alto Networks

Palo Alto Networks is a cybersecurity company known for its advanced firewall solutions and cloud-based security services. With its AI-powered Strata Network Security platform and Zero Trust principles, it strives to protect digital infrastructure. The company serves more than 70,000 organisations worldwide and plays an important role in the global cybersecurity industry.


Source: Palo Alto Networks. “Threat Brief: Salesloft Drift Integration Used to Compromise Salesforce Instances.” Palo Alto Networks Blog, 2025.
