Full Report
Palo Alto Networks suffered a data breach that exposed customer data and support cases after attackers abused compromised OAuth tokens from the Salesloft Drift breach to access its Salesforce instance. [...]
Analysis Summary
# Incident Report: Palo Alto Networks Salesforce Data Breach via Supply Chain Compromise
## Executive Summary
Palo Alto Networks suffered a data breach impacting its Salesforce CRM after threat actors exploited compromised OAuth tokens allegedly sourced from the Salesloft breach. The incident exposed customer business contact details, internal sales account information, and sensitive contents of customer support tickets, including potential credentials. The company contained the incident by revoking tokens and rotating credentials, limiting the impact solely to the Salesforce instance.
## Incident Details
- Discovery Date: Weekend preceding September 2, 2025 (Customers expressed concern)
- Incident Date: Prior to September 2, 2025 (Part of an ongoing supply-chain campaign)
- Affected Organization: Palo Alto Networks
- Sector: Cybersecurity Technology
- Geography: Not explicitly disclosed (Implied global reach via Salesforce customer base)
## Timeline of Events
### Initial Access
- Date/Time: Unknown, linked to the supply-chain attack affecting Salesloft.
- Vector: Exploitation of compromised OAuth tokens originating from the Salesloft breach.
- Details: The compromised tokens provided unauthorized access to Palo Alto Networks' Salesforce instance.
### Lateral Movement
- Details: Attackers performed mass exfiltration across several Salesforce objects (Account, Contact, Case, Opportunity). They then scanned the acquired data for secrets: AWS access keys (AKIA-prefixed), Snowflake tokens, VPN/SSO strings, and generic keywords such as "password" or "secret", most likely to pivot beyond Salesforce.
### Data Exfiltration/Impact
- Details: Stolen data included business contact details, internal sales account information, and "basic case data" from customer support cases. This data contained exposed IT information, passwords, and authentication tokens that could be reused in further attacks.
### Detection & Response
- Detection: Customer concern over exposed sensitive information in support tickets alerted the organization over the weekend.
- Response Actions: Palo Alto Networks confirmed the incident, published an advisory, revoked the associated OAuth tokens, and rotated compromised credentials. Drift integrations were disabled across Palo Alto Networks, Salesforce, and Google as a precautionary step.
## Attack Methodology (UNC6395 Activity)
- Initial Access: Compromised OAuth tokens (Supply-chain vector via Salesloft breach).
- Persistence: Not detailed; implied through continued use of the valid OAuth session.
- Privilege Escalation: Not explicitly detailed; the token's existing access level already permitted searching sensitive Case and Account records.
- Defense Evasion: Attackers deleted query logs to hide evidence of their extraction jobs (anti-forensics). They used Tor to obfuscate their origin.
- Credential Access: Active scanning of exfiltrated support ticket data specifically for secrets (AWS keys, cloud secrets, passwords).
- Discovery: Mass exfiltration/querying of Salesforce objects (Account, Contact, Case, Opportunity).
- Lateral Movement: Intent to use stolen credentials to pivot into deeper cloud platforms.
- Collection: Mass exfiltration of Salesforce records, followed by localized scanning of collected plaintext secrets.
- Exfiltration: Mass exfiltration of data volumes from Salesforce objects.
- Impact: Data theft and potential compromise of downstream cloud services via stolen secrets.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Business contact details, internal sales account information, and sensitive support case data (including passwords, IT information, AWS access keys, VPN strings, and SSO logins).
- Operational: Limited to the Salesforce CRM instance; no impact reported on Palo Alto Networks products, systems, or services.
- Reputational: Moderate, as customers reported the exposure prior to official confirmation.
## Indicators of Compromise
- Network Indicators (Defanged): Use of the Tor network for origin obfuscation.
- File Indicators: N/A (Activity largely confined to API/platform interaction).
- Behavioral Indicators: Use of custom tools identified by User-Agent strings: `python-requests/2.32.4`, `Python/3.11`, `aiohttp/3.12.15`, `Salesforce-Multi-Org-Fetcher/1.0`, `Salesforce-CLI/1.0`. Mass querying of Salesforce objects visible in Salesforce API logs.
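As an added example (not part of the original report), the following script shows how a defender could hunt for the behavioral indicators above in API activity logs: it flags requests carrying the listed User-Agent strings and users whose combined row counts across the four bulk-queried objects exceed a threshold. The log records, their column names and the threshold are constructed simplifications, not Salesforce's exact EventLogFile schema.

```python
import csv
import io
from collections import defaultdict

# Constructed, simplified API-activity records; column names are assumptions
# for this example and do not mirror Salesforce's real event log format.
SAMPLE_LOG = """timestamp,user_id,user_agent,entity,rows_processed
2025-08-30T01:00:01Z,005A1,Mozilla/5.0 (Windows NT 10.0),Account,50
2025-08-30T01:02:10Z,005B2,python-requests/2.32.4,Account,2000
2025-08-30T01:03:55Z,005B2,python-requests/2.32.4,Contact,2000
2025-08-30T01:05:30Z,005B2,Salesforce-Multi-Org-Fetcher/1.0,Case,2000
2025-08-30T01:07:12Z,005B2,aiohttp/3.12.15,Opportunity,2000
2025-08-30T01:09:00Z,005C3,Salesforce-CLI/1.0,Case,10
"""

# User-Agent strings listed in the report's behavioral indicators.
SUSPICIOUS_UA_PREFIXES = (
    "python-requests/2.32.4",
    "Python/3.11",
    "aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
)
# Objects the report says were bulk-queried.
TARGET_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
# Constructed threshold; a production detector would also window by time.
BULK_ROW_THRESHOLD = 5000


def analyze(log_text: str, threshold: int = BULK_ROW_THRESHOLD) -> dict:
    """Return {'ua_hits': [...], 'bulk_users': {...}} for the given log text."""
    ua_hits = []
    rows_by_user = defaultdict(int)
    objects_by_user = defaultdict(set)
    for rec in csv.DictReader(io.StringIO(log_text)):
        ua = rec["user_agent"]
        if ua.startswith(SUSPICIOUS_UA_PREFIXES):
            ua_hits.append((rec["timestamp"], rec["user_id"], ua, rec["entity"]))
        if rec["entity"] in TARGET_OBJECTS:
            rows_by_user[rec["user_id"]] += int(rec["rows_processed"])
            objects_by_user[rec["user_id"]].add(rec["entity"])
    bulk_users = {
        uid: {"rows": rows, "objects": sorted(objects_by_user[uid])}
        for uid, rows in rows_by_user.items() if rows >= threshold
    }
    return {"ua_hits": ua_hits, "bulk_users": bulk_users}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample above, every request from user 005B2 matches a listed User-Agent and the user's 8000 rows across all four objects trip the bulk threshold, while the single Salesforce-CLI/1.0 request from 005C3 is reported only as a User-Agent hit.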
## Response Actions
- Containment: Revocation of compromised OAuth tokens; disabling third-party integrations (Drift).
- Eradication: Rotation of all potentially compromised credentials found within the exfiltrated data, focusing on secrets, keys, and access tokens.
- Recovery: Ensuring integrity of existing data and hardening Salesforce security posture.
## Lessons Learned
- Supply Chain Risk: Authentication tokens obtained through third-party compromise (Salesloft) are a potent attack vector against cloud environments like Salesforce.
- Data Leakage in Support: Customer support tickets represent high-value targets as they frequently contain sensitive operational information, credentials, and secrets.
- Visibility: Attackers actively engaged in anti-forensics (deleting query logs), highlighting the need for robust, centralized, and immutable logging solutions independent of the execution environment.
## Recommendations
- Implement strict MFA and conditional access policies for all connected cloud services, even when a valid OAuth token is presented.
- Enhance data loss prevention (DLP) within customer-facing systems like Salesforce to flag or block support tickets containing high-sensitivity keywords (e.g., "password," "key," "secret").
- Review and minimize the storage of privileged secrets (AWS keys, VPN tokens) within support documentation or non-vaulted systems.
- Conduct regular audits of OAuth application permissions and token lifespans.
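As an added example (not part of the original report), the following scanner illustrates the DLP control recommended above: it checks support case text for the secret types the attackers hunted for (AKIA-prefixed AWS access key IDs, credential keywords followed by a value, VPN/SSO references), returns redacted findings, and decides whether the ticket should be quarantined. The sample case text, the keyword heuristic and the blocking policy are constructed for illustration.

```python
import re

# Constructed sample support case text; the key and password are not real.
SAMPLE_CASE = """Hi support, our VPN tunnel keeps dropping.
For your convenience the admin password is Winter2025! and the
S3 sync uses access key AKIAEXAMPLEKEY000001 (secret key rotated last week).
SSO login: jdoe@example.com
"""

# Patterns for the secret types named in the report; the named group "v"
# captures the sensitive value when one can be isolated.
PATTERNS = {
    # AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Constructed heuristic: credential keyword, a separator, then a value.
    "credential_keyword": re.compile(
        r"\b(?:password|secret|token|api[_ -]?key)\b\s*(?:is|[:=])\s*(?P<v>\S+)", re.I
    ),
    # VPN/SSO strings the attackers searched for.
    "sso_or_vpn_reference": re.compile(r"\b(?:sso|vpn)\b\s+(?:login|tunnel|config)\b", re.I),
}


def redact(value: str) -> str:
    """Keep a 4-character prefix so analysts can correlate without seeing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_case(text: str) -> list:
    """Return a list of {line, type, preview} findings for the case text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.groupdict().get("v") or m.group(0)
                findings.append({"line": line_no, "type": name, "preview": redact(value)})
    return findings


def should_block(findings: list) -> bool:
    """Policy: quarantine a ticket that carries a concrete credential, not just a reference."""
    return any(f["type"] in ("aws_access_key_id", "credential_keyword") for f in findings)


if __name__ == "__main__":
    found = scan_case(SAMPLE_CASE)
    for f in found:
        print(f"line {f['line']}: {f['type']} -> {f['preview']}")
    print("block:", should_block(found))
```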