Palo Alto Networks, Zscaler Among Victims of Salesforce Hack

Supply chain attack hits Salesforce and Salesloft Drift; customer data exposed as Palo Alto, Zscaler report breaches tied to UNC6395.

Written by Jordan Smith, Sep 2, 2025

Last week, a widespread supply chain attack exposed customers’ contact information through stolen OAuth tokens belonging to Salesloft Drift, an AI-powered third-party application that connects to customers’ Salesforce instances to automate sales workflows. Because Drift held valid tokens for each customer’s Salesforce environment, compromising Drift gave the attacker a path into all of those environments at once.

Top security vendors confirm data breach and notify affected customers

Palo Alto Networks and Zscaler have confirmed that they have fallen victim to the data breach.

The threat actor, designated UNC6395, exported data from victims’ Salesforce instances between August 8 and 18, 2025, and then searched it for credentials, including AWS access keys, Snowflake tokens, and passwords, that could be used to reach further systems.

UNC6395 authenticated with the legitimate OAuth access tokens issued to the Drift connected app, so its API requests looked like normal Drift activity. Controls that gate interactive logins, such as password policies and login-based anomaly detection, never came into play, which made the activity hard to spot.

Salesforce says that once its security teams detected the activity, Salesloft and Salesforce invalidated all active access and refresh tokens for the Drift app and removed Drift from AppExchange. Salesforce then notified affected customers.

Salesforce disables integrations in response to attack

“We’re continuing to work with Salesloft as part of our investigation and provide updates as appropriate, including notifying and supporting affected customers with remediation,” Salesforce said in an informational message.

Salesloft and Salesforce revoked all active OAuth tokens associated with the Drift application on August 20, 2025, which cut off the access path the attacker had been using.

Additionally, on August 28, 2025, Salesforce disabled all integrations between Salesforce and Salesloft technologies, including the Drift app. Salesforce has stated that organizations won’t be able to connect to Salesforce via any Salesloft apps until further notice.

“Disabling the connection is a precautionary measure to help safeguard customer environments while we continue to assess and address the situation,” Salesforce said. “We recognize this change may cause disruption and will provide further updates as more information becomes available.”

Zscaler confirms customer data stolen

According to Zscaler, the breach was confined to its Salesforce environment and didn’t affect its core security products, services, or underlying infrastructure.

The compromised data consisted of commonly available business contact details and Salesforce-specific content, such as:

  • Names and business email addresses
  • Job titles and phone numbers
  • Regional and location details
  • Zscaler product licensing and commercial information
  • Plain text content from certain support cases (excluding attachments, files, and images)

Zscaler says it has not found evidence that the information has been misused and will provide further updates should this change.

“Although the incident’s scope remains limited and no evidence of misuse has been found, we recommend that customers maintain heightened vigilance,” Zscaler said in a post. “Please be wary of potential phishing attacks or social engineering attempts, which could leverage exposed contact details.”

Palo Alto Networks makes recommendations

Unit 42, Palo Alto Networks’ threat intelligence and incident response team, found that the threat actor performed mass exfiltration of sensitive data from multiple Salesforce objects, including Account, Contact, Case, and Opportunity records.

Following the exfiltration, UNC6395 appeared to scan the acquired data for credentials with the intention of facilitating further attacks or expanding its access.

Unit 42 also made recommendations for organizations that use the Salesloft Drift integration with Salesforce, going beyond the steps Salesloft itself took, such as the token revocation. These include:

  • Immediate investigation and log review:
    • Drift API integrations: Review all Drift integrations, and review authentication activity in every connected third-party system for signs of suspicious connections, credential harvesting, and data exfiltration.
    • Salesforce logs: Review Salesforce login history, audit trails, and API access logs for the period from August 8 to the present.
    • Identity provider logs: Review identity provider logs for unusual authentication attempts or successful logins to Salesforce or other integrated applications during the incident period.
    • Network logs: Analyze network flow logs and proxy logs for connections to Salesforce from suspicious IPs or with unusual data transfer volumes.
  • Review and rotate exposed credentials:
    • Automated tools: Run automated secret-scanning tools against code repositories, configuration files, and any data believed to have been exfiltrated.
    • Data scrutiny: If exfiltration is confirmed or suspected, review the affected data for embedded credentials.
    • Immediate rotation: Rotate every credential found in the exfiltrated data, including Salesforce API keys, connected app credentials, and any other system credentials the data contained.
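As an added illustration, not code from the article, Unit 42, Salesloft, or Salesforce, the Python script below shows what two of the steps above look like in practice: reviewing Salesforce API access logs for bulk reads by the Drift connected app from August 8 onward (or from IPs Drift is not known to use), and scanning exposed support-case text for credentials that need rotating. The log schema, the 10,000-row “bulk” threshold, the list of known Drift egress IPs, and both sample inputs are assumptions constructed for the example; the log columns are a simplified stand-in for whatever export you actually pull from Salesforce, not its real EventLogFile format.

```python
"""Triage helpers for the Salesloft Drift / Salesforce incident described above.

Two checks the recommendations call for:
  1. review Salesforce API access logs for bulk reads by the Drift connected app
     from August 8, 2025 onward, or from IPs you do not recognise;
  2. scan exfiltrated (or suspected-exfiltrated) text for embedded credentials.

The log schema below is a simplified stand-in, not Salesforce's real EventLogFile
format; adapt the column names to the export you actually have.
"""
import csv
import io
import re
from datetime import datetime, timezone

INCIDENT_START = datetime(2025, 8, 8, tzinfo=timezone.utc)   # start of UNC6395 activity per the article
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}  # objects Unit 42 saw exfiltrated
ROW_THRESHOLD = 10_000                            # assumed tuning knob: rows per call that counts as "bulk"
KNOWN_EGRESS_IPS = frozenset({"203.0.113.10"})   # assumed: IPs Drift normally connects from

# Constructed sample log; the IPs are RFC 5737 documentation addresses.
SAMPLE_API_LOG = """timestamp,user,connected_app,client_ip,entity,rows
2025-08-07T09:00:00Z,sales.bot@example.com,Drift,203.0.113.10,Contact,120
2025-08-10T02:14:00Z,sales.bot@example.com,Drift,198.51.100.7,Account,48000
2025-08-10T02:20:00Z,sales.bot@example.com,Drift,198.51.100.7,Contact,210000
2025-08-10T02:31:00Z,sales.bot@example.com,Drift,198.51.100.7,Case,35000
2025-08-12T11:05:00Z,alice@example.com,Salesforce Mobile,203.0.113.10,Opportunity,25
2025-08-15T03:00:00Z,sales.bot@example.com,Drift,198.51.100.7,Opportunity,90000
"""

# Constructed support-case text of the kind the article says was exposed; the AWS
# key is the public documentation example key and the JWT is made up.
SAMPLE_CASE_TEXT = """Customer reports the sync job fails. Their config, pasted inline:
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db password=Hunter2!
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abcdefghijklmnop
"""

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "jwt_like_token": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def parse_api_log(text):
    """Parse the CSV export into dicts with a timezone-aware timestamp and int rows."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        row["rows"] = int(row["rows"])
        records.append(row)
    return records


def flag_drift_activity(records, known_ips=KNOWN_EGRESS_IPS, window_start=INCIDENT_START,
                        window_end=None, row_threshold=ROW_THRESHOLD):
    """Return Drift API calls inside the incident window that look like exfiltration.

    A call is flagged when it reads a sensitive object in bulk, or comes from an IP
    Drift is not known to use. window_end=None means "to present".
    """
    findings = []
    for r in records:
        if r["connected_app"] != "Drift":
            continue
        if r["timestamp"] < window_start or (window_end and r["timestamp"] > window_end):
            continue
        reasons = []
        if r["entity"] in SENSITIVE_OBJECTS and r["rows"] >= row_threshold:
            reasons.append("bulk_read")
        if r["client_ip"] not in known_ips:
            reasons.append("unknown_ip")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


def mask(secret):
    """Keep only the ends so a report can identify a hit without re-leaking it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_for_secrets(text):
    """Return (label, masked_match) for every credential-looking string in text."""
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((label, mask(m.group(0))))
    return hits


if __name__ == "__main__":
    for f in flag_drift_activity(parse_api_log(SAMPLE_API_LOG)):
        print(f"{f['timestamp']:%Y-%m-%d %H:%M} {f['client_ip']:>14} {f['entity']:<12} "
              f"rows={f['rows']:<7} {','.join(f['reasons'])}")
    for label, masked in scan_for_secrets(SAMPLE_CASE_TEXT):
        print(f"rotate: {label} {masked}")
```

Two design points worth noting. The incident window is open-ended by default because the recommendation is to review from August 8 “to present”, and the known-IP allow-list is kept separate from the row threshold so that a low-volume read from an unfamiliar address is still surfaced. Every secret hit is masked before it is reported, since a triage report that reproduces the keys in full is itself a new exposure.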


Jordan Smith is a news writer who has seven years of experience as a journalist, copywriter, podcaster, and copyeditor. He has worked with both written and audio media formats, contributing to IT publications such as MeriTalk, HCLTech, and Channel Insider, and participating in podcasts and panel moderation for IT events.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved