
Palo Alto Networks and Cloudflare confirmed that they experienced a data breach after threat actors exploited stolen OAuth authentication tokens from the widespread Salesloft supply chain attack to infiltrate the companies' Salesforce CRM environments and extract sensitive customer information.
The breach primarily affected business contact information, internal sales account records, and basic support case data within Palo Alto Networks' Salesforce environment. Critically, the company confirmed that no product systems, core services, or technical support attachments were compromised during the incident.
However, the Salesforce data theft operation specifically targeted support cases to identify authentication credentials and cloud secrets that could facilitate lateral movement into additional cloud infrastructure.
This methodology aligns with the broader campaign's objective of credential harvesting for subsequent extortion attacks.
Cloudflare’s investigation revealed that hackers compromised the company’s Salesforce tenant and stole data between August 12 and 17, following initial reconnaissance observed on August 9, 2025.
The exposure was limited to Salesforce case objects, primarily consisting of customer support tickets and their associated data, such as customer contact information related to the case and correspondence subject and body. “Anything shared through this channel should now be considered compromised,” Cloudflare said.
A Salesloft update announced that Drift will be “taken offline in the very near future.”
The cybersecurity incident originated from compromised OAuth tokens obtained through the Salesloft Drift application breach, enabling unauthorized access to Salesforce instances across multiple organizations.
Threat actors, tracked as UNC6395 by Google's Threat Intelligence team (TIG), executed automated data exfiltration operations targeting critical Salesforce objects. Technical forensics revealed that the attackers employed custom Python tools with specific user-agent strings.
The threat actors systematically searched the stolen case data for high-value credentials, including AWS access key IDs (prefixed with AKIA), Snowflake tokens, VPN authentication strings, and generic secrets identified by keywords such as "password," "secret," or "key."
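The defender-side counterpart to that search, added here as an illustration and not code from the article or from any company it names: a triage pass over exported Salesforce case records that flags the same credential categories the attackers hunted for, so each affected case becomes a rotation ticket. The case records, regular expressions and Ids are constructed for this example, and the AWS key shown is AWS's documented example key, not a live credential.

```python
import re

# Constructed sample of Salesforce Case records (Subject + Body) of the kind a
# defender would export from an affected tenant to decide what to rotate.
# Every value here is made up; the AWS key is AWS's documented example key.
SAMPLE_CASES = [
    {"Id": "500EXAMPLE001", "Subject": "VPN not connecting",
     "Body": "I tried our key AKIAIOSFODNN7EXAMPLE and the VPN password Winter2025! still fails."},
    {"Id": "500EXAMPLE002", "Subject": "Snowflake export broken",
     "Body": "Our Snowflake service account token expired, can you reissue it?"},
    {"Id": "500EXAMPLE003", "Subject": "Billing question",
     "Body": "Can you resend last month's invoice?"},
]

# Heuristics mirroring the categories the article says UNC6395 searched for.
# These are triage patterns written for this example, not a complete secret scanner.
PATTERNS = {
    # AWS access key IDs are 20 characters beginning with AKIA.
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Any mention of Snowflake is worth review, since the campaign targeted Snowflake tokens.
    "snowflake_reference": re.compile(r"\bsnowflake\b", re.IGNORECASE),
    # A keyword followed by a candidate value, using the keywords the attackers grepped for.
    "secret_keyword": re.compile(r"\b(?:password|secret|key)\b\s*[:=]?\s*(\S+)", re.IGNORECASE),
}


def scan_cases(cases):
    """Return (case_id, category, matched_text) for every hit, in case order."""
    hits = []
    for case in cases:
        text = f"{case.get('Subject', '')}\n{case.get('Body', '')}"
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                hits.append((case["Id"], category, match.group(0)))
    return hits


def rotation_worklist(cases):
    """Group hits per case so each affected case becomes one rotation ticket."""
    worklist = {}
    for case_id, category, _ in scan_cases(cases):
        worklist.setdefault(case_id, set()).add(category)
    return {case_id: sorted(cats) for case_id, cats in worklist.items()}


if __name__ == "__main__":
    for case_id, categories in rotation_worklist(SAMPLE_CASES).items():
        print(case_id, ", ".join(categories))
```

Cases with no hits are left off the worklist, but per Cloudflare's guidance above, everything in the exported channel should still be treated as exposed; the worklist only prioritises which secrets to rotate first.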
The incident demonstrates the cascading effects of supply chain compromises, as the Salesloft Drift breach has impacted numerous high-profile organizations, including Zscaler, Google, and multiple Fortune 500 companies.
The threat actors employed anti-forensics techniques, including query deletion and Tor network obfuscation, to evade detection and maintain persistent access, reports say.
Palo Alto Networks has implemented comprehensive remediation measures, and Cloudflare launched a company-wide Security Incident Response.
This disclosure comes after Google recently clarified that the compromise is not limited to the Salesforce integration and that all authentication tokens stored in or connected to the Drift platform are potentially compromised.
Hackers allegedly from Scattered Spider, Lapsus$, and ShinyHunters threatened Google with a data breach unless the tech giant fired prominent TIG and Mandiant employees.
The recent wave of Salesforce-related breaches has been attributed to Scattered Spider (UNC3944) and ShinyHunters (UNC6040), according to Google. The breach was also claimed by ShinyHunters ransomware. In June, Google reported that ShinyHunters targeted Salesforce via phishing.