Palo Alto Networks has confirmed it was one of several companies impacted by the ongoing Salesloft Drift supply-chain attack, in which attackers used stolen OAuth tokens to infiltrate its Salesforce environment. The breach resulted in the exposure of customer contact data, internal account records, and comments from support cases, though no Palo Alto Networks products, infrastructure, or core systems were directly compromised.
The campaign, attributed by Google Threat Intelligence to a threat cluster it tracks as UNC6395, targeted cloud and SaaS ecosystems rather than on-premises infrastructure. The attackers used OAuth tokens stolen from the Salesloft Drift application to authenticate to the Salesforce instances connected to it, with whatever data access the Drift integration had been granted, and then performed mass data exfiltration through the Salesforce API.
Using custom-built Python tooling, identifiable by user-agent strings such as python-requests/2.32.4 and Salesforce-Multi-Org-Fetcher/1.0, the attackers extracted records from multiple Salesforce objects, including Account, Contact, Case, and Opportunity. Investigators noted:
- Systematic scanning of stolen data for credentials and secrets, such as AWS access keys, Snowflake tokens, VPN credentials, and SSO login details.
- Use of Tor networks to hide operational origins and hinder attribution.
- Anti-forensic techniques, such as deleting query logs, to obscure their activity within Salesforce environments.
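The three behaviours above are all visible in Salesforce API activity, which makes them huntable. The script below is an added example written for this article, not code from the original page, Google, Salesforce or Palo Alto Networks. It assumes a simplified export of Salesforce Event Monitoring data with the fields user, source_ip, user_agent, event_type, soql and rows_processed (real column names differ and must be mapped first), an externally maintained Tor exit-node list, an assumed event type name for Bulk API job deletion, and a constructed set of sample events. It flags the reported user agents, Tor sources, bulk reads of the targeted objects and job deletions, then rolls the bulk reads up per identity, because one integration account sweeping several CRM objects is the signature of exfiltration rather than of a normal sync.

```python
"""
Hunt for UNC6395-style access in Salesforce API activity.

Added example, not code from the original article, Google, Salesforce or
any vendor. The record layout is an assumed simplification of an Event
Monitoring export; the Tor exit list, the job-deletion event type name
and the sample events are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Indicators reported for this campaign.
SUSPICIOUS_USER_AGENTS = {"python-requests/2.32.4", "Salesforce-Multi-Org-Fetcher/1.0"}
TARGET_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
BULK_ROW_THRESHOLD = 10_000  # assumed: tune to the org's normal API volume

# Assumed: a current Tor exit-node list loaded from elsewhere (constructed here).
TOR_EXIT_NODES = {"198.51.100.7"}

# Assumed event type name for deletion of a Bulk API query job (anti-forensics).
JOB_DELETE_EVENT = "BulkApiJobDelete"

SOQL_FROM = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def soql_object(query):
    """Return the primary object a SOQL query reads, or None."""
    m = SOQL_FROM.search(query or "")
    return m.group(1) if m else None


def event_reasons(ev):
    """Reasons a single API event matches the campaign's tradecraft."""
    reasons = []
    if ev.get("user_agent") in SUSPICIOUS_USER_AGENTS:
        reasons.append("known campaign user agent")
    if ev.get("source_ip") in TOR_EXIT_NODES:
        reasons.append("request from Tor exit node")
    obj = soql_object(ev.get("soql"))
    if obj in TARGET_OBJECTS and ev.get("rows_processed", 0) >= BULK_ROW_THRESHOLD:
        reasons.append(f"bulk export of {obj}")
    if ev.get("event_type") == JOB_DELETE_EVENT:
        reasons.append("query job deleted (anti-forensics)")
    return reasons


def hunt(events):
    """Per-event matches plus a per-identity roll-up of objects bulk-read."""
    findings = []
    exported_by_user = defaultdict(set)
    for idx, ev in enumerate(events):
        reasons = event_reasons(ev)
        if reasons:
            findings.append({"index": idx, "user": ev.get("user"), "reasons": reasons})
        for r in reasons:
            if r.startswith("bulk export of "):
                exported_by_user[ev.get("user")].add(r.split()[-1])
    # A single bulk read of one object may be the integration's normal sync;
    # one identity sweeping two or more CRM objects is what mass exfiltration looks like.
    sweepers = {u: objs for u, objs in exported_by_user.items() if len(objs) >= 2}
    return findings, sweepers


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:11:03Z", "user": "drift-integration@example.com",
     "source_ip": "198.51.100.7", "user_agent": "python-requests/2.32.4",
     "event_type": "BulkApiQuery", "soql": "SELECT Id, Name FROM Account",
     "rows_processed": 250_000},
    {"ts": "2025-08-09T02:14:40Z", "user": "drift-integration@example.com",
     "source_ip": "198.51.100.7", "user_agent": "Salesforce-Multi-Org-Fetcher/1.0",
     "event_type": "BulkApiQuery", "soql": "SELECT Id, Subject, Description FROM Case",
     "rows_processed": 120_000},
    {"ts": "2025-08-09T02:20:12Z", "user": "drift-integration@example.com",
     "source_ip": "198.51.100.7", "user_agent": "Salesforce-Multi-Org-Fetcher/1.0",
     "event_type": JOB_DELETE_EVENT, "soql": None, "rows_processed": 0},
    {"ts": "2025-08-09T09:02:55Z", "user": "analyst@example.com",
     "source_ip": "203.0.113.5", "user_agent": "Mozilla/5.0",
     "event_type": "ApiQuery", "soql": "SELECT Id FROM Contact WHERE Email = 'a@b.c'",
     "rows_processed": 1},
]

if __name__ == "__main__":
    found, sweepers = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f['index']} ({f['user']}): {', '.join(f['reasons'])}")
    print("identities bulk-reading multiple objects:", sweepers)
```

The user-agent match is the weakest signal, since the attacker can change it at will and python-requests/2.32.4 is a stock value any script might send; the roll-up of bulk reads per identity and the job-deletion events are the signals worth alerting on once the named strings have been swept for.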
The scope of this campaign extends far beyond Palo Alto Networks. Google, Cisco, Zscaler, and multiple Fortune 500 companies have reported similar breaches, making this a wide-reaching supply-chain compromise that highlights how interconnected SaaS tools create a single point of failure for enterprise security.
Although Palo Alto Networks contained the attack quickly, the breach highlights deeper challenges organizations face when securing SaaS ecosystems. Even without a direct compromise of internal infrastructure, the exposure of customer data—particularly information shared through support cases—can erode trust and damage relationships. For enterprise customers, who often include sensitive technical details in these interactions, this kind of breach undermines confidence in a company’s ability to safeguard their data.
The incident also demonstrates the fragility of modern software supply chains. A single weak link, in this case a trusted vendor like Drift, created a cascade of risk across hundreds of organizations. As businesses increasingly depend on third-party SaaS tools, managing vendor risk has become just as critical as strengthening internal security measures.
Regulatory pressure adds another layer of complexity. With frameworks like GDPR, NIS2, and CCPA enforcing strict requirements for data protection and breach reporting, companies must navigate heightened scrutiny following incidents like this. These investigations often lead to additional audits, regulatory filings, and potential fines, further amplifying the cost of a breach.
Addressing a security event of this scale requires considerable operational effort. Security teams must revoke the OAuth tokens held by the affected integration, rotate any credentials that appear in the exposed records, review logs, and audit every third-party integration across their SaaS environment, often diverting time and resources away from innovation and core business priorities. Meanwhile, the stolen data itself poses a lasting risk. Credentials and secrets extracted from Salesforce records can be weaponized in future attacks, allowing threat actors to infiltrate other platforms, steal additional data, and escalate extortion campaigns. This creates a multiplier effect, transforming a single breach into an ongoing security challenge that may persist long after the initial incident.
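Knowing what to rotate means doing to the exposed data what the attackers did to it: scanning it for secrets. The script below is an added example, not code from the original article or from any vendor. It runs a small set of secret patterns over the free-text fields of exported Case and Contact records, reports each hit with the value redacted, and groups the hits by secret type so the output reads as a rotation worklist. The record layout, the field names and the sample texts are constructed; the AWS access key ID in the sample is the placeholder value AWS uses in its own documentation, not a real credential. Pattern coverage is deliberately narrow (an unmistakable AWS key ID prefix, private-key headers, Snowflake account hostnames, and password or token assignments) because broad "40 random characters" rules produce more noise than a responder can triage.

```python
"""
Scan exported Salesforce text fields for credentials and secrets.

Added example, not code from the original article or any vendor. Record
layout, field names and sample texts are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Narrow, high-confidence patterns; broaden only with a triage process behind them.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "snowflake_account": re.compile(r"\b[a-z0-9][a-z0-9_\-]*\.snowflakecomputing\.com\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "generic_token": re.compile(r"(?i)\b(?:token|api[_-]?key|secret)\s*[:=]\s*[A-Za-z0-9_\-.]{16,}"),
}


def redact(value):
    """Keep just enough of a match to recognise it; never echo the secret."""
    return f"{value[:4]}***({len(value)} chars)"


def scan_records(records):
    """Return one finding per (record, pattern) hit, with the match redacted."""
    findings = []
    for rec in records:
        text = rec.get("Text") or ""
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append({
                    "id": rec["Id"], "object": rec["Object"], "field": rec["Field"],
                    "kind": kind, "sample": redact(m.group(0)),
                })
    return findings


def rotation_plan(findings):
    """Group affected record IDs by secret type: the worklist for credential rotation."""
    plan = defaultdict(set)
    for f in findings:
        plan[f["kind"]].add(f["id"])
    return {kind: sorted(ids) for kind, ids in plan.items()}


# Constructed sample export (not real customer data). The AWS key ID is the
# placeholder from AWS documentation.
SAMPLE_RECORDS = [
    {"Id": "5001", "Object": "Case", "Field": "Description",
     "Text": "Customer cannot reach S3. Temp creds: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5002", "Object": "Case", "Field": "CommentBody",
     "Text": "Snowflake warehouse is at acme-prod.snowflakecomputing.com, password=Wint3r2025! for svc_etl"},
    {"Id": "5003", "Object": "Contact", "Field": "Description",
     "Text": "Prefers email. No credentials here."},
    {"Id": "5004", "Object": "Case", "Field": "CommentBody",
     "Text": "vpn token=abcdef0123456789ABCDEF attached; also key:\n-----BEGIN RSA PRIVATE KEY-----\nMIIE..."},
]

if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['object']} {h['id']} [{h['field']}] {h['kind']}: {h['sample']}")
    print("rotation plan:", rotation_plan(hits))
```

A hit on an AWS access key ID is enough to rotate the whole key pair, so there is no need for a noisy secret-key pattern beside it; the same logic applies to a Snowflake hostname sitting next to a password. Run the scan over the full export of every object the attackers touched, not only the records known to contain support traffic, since credentials turn up in Opportunity notes and Account descriptions as well.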
The fact that attackers were able to reach data belonging to multiple Fortune 500 companies through a single integration highlights the high stakes of SaaS supply-chain security. As more organizations embrace cloud-first strategies, security teams must prioritize visibility, access control, and vendor management to defend against campaigns like the one attributed to UNC6395.
Incidents like this highlight just how quickly a single compromised vendor or integration can cascade across industries, putting sensitive customer data and business operations at risk. As organizations adopt more cloud-based tools and SaaS platforms, the attack surface becomes increasingly complex, demanding not just reactive measures but a proactive, risk-driven approach to security. At CyberXperts, we're committed to helping businesses build resilience against actors like UNC6395 by strengthening visibility, reducing supply-chain exposure, and ensuring that security keeps pace with innovation.