Palo Alto Networks and Zscaler are among the organizations that have been hit by a widespread authentication token theft campaign that targeted Salesforce instances via the Salesloft Drift third-party AI chat agent platform.
Salesloft reported the incident on Aug. 20 and said it “proactively revoked connections between Drift and Salesforce” and asked Drift admins to re-authenticate Salesforce connections.
In a subsequent update, Salesloft said that between August 8 and August 18, “a threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances.”
The threat actor – identified by Google as UNC6395 – focused on stealing credentials, targeting “sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.”
The incident was limited to customers using the Drift-Salesforce integration and appears to have been stopped, the company said. Salesloft has recommended that Drift customers who manage their own Drift connections to third-party applications via API key revoke the existing key and reconnect using a new API key. OAuth applications are being addressed directly by Salesloft.
The Salesloft incident coincides with the release of new Cyble data that found that software supply chain attacks have doubled in recent months.
Palo Alto Networks, Zscaler Among Salesloft Victims
According to Google threat intelligence, which along with Coalition was engaged to help address the incident, UNC6395 used compromised OAuth tokens associated with Salesloft Drift and “systematically exported large volumes of data from numerous corporate Salesforce instances.”
The group then searched through the data “to look for secrets that could be potentially used to compromise victim environments,” such as AWS access keys, passwords, and Snowflake-related access tokens.
Google said the incident also affected “a very small number of Google Workspace accounts” that were specifically configured to integrate with Salesloft Drift, as the threat actors also compromised OAuth tokens for the Drift Email integration.
The incident did not stem from a vulnerability within the core Salesforce platform, both Google and Salesloft noted. Salesforce removed the Drift application from the Salesforce AppExchange pending further investigation, and Google disabled the integration between Google Workspace and Salesloft Drift pending further investigation.
In an announcement today, Palo Alto Networks said it was one of “hundreds of organizations” affected by the supply chain attack.
“Our investigation confirms the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and they remain secure and fully operational,” Palo Alto said. “The data involved includes mostly business contact information, internal sales account and basic case data related to our customers. We take this incident seriously and are reaching out to a limited number of customers that have potentially more sensitive data exposed.”
Zscaler announced on Aug. 30 that it had been affected by the attack, noting that the credentials “allowed limited access to some Zscaler Salesforce information,” such as contact and licensing information.
“After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information,” the company said.
Salesloft Incident Comes Amid Rising Supply Chain Attacks
Cyble reported this week that supply chain attacks have doubled since April 2025, averaging 26 attacks per month, twice their rate from early 2024 through March 2025. Mass exploitation of zero days and unpatched vulnerabilities have been one of the reasons behind the increase in supply chain attacks, Cyble said.
One ransomware group recently claimed that an attack had yielded data on 41,000 customers of a company, showing the potential reach of such attacks.
While such attacks overwhelmingly hit IT and IT services companies, Cyble documented 20 other industries that have been hit by supply chain attacks this year.
Cyble recommended a number of steps for organizations to protect themselves from supply chain attacks, including security audits, assessing third-party risk, and practices such as network microsegmentation and strong access controls that can limit the extent of attacks.
