Palo Alto Investigates Data Theft After Hackers Exploit Stolen OAuth Tokens - Palo Alto Networks (NASDAQ:PANW)
Threat actor UNC6395 exploited stolen OAuth tokens from Salesloft Drift to access Salesforce data across hundreds of organizations, exposing sensitive credentials and customer information.
- Between Aug. 8 and Aug. 18, Salesloft's Drift application suffered an intrusion affecting OAuth credentials, and Palo Alto Networks and Zscaler confirmed they were among hundreds impacted via Salesforce.
- Google Threat Intelligence traced the activity to UNC6395, which used compromised OAuth tokens tied to Salesloft Drift to harvest AWS access keys and Snowflake-related access tokens from Salesforce data on Tuesday.
- Cloudflare said its review found 104 Cloudflare API tokens and that exfiltrated data mainly included Salesforce case objects with support-ticket text and configuration details, not attachments.
- Companies disabled the Drift integration, revoked OAuth tokens, and notified exposed customers directly, while Cloudflare urged credential rotations, saying, "[We] strongly urge you to rotate any credentials that you may have shared with us through this channel."
- Cyble reported supply-chain attacks have doubled in recent months, and last week TransUnion disclosed a Salesforce-related incident exposing data of 4.4 million customers.
16 Articles
Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler
Multiple security and technology companies have been swept up in a far-reaching attack spree originating at Salesloft Drift, including Cloudflare, PagerDuty, Palo Alto Networks, SpyCloud and Zscaler. Victim organizations continue to come forward as customers of the third-party AI chat agent hunt for evidence of compromise or receive notices from Salesloft and other companies involved in response, recovery and ongoing attack investigations. Sal…
Palo Alto Investigates Data Theft After Hackers Exploit Stolen OAuth Tokens - Palo Alto Networks (NASDAQ:PANW)
Palo Alto Networks (NASDAQ:PANW) confirmed a data breach after attackers used stolen OAuth tokens from the Salesloft Drift compromise to access its Salesforce Inc (NYSE:CRM) system. PANW is trading near recent highs. The attackers exfiltrated business contact details, sales records and support case comments but did not compromise any products, services, or internal systems. The breach was part of a larger suppl…
Cloudflare Data Breach Impacts 104 Cloudflare API tokens
20th August 2025. A data breach has been reported at Cloudflare, which is part of a larger supply-chain attack involving the marketing software Salesloft Drift. Attackers accessed Cloudflare’s Salesforce instance, used for customer support, and stole 104 Cloudflare API tokens and text-based customer support data. The breach occurred between August 12 and August 17, and the stolen informatio…