Skip to main content
See every side of every news story
Get Started
SubscribeLogin
Published loading...Updated

Stolen OAuth Tokens Expose Palo Alto Customer Data

Attackers used voice phishing to link malicious OAuth apps to Salesforce, stealing tokens and exposing sensitive data from over 700 organizations, including major global companies, in August 2025.

  • On August 26, Salesloft said attackers used compromised OAuth credentials to exfiltrate Salesforce data from August 8 to August 18, 2025, exploiting the Salesloft Drift integration.
  • Security teams say the attackers relied on voice phishing and social engineering to trick employees who handled OAuth app links into installing malicious apps on Salesforce this year.
  • Analysts warn attackers sought customer contact data and support-case content, while specifically harvesting AWS access keys and Snowflake tokens for further misuse.
  • Salesloft revoked the tokens on August 20, but damage was underway; Salesforce and Google disabled Salesloft Drift integrations while over 700 customers audit and rotate credentials en masse.
  • Google Threat Intelligence Group identified UNC6395 and warned last week that the campaign extended beyond Salesforce-Drift, with experts urging stronger authentication like short-lived tokens or hardware-based security for AI-vendor integrations.
Insights by Ground AI
Does this summary seem wrong?

12 Articles

The RegisterThe Register
Center

Stolen OAuth tokens expose Palo Alto customer data

: Security firm's Salesforce instance accessed using credentials stolen from Salesloft's Drift platform breach

Read Full Article
Cybersecurity DiveCybersecurity Dive
Center

Palo Alto Networks, Zscaler customers impacted by supply chain attacks

A hacking campaign using credentials linked to Salesloft Drift has impacted a growing number of companies, including downstream customers of leading cybersecurity firms.

Read Full Article
BleepingComputerBleepingComputer
Center

Zscaler data breach exposes customer info after Salesloft Drift compromise

Cybersecurity company Zscaler warns it suffered a data breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of support cases.

Read Full Article
cybernoz.comcybernoz.com

Palo Alto Networks, Zscaler Customers Impacted By Supply Chain Attacks - Cybernoz - Cybersecurity News

Palo Alto Networks on Tuesday said it has been impacted by the Salesloft Drift supply chain incident that gave hackers access to downstream customer Salesforce data.  In a blog post released Tuesday, Palo Alto Networks said the breach was limited to its customer relationship management platform and that most of the information involves business contact information, internal sales account and basic case data.  “We quickly contained the incident a…

Read Full Article
IT PROIT PRO

The Salesloft Drift victim list keeps growing: Zscaler is the latest to confirm a breach, warning customers to remain wary of follow-up phishing attacks

Cloud security firm Zscaler is latest organization to disclose that it's been hit by a data breach linked to the recent Salesloft Drift attacks.

Read Full Article
Help Net SecurityHelp Net Security

Zscaler, Palo Alto Networks, SpyCloud among the affected by Salesloft breach - Help Net Security

Zscaler, Palo Alto Networks, PagerDuty, Tanium, and SpyCloud say their Salesforce instances were accessed following the Salesloft breach.

Read Full Article
Think freely.Subscribe and get full access to Ground NewsSubscriptions start at $9.99/yearSubscribe

Bias Distribution

  • 100% of the sources are Center
100% Center

Factuality 

To view factuality data please Upgrade to Premium

Ownership

To view ownership data please Upgrade to Vantage

Heise broke the news in Germany on Monday, September 1, 2025.
Sources are mostly out of (0)

Similar News Topics

Google icon

Google

Salesforce icon

Salesforce

Cyber Security icon

Cyber Security

Artificial Intelligence icon

Artificial Intelligence

News
For You
SearchBlindspotLocal