Palo Alto Networks, Zscaler Among Victims Of Salesforce Third-Party Breach

The cybersecurity vendors confirmed they were impacted in the attacks involving stolen authentication tokens for Salesloft Drift, a popular third-party Salesforce application.

Palo Alto Networks and Zscaler confirmed they’re among the victims of a campaign to steal Salesforce data by compromising Salesloft Drift, a popular third-party Salesforce application.

The cybersecurity vendors were impacted in the attacks involving stolen authentication tokens for Drift, a sales workflow automation application owned by Salesloft.

In an Aug. 30 advisory, Zscaler disclosed that “unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler” in connection with the campaign.

The breach was limited to “commonly available business contact details” such as names, email addresses, phone numbers and location details, according to Zscaler.

CRN has reached out to Zscaler for further comment.

Palo Alto Networks posted an advisory Tuesday confirming that it was also among the victims of the Salesloft Drift attacks.

“The data involved includes mostly business contact information, internal sales account and basic case data related to our customers,” the company said in the advisory.

In a statement provided to CRN, Palo Alto Networks noted that it was “one of hundreds of customers impacted by the widespread supply chain attack” targeting Salesloft Drift.

Palo Alto Networks added that it disconnected the application from its Salesforce environment after learning of the compromise.

Both Palo Alto Networks and Zscaler said that the attacks only impacted their Salesforce CRM instances and did not affect any of their products, services or other systems.

The campaign was first disclosed by the Google Threat Intelligence Group on Aug. 26. Google itself has been among the victims, the company said, with a threat actor found to have used stolen tokens to “access email from a very small number of Google Workspace accounts” on Aug. 9.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the Google Threat Intelligence Group said in its post. “We recommend organizations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”

The attacks — linked to a threat group tracked by Google threat researchers as UNC6395 — are believed to have taken place between Aug. 8 and Aug. 18, according to the post.

Earlier this year, an unrelated social engineering campaign targeting Salesforce customers impacted numerous companies including Google, Cisco, Workday, Farmers Insurance, Adidas, Allianz Life and Australian airline Qantas, as well as subsidiaries of luxury goods holding company LVMH including Louis Vuitton, Dior and Tiffany & Co.

That campaign had focused on using voice phishing, or vishing, as a tactic to directly compromise customers’ Salesforce instances, according to the Google Threat Intelligence Group.