Palo Alto Networks
September 2, 2025
Undisclosed
Confirmed
Third-Party Breach
Technology
"Palo Alto Networks hit by Drift-linked supply-chain attack, exposing Salesforce customer data and support cases via stolen OAuth tokens. Palo Alto Networks is another victim of the Salesloft Drift incident, which allowed attackers to access its Salesforce account, as per BleepingComputer. The company discloses a breach after attackers used stolen OAuth tokens from Salesloft Drift, the exposed information includes customer data and support cases. The company is among hundreds hit in the supply-chain attack, with leaked info potentially including IT details and passwords from support tickets. Unit42 researchers who are investigating the supply chain attack, pointed out that threat actors mass-exfiltrated Salesforce data (accounts, contacts, cases, opportunities), scanned for credentials, and hid traces. “Our observations indicate that the threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case and Opportunity records. Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access. We have observed that the threat actor deleted queries to hide evidence of the jobs they run, likely as an anti-forensics technique.” reads the report published by Palo Alto Networks."