Palo Alto Networks Key Breach Exposes Customer Information – What Really Happened?

In August 2025, Palo Alto Networks confirmed that it was impacted by a supply-chain data breach connected to the compromise of Salesloft’s Drift-Salesforce integration. Threat actors exploited stolen OAuth tokens from the third-party integration to access Palo Alto’s Salesforce CRM environment, exfiltrating customer and support case information.

According to the company, no core systems, products, or services were directly affected. The incident was limited to Salesforce data linked to the Drift integration, which Palo Alto has since disabled.

What Happened?

Between August 8 and August 18, 2025, attackers obtained OAuth and refresh tokens from Salesloft’s Drift integration used by Salesforce customers. Using these tokens, the threat actors gained unauthorized access to the Salesforce instance belonging to Palo Alto Networks.

Once inside the CRM, the attackers extracted data from key Salesforce objects, including Account, Contact, and Case, to collect customer records, business contact details, and support case information. While Palo Alto confirmed that no file attachments or technical support uploads were exfiltrated, the exposed data included textual notes and case details containing potentially sensitive business information.

In response, Palo Alto revoked all compromised tokens, disabled the Drift integration, and began notifying affected customers while continuing to coordinate with Salesforce and incident response partners.

What Was Compromised?

The data stolen during the breach primarily consisted of:

  • Customer Account Information – Names, contact details, and associated organization data stored in Salesforce.
  • Support Case Details – Textual descriptions, internal notes, and case metadata.
  • Sales Opportunity Information – Basic business and engagement data.

No technical attachments, credentials, or internal infrastructure were directly accessed.

How Did It Happen?

The breach was part of a larger OAuth token theft campaign traced to the Salesloft Drift integration. Attackers stole tokens that allowed them to authenticate directly with Salesforce environments without requiring user passwords or MFA.

Once authenticated, the threat actors ran SOQL queries to pull records from various Salesforce objects and extract data at scale. They then searched these datasets for sensitive strings such as AWS access keys, Snowflake tokens, and passwords to identify additional attack opportunities.

The attackers used Tor networks and cloud hosts like AWS and DigitalOcean to conceal their origin and deleted query jobs to reduce detection traces. However, Salesforce logs remained intact, enabling organizations to investigate the breach.

Possible Impacts

The Palo Alto Networks incident highlights how third-party integrations can introduce serious security risks to enterprise environments. Potential impacts include:

  • Customer Data Exposure – Leakage of support case content or contact data could reveal sensitive customer communications.
  • Supply Chain Risk – The breach underscores the downstream exposure created by interconnected SaaS platforms.
  • Reputation Damage – Even limited data exposure can erode customer trust in security-centric companies.
  • Compliance and Audit Risk – Possible regulatory scrutiny under data protection laws for exposed customer information.

Lessons Learned

This incident demonstrates the importance of securing non-human identities and machine-to-machine integrations within SaaS ecosystems. Key recommendations include:

  • Audit OAuth Integrations Regularly – Review all third-party app permissions and revoke unused tokens.
  • Implement Principle of Least Privilege – Limit app access to only necessary Salesforce objects.
  • Continuous Token Monitoring – Detect anomalous or mass data queries linked to OAuth apps.
  • Secret Scanning in CRM Fields – Identify and remove credentials or tokens stored in Salesforce records.
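The two detection-oriented recommendations above (watching for mass queries tied to an OAuth app, and scanning CRM free text for stored credentials) can be reduced to a small script, and the "Salesforce logs remained intact" point from the earlier section is what makes the first half possible. The following is an added example written for this article; it is not code from NHI Mgmt Group, Palo Alto Networks, or Salesforce. The log rows, case descriptions, client names, and the field names (`CLIENT_NAME`, `ENTITY_NAME`, `ROWS_PROCESSED`, `CLIENT_IP`, `USER_ID`) are constructed for the example and only loosely modelled on Salesforce Event Monitoring API event logs; treat them as assumptions rather than an official schema. It generalizes slightly beyond the text by flagging an app on either total rows read or the number of distinct core objects it touched.

```python
"""Defender-side checks for OAuth-connected Salesforce apps (added example).

Part 1 flags a connected app that reads core CRM objects at scale, the pattern
described in the breach. Part 2 finds credential-looking strings in case text
so they can be redacted before a token holder ever reads them.
Field names and all sample data below are constructed assumptions.
"""
import re
from collections import defaultdict

# --- Constructed sample API event rows (one dict per API call). ---
SAMPLE_EVENTS = [
    # A legitimate reporting app touching one object in a small batch.
    {"TIMESTAMP": "20250809T09:00:00Z", "CLIENT_NAME": "Internal-Reporting",
     "USER_ID": "005AAA000000001", "ENTITY_NAME": "Opportunity",
     "ROWS_PROCESSED": 400, "CLIENT_IP": "198.51.100.7"},
    # A third-party connector (hypothetical name) suddenly reading whole objects.
    {"TIMESTAMP": "20250810T01:02:03Z", "CLIENT_NAME": "Chat-Connector",
     "USER_ID": "005AAA000000002", "ENTITY_NAME": "Account",
     "ROWS_PROCESSED": 52000, "CLIENT_IP": "203.0.113.10"},
    {"TIMESTAMP": "20250810T01:04:11Z", "CLIENT_NAME": "Chat-Connector",
     "USER_ID": "005AAA000000002", "ENTITY_NAME": "Contact",
     "ROWS_PROCESSED": 61000, "CLIENT_IP": "203.0.113.10"},
    {"TIMESTAMP": "20250810T01:07:45Z", "CLIENT_NAME": "Chat-Connector",
     "USER_ID": "005AAA000000002", "ENTITY_NAME": "Case",
     "ROWS_PROCESSED": 30000, "CLIENT_IP": "203.0.113.44"},
]

# Objects whose wholesale export is the breach pattern described in the article.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}


def flag_mass_queries(events, row_threshold=10000, object_threshold=2):
    """Aggregate API events per connected app and return
    {client_name: {"rows": n, "objects": [...], "ips": [...]}} for every app
    that read more than row_threshold rows in total OR touched more than
    object_threshold distinct sensitive objects. Thresholds are tunable."""
    rows = defaultdict(int)
    objects = defaultdict(set)
    ips = defaultdict(set)
    for ev in events:
        app = ev["CLIENT_NAME"]
        rows[app] += int(ev["ROWS_PROCESSED"])
        if ev["ENTITY_NAME"] in SENSITIVE_OBJECTS:
            objects[app].add(ev["ENTITY_NAME"])
        ips[app].add(ev["CLIENT_IP"])
    flagged = {}
    for app in rows:
        if rows[app] > row_threshold or len(objects[app]) > object_threshold:
            flagged[app] = {"rows": rows[app],
                            "objects": sorted(objects[app]),
                            "ips": sorted(ips[app])}
    return flagged


# Credential shapes that should never sit in a CRM text field. The AWS access
# key ID has a fixed, well-known prefix and length; the other two are generic
# "name = value" assignments that over-match a little but catch pasted secrets.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(r"(?i)\bpassword\s*[:=]\s*\S+")),
    ("token_assignment", re.compile(r"(?i)\b(?:api[_-]?key|token)\s*[:=]\s*\S+")),
]


def find_secrets(text):
    """Return [(label, matched_text), ...] for every credential-looking string."""
    return [(label, m.group(0))
            for label, pat in SECRET_PATTERNS for m in pat.finditer(text)]


def scan_cases(cases):
    """cases: {case_id: description}. Returns only the cases with findings,
    mapped to their hits, so a triage team can redact those records."""
    findings = {}
    for case_id, description in cases.items():
        hits = find_secrets(description)
        if hits:
            findings[case_id] = hits
    return findings


# Constructed case notes; the AWS key is the public documentation sample key.
SAMPLE_CASES = {
    "00001001": "Firewall log export fails nightly; see attached config.",
    "00001002": "Customer pasted AKIAIOSFODNN7EXAMPLE (AWS docs sample key) "
                "and password=Summer2025! so we could reproduce the S3 sync.",
}

if __name__ == "__main__":
    for app, info in flag_mass_queries(SAMPLE_EVENTS).items():
        print(f"ALERT mass read by {app}: {info}")
    for case_id, hits in scan_cases(SAMPLE_CASES).items():
        print(f"REDACT case {case_id}: {hits}")
```

In practice the first function would run over exported event logs on a schedule and alert per app rather than per user, because a stolen OAuth token shows up as the connected app's normal integration user; the row and object thresholds should be set from a baseline of what each app legitimately reads. The second function is deliberately simple: broad patterns with a human review step beat precise patterns that miss the one pasted key.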

How NHI Mgmt Group Can Help

Incidents like the Palo Alto Networks breach underscore a critical truth: Non-Human Identities (NHIs) are now at the center of modern cyber risk. OAuth tokens, service accounts, and AI-driven integrations act as trusted entities inside your environment, yet they’re often the weakest link when it comes to visibility and control.

At NHI Mgmt Group, we specialize in helping organizations understand, secure, and govern their non-human identities across cloud, SaaS, and hybrid environments. Our advisory services are grounded in a risk-based methodology that drives measurable improvements in security, operational alignment, and long-term program sustainability.

We also offer the NHI Foundation Level Training Course, the world’s first structured course dedicated to Non-Human Identity Security. This course gives you the knowledge to detect, prevent, and mitigate NHI risks like the one seen in this Salesforce-related breach.

If your organization uses third-party integrations, AI agents, or machine credentials, this training isn’t optional; it’s essential.

Learn more and enroll in the NHI Foundation Level Training Course to build your skills to stay ahead of emerging NHI threats.

Conclusion

The Palo Alto Networks data breach illustrates a growing trend: attackers targeting the trust layer between SaaS integrations rather than breaching core infrastructure directly. As organizations rely more on AI-driven and automated connectors, managing OAuth tokens, API permissions, and app trust boundaries becomes essential.

The lesson is clear: security must extend beyond corporate systems to every connected identity, integration, and AI agent within the enterprise ecosystem.