Palo Alto Networks suffered a data breach after attackers used OAuth tokens compromised in the Salesloft Drift breach to access its Salesforce data, affecting sensitive customer information. The incident is part of a larger supply-chain attack impacting various companies, in which threat actors mainly targeted support case data and exfiltrated credentials for further malicious activity. #Salesloft #OAuthTokens
Key points
- The breach was caused by abuse of compromised OAuth tokens from the Salesloft Drift attack.
- Palo Alto Networks confirmed that only its Salesforce CRM was affected, not its products or systems.
- Threat actors exfiltrated support case data containing contact info and internal business records.
- The attackers searched for secrets such as AWS keys, Snowflake tokens, and VPN and SSO credentials to facilitate further breaches.
- Palo Alto Networks recommends immediate actions such as log review, credential rotation, and security scans for affected organizations.
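To prioritize the credential rotation recommended above, an affected organization can scan its own exported support case text for the kinds of secrets the attackers searched for. The following is an added example, not code from Palo Alto Networks or the original article; the record layout, regex heuristics and sample cases are assumptions made for illustration.

```python
import re

# Heuristic patterns: assumptions of this example, tune them for your own data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "labelled_secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}
# Service names taken from the article, used to tag which credential to rotate.
SERVICES = ("aws", "snowflake", "vpn", "sso")


def redact(value):
    """Keep only a short prefix so the report never copies the secret itself."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases):
    """Return one finding per secret-like string found in support case text."""
    findings = []
    for case in cases:
        text = f"{case['subject']}\n{case['description']}"
        lowered = text.lower()
        services = [s for s in SERVICES
                    if re.search(rf"(?<![a-z]){s}(?![a-z])", lowered)]
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({"case_id": case["id"], "kind": kind,
                                 "redacted": redact(match.group(1)),
                                 "services_mentioned": services})
    return findings


# Constructed sample records; the AWS values are the AWS documentation examples.
SAMPLE_CASES = [
    {"id": "CASE-0001", "subject": "S3 upload fails",
     "description": "Using AKIAIOSFODNN7EXAMPLE with "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0002", "subject": "Snowflake connector timeout",
     "description": "Our service account token: sf-constructed-token-123 stops working."},
    {"id": "CASE-0003", "subject": "License question",
     "description": "How many seats are included in our plan?"},
]

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

Each finding identifies a case whose embedded credential should be treated as exposed and rotated; the keyword pattern is deliberately broad, so expect false positives that need manual review.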