An important supply chain incident has rocked the security industry by showing us that some of the biggest security enterprises are also threatened by the risk of third-party SaaS product integrations.<\/p>\n\n\n\n
The incident,<\/em><\/strong> involving Salesloft Drift, a marketing automation solution integrated with Salesforce, resulted in the threat actor getting OAuth tokens.<\/p>\n\n\n\n These tokens allowed them to exfiltrate massive volumes of sensitive data about customers, including account records, case information, and contact data.<\/p>\n\n\n\n Some recent victims of the incident were considerable companies<\/strong>; Zscaler and Palo Alto Networks, which are two of the world’s leading cybersecurity organizations that enterprises rely on to protect their systems around the world.<\/p>\n\n\n\n When considered as a supply chain incident, this episode highlights the growing risks of the interconnectedness of SaaS applications and services, where if one application is compromised, it could affect many hundreds of organizations.<\/p>\n\n\n\n Between August 8 – 18, 2025<\/strong>, threat actor UNC6395 exploited the Salesloft Drift Salesforce integration. By stealing OAuth and refresh tokens associated with compromised accounts, the threat actor had persistent access to the victim’s Salesforce environment at the API level.<\/p>\n\n\n\n They were able to exfiltrate a large volume of sensitive data, including account records, cases, and contacts, using the stolen tokens.<\/p>\n\n\n\n Google Threat Intelligence Group (GTIG) and Mandiant confirmed<\/em><\/strong> the scale of the campaign and told all Drift users that they should treat any tokens issued from Drift as vulnerable.<\/p>\n\n\n\n Part of the severity of the risk assessment was based upon Salesforce’s decision to temporarily disable all Salesloft integrations until the investigation could continue without jeopardizing further customer exploits.<\/p>\n\n\n\n Palo Alto Networks confirmed that the breach was isolated to its CRM platform. Exposed data included:<\/strong><\/p>\n\n\n\n The organization highlighted that its products, services, or systems were not compromised. Palo Alto’s threat intelligence team, Unit 42, provided further detail, finding that attackers had scanned the stolen data for credentials and had used anti-forensics techniques to try to cover their traces (e.g., deleting queries).<\/p>\n\n\n\n Palo Alto is directly notifying customers that this incident may have affected them and, importantly, noting that the risk may be greater for customers who had stored sensitive credentials in Salesforce case notes.<\/p>\n\n\n\n Zscaler disclosed on August 30 that it, too, was impacted by the Drift compromise. Attackers were able to access Salesforce data that included:<\/strong><\/p>\n\n\n\n CISO Sam Curry stated that <\/em><\/strong>Zscaler’s products and infrastructure were not compromised, but that many customers were impacted. Zscaler characterized its disclosure as a matter of transparency and encouraged customers to stay alert for any potential misuse.<\/p>\n\n\n\n While not included in every report, Cloudflare also confirmed exposure<\/em><\/strong> and came off with a vastly different and notably transparent response. Rather than Palo Alto and Zscaler emphasizing isolation from core systems, Cloudflare took accountability for using third-party tools.<\/p>\n\n\n\n The company admitted openly that<\/em><\/strong> it could be at risk for customer logs, tokens, and even passwords shared through Salesforce support tickets. Experts commended this transparency and noted that <\/em><\/strong>this was the model of accountability in response to a breach.<\/p>\n\n\n\n Recommended:<\/strong> GitHub Supply Chain Attack: CVE-2025-30066 and CVE-2025-30154 Expose Secrets Across 218 Repositories<\/a><\/p>\n\n\n\n Industry experts provided broader implications:<\/strong><\/p>\n\n\n\n Although the vendors demonstrated a limited scope of customers they support, the risks to end customers are far more severe:<\/p>\n\n\n\n As Forrester\u2019s Harrington said<\/strong>, the hard work is just beginning: customers will need to sift through their records to understand what they have been exposed to, and then prepare for follow-on attacks.<\/p>\n\n\n\n Security teams should act now to mitigate consequences:<\/p>\n\n\n\n This incident reveals a disturbing truth: cybersecurity firms are at risk when their SaaS ecosystems are breached. It demonstrates:<\/strong><\/p>\n\n\n\n Breaches like the Salesloft Drift breach demonstrate exactly why enterprises need to bolster their supply chain security. A few simple steps can make a difference:<\/strong><\/p>\n\n\n\n To strengthen software integrity across the supply chain, enterprises can also implement DigiCert Software Trust Manager<\/a>, which provides visibility and control to protect code signing keys, identities, and policies in a centralized platform.<\/p>\n\n\n\n This is to ensure only trusted software is signed and distributed, which addresses one of the most common attack points in supply chain compromises.<\/p>\n","protected":false},"excerpt":{"rendered":"<\/a>The Attack: What happened<\/h2>\n\n\n\n
<\/a>Impact on Palo Alto Networks<\/h2>\n\n\n\n
\n
<\/a>Impact on Zscaler<\/h2>\n\n\n\n
\n
<\/a>Cloudflare’s Contrasting Response<\/h2>\n\n\n\n
<\/a>Expert Reactions<\/h2>\n\n\n\n
\n
<\/a>Risks to Customers<\/h2>\n\n\n\n
\n
<\/a>Defensive Measures<\/h2>\n\n\n\n
\n
<\/a>Broader Implications for SaaS Security<\/h2>\n\n\n\n
\n
How to Protect Against Supply Chain Attacks?<\/h2>\n\n\n\n
\n