Last month, hackers targeted Salesloft Drift, an AI chatbot service used for sales and customer engagement. The hackers were able to get into customer systems by using stolen OAuth tokens, which act as authentication keys, granting them access to connected Salesforce instances without needing a password.
Salesloft detected the issue by August 20, leading to a scramble to disable the compromised tokens. Drift is used by thousands of companies for sales and customer service, so as you can imagine, the fallout affected major players like Zscaler and now Palo Alto Networks.
Bleeping Computer says it heard of the breach from concerned Palo Alto Networks customers over the weekend who feared sensitive information from support cases had been exposed. The company claimed that its Salesforce CRM was the only thing hit, and that it "contained the incident" quickly:
Palo Alto Networks confirms that it was one of hundreds of customers impacted by the widespread supply chain attack targeting the Salesloft Drift application that exposed Salesforce data.
We quickly contained the incident and disabled the application from our Salesforce environment. Our Unit 42 investigation confirms that this situation did not affect any Palo Alto Networks products, systems, or services.
The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data. We are in the process of directly notifying any impacted customers.
The attackers, in classic hacker fashion, combed the stolen data for credentials: VPN and SSO login strings, Snowflake tokens, and AWS access keys, along with plain keyword hits on "password" and "secret".
To cover their tracks, the attackers routed their activity through the Tor network and deleted logs of what they had done. Palo Alto Networks assures customers that the compromised tokens have been revoked and the affected credentials rotated.
The company recommends, with what it calls "immediate urgency," that Drift customers check their own systems.
The suggested actions are to investigate Salesforce and network logs for any sign of compromise, revoke and rotate all authentication keys, and scan code repositories for embedded secrets.
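The last of those steps, and the credential hunt described above, come down to the same search: the strings the attackers looked for are the strings a defender should look for first. The following is an added example, not code from Palo Alto Networks, Salesloft or Bleeping Computer: a small scanner that runs the same kind of search (AWS access key IDs, Snowflake token mentions, VPN/SSO login strings, "password"/"secret" keywords) over a support-case export or a checked-out repository. The rule names, the regexes other than the documented AKIA/ASIA key-ID prefixes, and the sample case text are all assumptions made for this example; the sample values are constructed (the AWS pair is AWS's own published placeholder) and are not real credentials.

```python
"""Keyword/pattern secret scanner (added example, not vendor code).

Runs the same search the attackers ran, but over your own data before they
do: AWS access key IDs, Snowflake token mentions, VPN/SSO login strings and
generic "password"/"secret" assignments.  Everything except the documented
AWS key-ID prefixes (AKIA long-term, ASIA temporary) is a heuristic tuned
for recall: this is a triage tool, so a false positive costs a minute and a
false negative costs a credential.
"""
from __future__ import annotations

import os
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    sample: str  # redacted match, so findings can be pasted into a ticket


# (rule name, pattern).  Names and non-AWS patterns are this example's own.
RULES = [
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}")),
    ("snowflake_token",
     re.compile(r"(?i)snowflake[^\n]{0,40}?\btoken\b\s*[=:]\s*\S+")),
    ("vpn_sso_login",
     re.compile(r"(?i)\b(?:vpn|sso)\b[^\n]{0,60}?\b(?:login|user(?:name)?|password)\b\s*[=:]\s*\S+")),
    ("generic_secret",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)\b\s*[=:]\s*['\"]?\S{4,}")),
]


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the hit can be located, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text: str) -> list[Finding]:
    """Apply every rule to every line; one Finding per (line, rule, match)."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, rule, redact(match.group(0))))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summary by rule, the number you report to the incident channel."""
    return dict(Counter(f.rule for f in findings))


def scan_tree(root: str) -> list[tuple[str, Finding]]:
    """Walk a checkout and scan every decodable text file, skipping .git."""
    hits: list[tuple[str, Finding]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binaries and unreadable files are not our problem here
            hits.extend((path, f) for f in scan_text(text))
    return hits


# Constructed sample: what a support case that should never have contained
# credentials looks like.  The AWS pair is AWS's published placeholder.
SAMPLE_CASE_TEXT = """\
Case 00123456: customer cannot reach the portal after the upgrade.
Attached config for review:
  aws_access_key_id = AKIAIOSFODNN7EXAMPLE
  aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  snowflake account: acme-xy12345, token=tok_EXAMPLE_VALUE_0001
Support engineer note: VPN login = svc-backup, password = Winter2025!
No sso config attached; ticket closed.
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CASE_TEXT):
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.sample}")
    print(rule_counts(scan_text(SAMPLE_CASE_TEXT)))
```

Run it over an export of your own case data as well as your repositories: the article's point is that the attackers found these strings in Salesforce records, not in source code, so a repo-only scan answers the wrong question. Every hit is a credential to rotate, whether or not you can prove it was read.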
You can check out this brief from Palo Alto Networks to learn more.