Palo Alto Networks also targeted during Salesforce data heist


Palo Alto Networks (PAN), the largest cybersecurity company by market capitalization, will be disclosing a data breach that exposed customer data and support cases, BleepingComputer reports.

PAN confirmed that it was one of hundreds of companies impacted by widespread supply chain cyberattacks targeting Salesforce instances via compromised access tokens from Salesloft Drift, an AI-powered marketing platform.

BleepingComputer was the first to report that hackers may have obtained sensitive information, such as IT information and passwords shared in support tickets.

PAN claimed that the incident was quickly contained, that the Drift app was disabled from its environment, and that the situation did not affect PAN’s products, systems, or services. The company said it would notify any impacted customers.

According to PAN’s letter to customers, the affected data includes primarily customer business contact information, such as names and contact info, company attributes, and basic customer support case information.

“It is important to note that no tech support files or attachments to any customer support cases were part of the exfiltration,” the letter reads.

ShinyHunters and other hacking groups that believe they’re “invincible” are claiming responsibility for the attack that impacted Google, Victoria's Secret, Zscaler, TransUnion, Farmers Insurance, Air France, KLM, major telecoms, and many other companies.

PAN hasn’t yet released any official statement or information to investors, which is a requirement when cybersecurity incidents are material. Cybernews has reached out to PAN for a comment and will include its response.

However, on Tuesday, PAN’s cyber threat intelligence team, Unit 42, released an urgent cybersecurity advisory warning that the threat actor had mass-exfiltrated sensitive data from various Salesforce objects, including Account, Contact, Case, and Opportunity records.

“Organizations that utilize the Salesloft Drift integration with Salesforce should treat this incident with immediate urgency,” PAN writes.

The network defenders urge companies to immediately investigate their Drift API integrations, review all authentication activity, Salesforce login logs, and other data for suspicious activity, and rotate all potentially exposed credentials.

“This includes, but is not limited to, Salesforce API keys, connected app credentials, and any other system credentials found within the compromised data,” PAN said.

“Organizations should be wary of social engineering attempts resulting from this or any other data exfiltration event.”

The massive hacking spree began on August 8th and continued until at least August 18th, 2025, targeting dozens of companies that used Salesforce and Drift integrations.

Hackers scanned instances for Google Cloud Platform service account keys, Amazon Web Services (AWS) access keys, passwords, Snowflake-related access tokens, and any other credentials.

Google warned that organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and should review and rotate any authentication tokens and credentials stored in their Salesforce instances.
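One way to act on the rotation advice above, as an added example (not code from Cybernews, PAN, or Google): scan exported Salesforce Case text for the credential types the attackers searched for and build a per-type rotation worklist. The sample records, the choice of the `Subject` and `Description` fields, and the password and Snowflake patterns are constructed assumptions; matches are redacted so the report does not re-expose the secrets.

```python
import re
from collections import defaultdict

# Credential types named in the article. The AWS key-ID prefix and GCP key JSON
# marker are well-known formats; the password and Snowflake patterns are
# heuristics (the Snowflake one flags account URLs for review, not tokens).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "snowflake_reference": re.compile(r"\b[\w-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})", re.I),
}
TEXT_FIELDS = ("Subject", "Description")  # free-text Case fields to inspect

def redact(value, keep=4):
    """Keep a short prefix for triage and mask the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """Return one finding per pattern match in each record's text fields."""
    findings = []
    for rec in records:
        for field in TEXT_FIELDS:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(m.lastindex or 0)  # captured value if any
                    findings.append({"case": rec["Id"], "field": field,
                                     "kind": kind, "evidence": redact(secret)})
    return findings

def rotation_worklist(findings):
    """Group affected case IDs by credential type to drive rotation."""
    work = defaultdict(set)
    for f in findings:
        work[f["kind"]].add(f["case"])
    return {kind: sorted(cases) for kind, cases in work.items()}

# Constructed sample export; the AWS value is AWS's documented example key ID.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Subject": "Cannot log in", "Description": "Console rejects us. user=svc-fw password: Sup3rS3cret! please check"},
    {"Id": "CASE-0002", "Subject": "Log export failing", "Description": "We use key AKIAIOSFODNN7EXAMPLE and load into acme-xy12345.snowflakecomputing.com"},
    {"Id": "CASE-0003", "Subject": "GCP connector", "Description": '{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\n..."}'},
    {"Id": "CASE-0004", "Subject": "License question", "Description": "How many seats do we have?"},
]

if __name__ == "__main__":
    for kind, cases in rotation_worklist(scan_records(SAMPLE_CASES)).items():
        print(f"{kind}: rotate credentials referenced in {cases}")
```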

Salesforce said it has disabled all integrations between Salesforce and Salesloft technologies, including the Drift app, until further notice, as the team continues its investigation.
