Palo Alto Networks, Zscaler and PagerDuty Hit in Salesforce Linked Data Breaches
Hackers exploited the Salesloft Drift app to steal OAuth tokens and access Salesforce data, exposing customer details at major tech firms.
In a large-scale cyberattack, a hacking group has stolen sensitive customer information from numerous companies, including prominent cybersecurity and technology firms like Palo Alto Networks, Zscaler and PagerDuty.
The attack did not directly target these companies’ main systems but instead exploited a vulnerability in a widely used third-party sales and marketing application called Salesloft Drift.
**The Supply Chain Breach**
The cyberattack, carried out by a group tracked as UNC6395, was a classic “supply chain” breach. It targeted Salesloft Drift, which is a “marketing software-as-a-service” used by companies for automating sales workflows. The attackers stole digital keys, known as OAuth tokens, that allow the app to connect to other services. Using these stolen keys, the hackers gained unauthorised access to the Salesforce accounts of hundreds of companies.
PagerDuty’s public report provides a timeline of the event, stating the company was first notified of the issue on August 20, 2025. Three days later, on August 23rd, they learned that the attackers had potentially accessed their Salesforce data. The exposed information from both PagerDuty and Zscaler included business contact details such as names, email addresses, job titles, and phone numbers.
**Zscaler’s Response**
In its official blog, Zscaler confirmed that the breach was “confined to Salesforce” and did not affect any of its core products, services, or infrastructure. The company also detailed the strong measures it took to respond, including launching a “third-party risk management investigation” and strengthening “customer authentication protocol” for support calls. Zscaler told customers that although “no evidence of misuse has been found, we recommend that customers maintain heightened vigilance” for potential phishing attempts.
PagerDuty echoed these points in its own statement, confirming that it has “not seen any indication that access to the PagerDuty platform or any other internal systems or resources beyond Salesforce may have occurred.” To reassure customers, PagerDuty also added that it “will never contact anyone by phone to request a password or any other secure details.”
**Palo Alto Networks’ Response**
Palo Alto Networks confirmed that one of its Salesforce instances was compromised through a third-party integration with Salesloft and Drift. The company immediately disabled the integration, worked with Salesforce and Salesloft to investigate, and revoked the affected OAuth tokens.
According to its statement, the incident was limited to business contact details, sales account records, and case metadata, with no impact on its security products or customer networks. Palo Alto Networks also notified customers whose information may have been exposed and said it is reviewing internal safeguards to prevent similar issues in the future.
Notification sent by Palo Alto Networks to impacted customers (Image via LinkedIn)
This attack appears to be part of a wider wave of breaches targeting Salesforce databases. Credit reporting agency TransUnion recently disclosed that a cyberattack on a third-party application, possibly related to Salesforce, exposed the personal information of 4.4 million US consumers, including Social Security numbers.
These incidents show the risk of relying on third-party applications. Security firms, including Google’s Threat Intelligence Group, continue to investigate the full extent of this widespread and highly organised data theft.