Palo Alto Networks Breach: Lessons from the Salesloft Drift Supply-Chain Attack
Discover how the Palo Alto Networks breach, linked to the Salesloft Drift supply-chain attack, exposed the risks of OAuth token misuse. This blog unpacks the attack process, what went wrong, industry breach statistics, and practical steps organizations can take to strengthen SaaS and supply-chain security.
September 4, 2025

In August 2025, Palo Alto Networks confirmed a data breach linked to the Salesloft Drift compromise, part of a supply-chain campaign attributed to the threat cluster tracked as UNC6395. Attackers exploited stolen OAuth tokens to infiltrate Salesforce environments and exfiltrate sensitive records, including accounts, contacts, cases, and opportunities.
Other high-profile organizations, including Google and Zscaler, also reported exposure, underscoring the widespread risks tied to third-party SaaS integrations.
What Is OAuth and Why Does It Matter?
OAuth (Open Authorization) is an open standard that allows applications to access resources on behalf of a user without sharing passwords.
Example: When a company connects Salesforce to a third-party tool like Salesloft or Drift, OAuth tokens are issued.
These tokens act like digital keys; they grant limited access (such as reading Salesforce objects) without exposing credentials.
While OAuth enables seamless workflows, it also expands the attack surface. If attackers steal a token, they can impersonate the legitimate application and gain privileged access, just as seen in this breach.
What Was the Exploit Process?
- Token Theft: Attackers stole OAuth tokens tied to the Drift-Salesforce integration.
- Data Access: Using these tokens, they exported Salesforce records containing sensitive business information.
- Credential Mining: The stolen data was searched for AWS keys, Snowflake tokens, and other secrets to expand access.
- Forensic Evasion: Logs of malicious queries were deleted to cover tracks.
- Wider Impact: Beyond Salesforce, Google confirmed exposure of Google Workspace data via OAuth misuse.
What Was Lacking That Led to the Exploit?
- Long-lived OAuth tokens with excessive privileges.
- Weak lifecycle management (infrequent rotation/revocation).
- Insufficient API anomaly detection to catch large-scale data exports.
- Lack of integration segmentation, which allowed lateral exploration.
Industry Statistics
- According to IBM’s 2025 Cost of a Data Breach Report, the average global breach cost has risen to $4.67 million.
- Verizon DBIR 2025 notes that 62% of breaches involve third-party or supply-chain components, making them one of the fastest-growing threat vectors.
- Supply-chain attacks surged by 235% between 2020 and 2024 (ENISA Threat Landscape Report), driven by SaaS and API integrations.
How Organizations Can Prevent Such Attacks
- Manage OAuth Tokens Rigorously
  - Rotate/revoke tokens regularly.
  - Require re-authentication for high-privilege apps.
- Limit Privileges
  - Apply least privilege to integrations.
  - Use segmentation to isolate third-party apps.
- Monitor & Detect Abnormal Behavior
  - Flag unusual API queries or large exports.
  - Track token usage patterns continuously.
- Incident Response Preparedness
  - Automate token revocation.
  - Preserve logs and rotate credentials promptly.
- Vendor & SaaS Risk Audits
  - Review third-party connections quarterly.
  - Remove unused or risky integrations.
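The "limit privileges" and "monitor and detect" controls above can be turned into a concrete check. The following is an added example (not Tachyon Security tooling and not a Salesforce API) that runs over constructed, Salesforce-style API access records: it flags a connected app reading objects outside its assumed allowlist, and it flags an app whose rows returned within a rolling one-hour window exceed a volume threshold, which is the pattern a bulk export of accounts, cases and opportunities would produce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Salesforce-style API access records (sample data, not real logs).
# Each record: the connected app / OAuth token that queried, the object read,
# the number of rows returned, and the timestamp.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T01:00:00", "app": "DriftIntegration", "obj": "Contact", "rows": 150},
    {"ts": "2025-08-09T01:05:00", "app": "DriftIntegration", "obj": "Contact", "rows": 200},
    {"ts": "2025-08-09T02:10:00", "app": "DriftIntegration", "obj": "Account", "rows": 50000},
    {"ts": "2025-08-09T02:12:00", "app": "DriftIntegration", "obj": "Case", "rows": 48000},
    {"ts": "2025-08-09T02:15:00", "app": "DriftIntegration", "obj": "Opportunity", "rows": 30000},
    {"ts": "2025-08-09T02:20:00", "app": "MarketingSync", "obj": "Lead", "rows": 300},
]

# Least-privilege allowlist (assumed): the objects each integration legitimately needs.
ALLOWED_OBJECTS = {
    "DriftIntegration": {"Contact", "Lead"},
    "MarketingSync": {"Lead", "Campaign"},
}


def detect_anomalies(events, allowed=ALLOWED_OBJECTS, row_threshold=10000,
                     window=timedelta(hours=1)):
    """Return alerts for (a) an app reading an object outside its allowlist and
    (b) an app returning more than row_threshold rows inside a rolling window.
    A bulk_export alert fires once per excursion above the threshold, not per query."""
    alerts = []
    recent = defaultdict(list)   # app -> [(timestamp, rows)] still inside the window
    flagged = set()              # apps currently above the volume threshold
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, app = datetime.fromisoformat(ev["ts"]), ev["app"]
        if ev["obj"] not in allowed.get(app, set()):
            alerts.append({"type": "scope_violation", "app": app,
                           "obj": ev["obj"], "ts": ev["ts"]})
        # Slide the window: keep only queries newer than (now - window), then add this one.
        recent[app] = [(t, r) for t, r in recent[app] if ts - t <= window]
        recent[app].append((ts, ev["rows"]))
        total = sum(r for _, r in recent[app])
        if total > row_threshold:
            if app not in flagged:
                flagged.add(app)
                alerts.append({"type": "bulk_export", "app": app,
                               "rows_in_window": total, "ts": ev["ts"]})
        else:
            flagged.discard(app)
    return alerts
```

On the sample data the two small Contact reads pass silently, while the three large reads of Account, Case and Opportunity produce three scope violations and one bulk-export alert for the Drift app; in production the alert would feed the automated token revocation listed under incident response.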
Where Tachyon Security Comes In
At Tachyon Security, we help organizations:
- Identify risky SaaS integrations,
- Monitor OAuth usage, and
- Respond rapidly to suspicious activity.
Our goal is simple: reduce your exposure to supply-chain and SaaS integration risks.
Conclusion
The Palo Alto Networks breach highlights the evolving cyber battleground where attackers increasingly exploit trusted integrations and tokenized access rather than traditional credential theft. While no defense is absolute, organizations that enforce strict OAuth management, continuous monitoring, and proactive vendor risk controls are far better positioned to withstand such attacks.