Article Details

Scrape Timestamp (UTC): 2025-09-02 15:04:34.268

Source: https://www.theregister.com/2025/09/02/stolen_oauth_tokens_expose_palo/

Original Article Text


Stolen OAuth tokens expose Palo Alto customer data

Security firm's Salesforce instance accessed using credentials stolen from Salesloft's Drift platform breach.

Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance.

Marc Benoit, chief information security officer at PAN, confirmed in a note to clients - seen by The Register - that it was informed on August 25 that the “compromise of a third-party application, Salesloft’s Drift, resulted in the access and exfiltration of data stored in our Salesforce environment.” It immediately disconnected the third-party application from its Salesforce CRM, he said.

“The investigation [by the Unit42 team] confirms that the event was isolated to our Salesforce environment and did not affect any Palo Alto Networks products, systems or services.”

Benoit said it “further confirmed that the data involved includes primarily customer business contact information, such as names and contact info, company attributes, and basic customer support case information. It is important to note that no tech support files or attachments to any customer support cases were part of the exfiltration.”

All PAN products and services “remain secure, fully operational, and safe to use,” he added. “We take this incident seriously, and beyond this notification, we are reaching out to a limited number of customers who may have had commercially sensitive data exposed.”

The Unit42 team within PAN are still combing through things, “conducting enhanced, continuous monitoring of our systems and the dark web for any potential exposure or misuse of the exfiltrated data.”

The breach of the Drift application has led to supply chain attacks at “hundreds” of organizations, including PAN, said Benoit in a blog post. He said the “incident” was “isolated to our CRM platform.”

Google said last week that it didn’t have enough evidence to confirm that the recent spate of Salesforce data thefts claimed by ShinyHunters against Google itself, Workday, Allianz, Qantas and LVMH brand Dior was connected to the same group that masterminded the Salesloft attack.

The Unit42 team at PAN advised organizations to monitor Salesforce and Salesloft updates, and to take steps such as token revocation to secure their platforms. It recommends reviewing all Drift integrations and all authentication activity with third-party systems for evidence of “suspicious connections, credential harvesting and data exfiltration.”

Unit42 also recommends that you probe your Salesforce login history, audit trail, and API access logs from August 8 - when Salesloft says attackers first used “OAuth credentials to exfiltrate data from our customers’ Salesforce instances” - to the present day. It also advises combing over identity provider logs and network logs.
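The review Unit42 describes (login history and API access logs from August 8 onward, connected-app activity, a list of tokens to revoke) can be scripted. The block below is an added example, not code from Palo Alto Networks, Unit42 or Salesloft: it runs a triage pass over Salesforce EventLogFile-style records, flags successful logins through a third-party connected app from source IPs outside a baseline, totals bulk API pulls of contact, account and case objects, and joins the two signals into a list of users whose OAuth tokens should be revoked. The column names are modelled on Salesforce's Login and API event log files as I understand them; the app name "Drift", the IP baseline, the row threshold and the log rows themselves are constructed for illustration, not real data.

```python
"""Triage Salesforce-style event logs for third-party OAuth token misuse.

Added example (not PAN/Unit42/Salesloft code). Column names follow
Salesforce EventLogFile Login and API events as assumed here; every row,
IP and threshold below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Start of the window Salesloft gave for the token misuse (8 August 2025).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
# Connected app under review. Assumption: it appears as "Drift" in this org.
SUSPECT_APP = "Drift"
# Constructed baseline: source IPs the integration used before the window.
KNOWN_APP_IPS = {"203.0.113.10"}
# Objects whose bulk export matches the data PAN said was taken.
SENSITIVE_OBJECTS = {"Contact", "Account", "Case", "Lead"}
ROWS_THRESHOLD = 5000  # constructed; tune to the integration's normal volume

# Constructed sample Login events (not real logs).
SAMPLE_LOGIN_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,SOURCE_IP,APPLICATION,LOGIN_STATUS
Login,2025-08-01T09:00:00.000Z,005xx000001A,203.0.113.10,Drift,LOGIN_NO_ERROR
Login,2025-08-09T02:13:44.000Z,005xx000001A,198.51.100.7,Drift,LOGIN_NO_ERROR
Login,2025-08-10T03:01:02.000Z,005xx000001A,198.51.100.7,Drift,LOGIN_NO_ERROR
Login,2025-08-12T10:00:00.000Z,005xx000002B,192.0.2.55,Browser,LOGIN_NO_ERROR
"""
# Constructed sample API events (not real logs).
SAMPLE_API_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
API,2025-08-09T02:15:10.000Z,005xx000001A,198.51.100.7,Contact,query,120000
API,2025-08-09T02:40:00.000Z,005xx000001A,198.51.100.7,Case,query,45000
API,2025-08-09T02:50:00.000Z,005xx000001A,198.51.100.7,Attachment,query,0
API,2025-08-07T12:00:00.000Z,005xx000001A,203.0.113.10,Contact,query,200
API,2025-08-12T10:05:00.000Z,005xx000002B,192.0.2.55,Account,query,30
"""


def parse_log(text):
    """Read a CSV export and attach a timezone-aware datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(
            r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ"
        ).replace(tzinfo=timezone.utc)
    return rows


def suspicious_app_logins(login_rows, app=SUSPECT_APP, known_ips=KNOWN_APP_IPS,
                          start=WINDOW_START):
    """Successful logins via the connected app, inside the window, from an
    IP not in the baseline. A stolen token replayed from attacker
    infrastructure shows up exactly like this."""
    hits = []
    for r in login_rows:
        if r["ts"] < start or r["APPLICATION"] != app:
            continue
        if r["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue  # failures deserve a separate look but moved no data
        if r["SOURCE_IP"] not in known_ips:
            hits.append(r)
    return hits


def bulk_pulls(api_rows, start=WINDOW_START, threshold=ROWS_THRESHOLD):
    """Total rows read per (user, ip, object) for sensitive objects in the
    window; return only the combinations at or above the threshold."""
    totals = defaultdict(int)
    for r in api_rows:
        if r["ts"] < start or r["ENTITY_NAME"] not in SENSITIVE_OBJECTS:
            continue
        key = (r["USER_ID"], r["CLIENT_IP"], r["ENTITY_NAME"])
        totals[key] += int(r["ROWS_PROCESSED"])
    return {k: v for k, v in totals.items() if v >= threshold}


def correlate(login_rows, api_rows):
    """Join the two signals: a (user, ip) that logged in through the app from
    an unknown IP and then pulled bulk sensitive data is treated as
    exfiltration."""
    suspects = {(r["USER_ID"], r["SOURCE_IP"]) for r in suspicious_app_logins(login_rows)}
    findings = []
    for (user, ip, obj), n in sorted(bulk_pulls(api_rows).items()):
        if (user, ip) in suspects:
            findings.append({"user": user, "ip": ip, "object": obj, "rows": n})
    return findings


def tokens_to_revoke(findings):
    """Users whose connected-app OAuth tokens should be revoked."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    logins = parse_log(SAMPLE_LOGIN_LOG)
    apis = parse_log(SAMPLE_API_LOG)
    for f in correlate(logins, apis):
        print(f"{f['user']} from {f['ip']} read {f['rows']} {f['object']} rows")
    print("revoke tokens for:", tokens_to_revoke(correlate(logins, apis)))
```

In the constructed sample only user 005xx000001A trips both checks (two Drift logins from 198.51.100.7 after August 8, followed by 120,000 Contact and 45,000 Case rows); the Attachment query reads zero rows, which matches the article's point that attachments were not taken, and the pre-window Contact pull from the baseline IP is ignored. The revocation itself happens in Salesforce Setup (the connected app's OAuth usage page) and, for the identity-provider side, in the IdP; the script only produces the list.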

Daily Brief Summary

DATA BREACH // Palo Alto Networks Data Exposed via Stolen OAuth Tokens Incident

Palo Alto Networks reported unauthorized access to its Salesforce environment due to OAuth tokens stolen from Salesloft's Drift platform breach, affecting customer data.

The breach involved exfiltration of customer business contact information (names, contact details, company attributes) and basic support case information; no tech support files or attachments to support cases were taken.

Palo Alto Networks swiftly disconnected the compromised third-party application from its Salesforce CRM to contain the breach.

The incident was isolated to the Salesforce environment; Palo Alto Networks says its products, systems and services were not affected and remain operational.

The Unit42 team is actively monitoring systems and the dark web for potential misuse of the exfiltrated data, while advising on enhanced security measures.

Google has not confirmed a connection between this breach and other recent Salesforce data thefts attributed to ShinyHunters.

Organizations are advised to review all Drift integrations, revoke OAuth tokens, and audit Salesforce login history, audit trail, API access logs, identity provider logs and network logs from August 8 onward for suspicious connections, credential harvesting and data exfiltration.

The breach at Salesloft's Drift platform has led to supply chain attacks affecting numerous organizations, emphasizing the need for vigilant third-party risk management.