{"id":4657,"date":"2025-09-03T01:15:20","date_gmt":"2025-09-03T01:15:20","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4657"},"modified":"2025-09-03T01:15:20","modified_gmt":"2025-09-03T01:15:20","slug":"palo-alto-networks-zscaler-cloudflare-hit-by-the-latest-data-breach","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4657","title":{"rendered":"Palo Alto Networks, Zscaler, Cloudflare hit by the latest data breach"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>When three prominent vendors, Palo Alto Networks, Zscaler, and Cloudflare, announced on Tuesday that they were hit by a <a href=\"https:\/\/www.csoonline.com\/article\/4046407\/attackers-steal-data-from-salesforce-instances-via-compromised-ai-live-chat-tool.html\" target=\"_blank\" rel=\"noopener\">cyber attack targeting Salesloft Drift<\/a>, it was a stark reminder that today\u2019s interconnected enterprise environment means that one vendor\u2019s security hole can hurt users globally.<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2025\/09\/salesforce-third-party-application-incident-response\/\" target=\"_blank\" rel=\"noopener\">Palo Alto\u2019s Tuesday statement<\/a> said, \u201cthis supply chain attack impacted hundreds of organizations, including Palo Alto Networks\u201d and that it had confirmed that the incident \u201cwas isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and they remain secure and fully operational. 
The data involved includes mostly business contact information, internal sales account and basic case data related to our customers.\u201d<\/p>\n<p>However, one detail reported by Palo Alto showed that some end users will be hurt more than others, given their choice to place sensitive data in insecure notes fields within Salesforce.<\/p>\n<p>\u201cMost of the exfiltrated data was business contact information. However, a small number of customers who included sensitive information, such as credentials, in their recent case notes might also have had that data compromised,\u201d said a Palo Alto spokesperson in an email to <em>CSO<\/em>, in response to a request for clarification.\u00a0<\/p>\n<p>\u201cIn the case of Zscaler and Palo Alto, because they sell solutions in the SASE space, their compromise can be particularly problematic since this may end up unfolding into a third-party or even fourth-party compromise,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/fvillanustre\/\" target=\"_blank\" rel=\"noopener\">Flavio Villanustre<\/a>, SVP and CISO for LexisNexis Risk Solutions. \u201cKeep in mind that they are in the authentication loop for their customers\u2019 secure access. 
Regarding most incidents affecting Salesforce deployments, they seem to be related to either compromised identities, stolen tokens and open endpoints, so these two may fall under that umbrella.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Some customers may have more data exposed<\/h2>\n<p>Zscaler\u2019s statement was similar and said, \u201cthis incident involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.\u201d<\/p>\n<p><a href=\"https:\/\/www.zscaler.com\/blogs\/company-news\/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response\" target=\"_blank\" rel=\"noopener\">Zscaler specified<\/a> the type of information potentially grabbed: names, email addresses, job titles, phone numbers, regional\/location details, Zscaler product licensing and commercial information and \u201cplain text content from certain support cases. This does <em>not<\/em> include attachments, files [or] images.\u201d<\/p>\n<p>Palo Alto\u2019s threat intelligence arm, Unit 42, issued a separate threat brief that talked in more detail about the attack and recommended defenses.<\/p>\n<p>\u201cThe threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case and Opportunity records. Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access,\u201d the <a href=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-compromised-salesforce-instances\/\" target=\"_blank\" rel=\"noopener\">Unit 42 threat brief<\/a> said. 
\u201cWe have observed that the threat actor deleted queries to hide evidence of the jobs they run, likely as an anti-forensics technique.\u201d It also stressed, \u201cPalo Alto Networks highly recommends rotating credentials and following the [provided] guidance to validate authentication activity for Drift integrations.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Defense suggestions<\/h2>\n<p>Palo Alto suggested that customers \u201cconduct a thorough review of Salesforce login history, audit trails and API access logs for the period of August 8 to present. Specifically, examine Salesforce Event Monitoring logs, if enabled, for unusual activity associated with the Drift connection user and review authentication activity from the Drift Connected App. Look for suspicious login attempts, unusual data access patterns, and the indicators mentioned in the Hunting Guidance section, such as the Python\/3.11 aiohttp\/3.12.15 user agent string and activity from known threat actor IP addresses. Also, review UniqueQuery events that log executed Salesforce Object Query Language (SOQL) queries to identify which Salesforce objects e.g., Account, Contact, Opportunity, Case, etc. and which fields within those objects the attacker queried.\u201d<\/p>\n<p>The <a href=\"https:\/\/blog.cloudflare.com\/response-to-salesloft-drift-incident\/\" target=\"_blank\" rel=\"noopener\">blog post from Cloudflare<\/a> differed markedly from the posts by Palo Alto and Zscaler in that Cloudflare accepted some responsibility for the incident. They also stressed that the breach came from a third party, but Cloudflare took the blame for having enabled the services of that third party.<\/p>\n<p>\u201cWe are responsible for the choice of tools we use in support of our business,\u201d Cloudflare said. \u201cThis breach has let our customers down. 
For that, we sincerely apologize.\u201d<\/p>\n<p>Cloudflare also wrote about the leakage of data that they had never intended to be entered.\u00a0<\/p>\n<p>\u201cGiven that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system\u2014including logs, tokens or passwords\u2014should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel,\u201d Cloudflare\u2019s blog said.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/corymichal\/\" target=\"_blank\" rel=\"noopener\">Cory Michal<\/a>, CSO at SaaS app security vendor AppOmni, applauded the way Cloudflare described its role.<\/p>\n<p>\u201cCloudflare\u2019s disclosure of the Salesloft\/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting. Their blog not only provides clear technical detail, but also openly accepts responsibility for the risks posed by third party integrations,\u201d Michal said. 
\u201cBy committing to strengthen their SaaS environments and toolchain security going forward, Cloudflare demonstrated both maturity and leadership in incident response, setting a high bar for how organizations should communicate, remediate, and reinforce trust in the aftermath of supply chain compromises.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Revoking OAuth tokens<\/h2>\n<p><a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\" target=\"_blank\" rel=\"noopener\">Erik Avakian<\/a>, technical counselor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania, recommended that users should \u201cbe periodically revoking unused OAuth tokens and refreshing them, and enforcing expiration where possible, all of which are practices in line with foundational zero trust principles.\u201d<\/p>\n<p>\u201cThis incident also highlights why this type of attack demonstrates the rise in SaaS risk. When we\u2019re trusting third-party apps with direct API access, we\u2019re really trusting them to safeguard our auth tokens as carefully as we would our passwords,\u201d Avakian said. \u201cBut if we focus on and employ a zero trust mindset across our environment, we really should be treating third-party applications and SaaS like any other external network.\u201d<\/p>\n<p>Avakian also recommended \u201cperiodically revisiting third-party contracts to ensure the right level of security language is included in areas including breach notification, right to audit, data handling, and sub-processor transparency, the latter of which will help organizations ensure which subcontractors and sub-processors are part of the overall application landscape.\u201d<\/p>\n<p><a href=\"https:\/\/moorinsightsstrategy.com\/team\/will-townsend\/\" target=\"_blank\" rel=\"noopener\">Will Townsend<\/a>, a VP\/principal analyst for Moor Insights &amp; Strategy, said this attack \u201cbegs the question: How was it compromised? 
It appears to be API level integrations that are difficult to monitor given the enormous number of calls. This incident could serve as a valuable learning moment given the expected interaction of thousands of agents within future agentic AI frameworks. Managing identity and access will become even more challenging in that regard, and I expect API security will keep pace to thwart future attacks.\u201d<\/p>\n<p><a href=\"https:\/\/www.forrester.com\/analyst-bio\/paddy-harrington\/BIO18204\" target=\"_blank\" rel=\"noopener\">Paddy Harrington<\/a>, a senior analyst with Forrester, described this incident as \u201cjust another OAuth token attack\u201d and it shows \u201cthe dangers that are inherent with the interconnected software supply chain. Not to sound blas\u00e9 about it, but this has happened enough over the years and shown that all it takes is a little misconfiguration and you\u2019re breached.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Hardest work just beginning<\/h2>\n<p>Harrington said the hardest work for CISOs is just beginning.\u00a0<\/p>\n<p>\u201cSalesforce customers need to be combing through <em>their<\/em> customer records to not only see who was exposed, but what details could have gotten out,\u201d Harrington said. \u201c[Sales] reps may have stored multiple connection types such as secondary email, phone numbers, etc., for contacts so that could lead to a whole lot of phishing\/smishing\/vishing with those business contacts, impersonating someone from the Zscaler, Palo Alto, or the hundreds of others who got breached.\u201d<\/p>\n<p>Harrington also stressed that upcoming phishing attacks may be more effective than usual.<\/p>\n<p>\u201cThe social engineering attacks will have more power behind them because it\u2019s not random info they have against the target,\u201d Harrington said. 
\u201cThey will have valid sales information from what was exported, so it\u2019s going to be a lot harder to discern a scam from a valid call\/message.\u201d<\/p>\n<p><em>Updated to clarify that additional information about the breach came from Palo Alto Networks\u2019 Unit 42 threat intelligence arm.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When three prominent vendors, Palo Alto Networks, Zscaler, and Cloudflare, announced on Tuesday that they were hit by a cyber attack targeting Salesloft Drift, it was a stark reminder that today\u2019s interconnected enterprise environment means that one vendor\u2019s security hole can hurt users globally. Palo Alto\u2019s Tuesday statement said, \u201cthis supply chain attack impacted hundreds [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4640,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4657","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4657"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4657"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4657\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4640"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4657"}],"wp:term":[{"taxonomy":"category","embedda
ble":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}