Palo Alto, Salesforce-Connected Third-Party Drift Application Incident Response

DefenseStorm is aware of recent reports regarding a breach involving Palo Alto and certain types of data. Please see the most recent update below, taken directly from Palo Alto’s blog page about the incident.

The source page can be found here: https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/.

Last week, Salesloft announced its Drift application was breached, which provided unauthorized access to its customers’ Salesforce data. This supply chain attack impacted hundreds of organizations, including Palo Alto Networks.

As soon as we learned of the event, we disconnected the vendor from our Salesforce environment and our Unit 42 security teams launched a comprehensive investigation. Our investigation confirms the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and they remain secure and fully operational. The data involved includes mostly business contact information, internal sales account and basic case data related to our customers.

We take this incident seriously and are reaching out to a limited number of customers who have potentially more sensitive data exposed.

If you have concerns or need additional support, our teams are available via Palo Alto Networks customer support channels.

For additional technical details, guidance for breach victims, and recommended mitigations, please refer to our Unit 42 Threat Brief.

DefenseStorm Response

DefenseStorm is recommending everyone who uses Palo Alto to review any advisories received or published from Palo Alto and evaluate if they apply to your organization.

DefenseStorm always recommends applying any changes in accordance with your existing internal policies and change controls.

Please bookmark: https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/ to stay up to date with the latest developments related to this incident.