Palo Alto Networks becomes the latest to confirm it was hit by Salesloft Drift attack
Business contact and related account information was taken, the company said

- The list of victims of the Salesloft/Drift attack keeps growing
- Palo Alto Networks confirmed crooks stole sensitive information
- The company is notifying affected customers
The Salesloft Drift incident is quickly turning into the next MOVEit MFT fiasco, as yet another company confirms losing sensitive data in the third-party attack. This time around, it is the American multinational cybersecurity company Palo Alto Networks that confirmed losing customer data and support case information in the breach.
It all began with the sales engagement platform Salesloft. It uses Drift, a conversational marketing and sales platform with live chat, chatbots, and AI, to engage visitors in real time. Working alongside it is SalesDrift, a third-party platform linking Drift’s AI chat functionality to Salesforce, syncing conversations, leads, and cases into the CRM via the Salesloft ecosystem.
In early August this year, adversaries managed to steal OAuth and refresh tokens from SalesDrift, then pivoted to customer environments and exfiltrated sensitive data. The theft lasted for 10 days, during which the attackers stole information from different companies, including Zscaler and Cloudflare.
Hundreds of victims
In a statement shared with BleepingComputer, Palo Alto Networks said it was one of “hundreds” of victims:
"Palo Alto Networks confirms that it was one of hundreds of customers impacted by the widespread supply chain attack targeting the Salesloft Drift application that exposed Salesforce data," the company told the publication. To contain the incident, the company disabled the application from its Salesforce environment, while its cybersecurity arm - Unit 42 - confirmed its products, systems, and services were unaffected.
"The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data. We are in the process of directly notifying any impacted customers." The company added that support case data held contact info and text comments.
Ransomware actors ShinyHunters took responsibility for the attack, but not everyone is convinced. Google, for example, believes this to be the work of a separate entity it tracks as UNC6395.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.