Palo Alto Networks on Tuesday said it has been impacted by the Salesloft Drift supply chain incident that gave hackers access to downstream customer Salesforce data.
In a blog post released Tuesday, Palo Alto Networks said the breach was limited to its customer relationship management platform and that most of the information involves business contact information, internal sales account and basic case data.
“We quickly contained the incident and disabled the application from our Salesforce environment,” a spokesperson told Cybersecurity Dive via email. “Our Unit 42 investigation confirms that this situation did not affect any Palo Alto Networks products, systems or services.”
The company said in the blog post that it is directly reaching out to a limited number of customers in cases where additional data may have been accessed.
Zscaler, a rival cybersecurity firm, previously disclosed a similar breach stemming from the same Salesloft Drift supply chain attack, according to a blog post published on Saturday. Zscaler said hackers accessed commonly available business contact data, including names, business email addresses, phone numbers and Zscaler product licensing information.
“Zscaler was not compromised,” a spokesperson told Cybersecurity Dive. “The scope of the incident is limited to Salesforce integrations, and there is no impact to Zscaler’s products, services, systems, or infrastructure.”
Zscaler added in a Monday update that a large number of customers were impacted but did not specify how many.
Google Threat Intelligence Group (GTIG) researchers last month disclosed the hacking campaign, which involved a threat actor tracked as UNC6395 that was targeting Salesforce instances with compromised OAuth tokens associated with Salesloft Drift.
The original hacking spree ran from Aug. 8 to Aug. 18, but the investigation found the scope of the attacks to be more widespread than originally thought.
Google threat researchers working with incident response experts from Mandiant found the attacks involved hundreds of potential targets and urged Salesloft Drift users to assume potential compromise. In an update to its blog post last week, GTIG warned UNC6395’s campaign was not limited to Salesforce and that organizations should “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Salesforce on Thursday said it had disabled all integrations with Salesloft Drift while the investigation continued.