Welcome to an insightful conversation on a critical cybersecurity incident that has recently shaken the industry. Today, we’re speaking with Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, cybersecurity strategies, and network management. With his extensive background, Rupert is here to unpack the details of a significant supply chain attack involving Salesloft Drift that compromised data at major security firms like Zscaler and Palo Alto Networks. In this interview, we’ll explore the nature of the breach, the response from affected organizations, the potential ripple effects across the industry, and actionable advice for protecting systems in the wake of such incidents.
Can you walk us through the key details of the Salesloft Drift breach and how it unfolded?
Certainly, Helen. This incident began early last month when a threat actor, identified as UNC6395, targeted Salesloft Drift, a marketing software-as-a-service platform. They exploited OAuth and refresh tokens tied to its Salesforce integration to access customer data. The breach was active from August 8 to 18, and Salesloft disclosed it on August 20, with more details following shortly after. It was a sophisticated supply chain attack, meaning the attacker infiltrated a trusted third-party service to reach multiple organizations. Salesloft acted quickly by revoking active tokens, notifying affected customers, and bringing in external experts to assist with the response.
What can you tell us about the specific data that was compromised during this attack?
The data stolen varied between the affected companies, but it primarily involved business-related information. For Zscaler, the attackers accessed names, business email addresses, job titles, phone numbers, location details, product licensing info, and even some support case content. Palo Alto Networks reported a similar scope, with mostly business contact information, internal sales records, and basic case data being taken. There’s definitely overlap in the type of data compromised—mainly customer and sales-related info—which highlights the potential for targeted follow-up attacks using this information.
How did the affected organizations respond once the breach came to light?
Both Zscaler and Palo Alto Networks took decisive steps to mitigate the damage. Zscaler conducted a thorough investigation, confirmed limited access to their Salesforce data, and emphasized transparency by notifying their customers directly. They’ve found no evidence of data misuse so far. Palo Alto Networks, on the other hand, quickly contained the incident by disabling the Salesloft application in their Salesforce environment and launched an investigation through their Unit 42 team. They’re also reaching out to impacted customers. Both companies stressed that their core products and services remained unaffected, which is a critical point for their user base.
What are the wider implications of this breach for other organizations using Salesloft Drift?
The scope of this attack is quite concerning. While exact numbers aren’t public, it’s clear that hundreds of customers could be affected, given the widespread use of Salesloft Drift. Google, through its ownership of Mandiant, which assisted in the response, advised all users to treat any authentication tokens connected to the platform as potentially compromised. There’s also a worry that other integrations beyond Salesforce might be at risk, expanding the potential attack surface. This incident underscores how interconnected systems can amplify the impact of a single breach across an entire ecosystem.
Can you explain the steps taken by Salesforce in reaction to this incident and what that means for users?
Salesforce took a strong precautionary measure by disabling all Salesloft integrations until further notice, as announced on August 28. This was likely done to prevent any further unauthorized access while the investigation continues. Unfortunately, there’s no clear timeline for when these integrations might be restored, which could disrupt business operations for many organizations relying on these tools. It’s a tough but necessary move to prioritize security over convenience in the face of such a significant threat.
What practical steps should organizations take to protect themselves following this breach?
Experts, including Palo Alto Networks’ Unit 42 team, have laid out some urgent recommendations. Organizations should start by reviewing all API integrations related to Salesloft Drift, auditing Salesforce logs for any signs of compromise, and analyzing network and identity provider logs for unusual activity. Rotating all exposed credentials immediately is critical to prevent further access. Additionally, companies need to be on high alert for social engineering attempts, as attackers often use stolen data to craft convincing phishing or impersonation schemes. Adopting zero-trust principles—never assuming trust, always verifying—is a strong long-term strategy.
Looking ahead, what is your forecast for the evolving landscape of supply chain attacks in cybersecurity?
I believe supply chain attacks will continue to grow in frequency and sophistication. As businesses increasingly rely on interconnected third-party services, attackers will target these trusted relationships as entry points to reach multiple organizations with a single exploit. We’re likely to see more emphasis on vendor risk management and stricter security standards for software integrations. On the flip side, I expect advancements in detection and response capabilities, driven by AI and machine learning, to help identify breaches faster. But the key will be collaboration—vendors, customers, and security teams must work together to build resilience against these cascading threats.
