Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance.
Marc Benoit, chief information security officer at PAN, confirmed in a note to clients – seen by The Register – that it was informed on August 25 that the “compromise of a third-party application, Salesloft’s Drift, resulted in the access and exfiltration of data stored in our Salesforce environment.”
It immediately disconnected the third-party application from its Salesforce CRM, he said. “The investigation [by the Unit 42 team] confirms that the event was isolated to our Salesforce environment and did not affect any Palo Alto Networks products, systems or services.”
Benoit said it “further confirmed that the data involved includes primarily customer business contact information, such as names and contact info, company attributes, and basic customer support case information. It is important to note that no tech support files or attachments to any customer support cases were part of the exfiltration.”
[…]
The breach of the Drift application has led to supply chain attacks at “hundreds” of organizations, including PAN, said Benoit in a blog post. He said the “incident” was “isolated to our CRM platform.”
Google said last week that it didn’t have enough signs to confirm that the recent spate of Salesforce data thefts claimed by ShinyHunters on Google itself, Workday, Allianz, Qantas and LVMH brand Dior were connected to the same group that masterminded the Salesloft attack.
The Unit 42 team at PAN advised organizations to monitor Salesforce and Salesloft updates, and take steps such as token revocation to secure platforms. It recommends conducting a review of all Drift integrations and all authentication activity with third-party systems for evidence of “suspicious connections, credential harvesting and data exfiltration.”
Unit 42 also recommends that you probe your Salesforce login history, audit trail, and API access logs from August 8 – when Salesloft says attackers first used “OAuth credentials to exfiltrate data from our customers’ Salesforce instances” – to the present day. It also advises combing over identity provider logs and network logs.
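As an added illustration of the log review Unit 42 describes (not code from Palo Alto Networks, Salesloft or The Register), the script below runs three checks over a constructed Salesforce login export for the window opening August 8: an OAuth (“Remote Access 2.0”) login from a source IP the user never used before the window, any login through the Drift connected app, and unusually high API volume in a session. Column names mimic Salesforce LoginHistory fields but are an assumption; the `ApiCalls` column is constructed and would in practice be joined from API usage logs, and the bulk threshold is a placeholder to tune per org.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Start of the review window: the date Salesloft gave for first use of the stolen tokens.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
BULK_API_THRESHOLD = 1000  # assumption: tune to your org's normal per-session volume

# Constructed sample export (not real data). Columns mimic Salesforce LoginHistory
# fields (assumption); ApiCalls is an assumed column joined from API usage logs.
SAMPLE_CSV = """LoginTime,UserId,SourceIp,Application,LoginType,Status,ApiCalls
2025-08-05T10:01:00Z,005A1,198.51.100.10,Browser,Application,Success,0
2025-08-06T11:20:00Z,005B2,198.51.100.20,Drift,Remote Access 2.0,Success,40
2025-08-09T02:14:00Z,005B2,203.0.113.7,Drift,Remote Access 2.0,Success,4200
2025-08-10T09:30:00Z,005A1,198.51.100.10,Browser,Application,Success,12
2025-08-12T03:05:00Z,005C3,203.0.113.7,Drift,Remote Access 2.0,Success,9800
"""


def parse_rows(text):
    """Parse the CSV export into dicts with typed LoginTime and ApiCalls."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["LoginTime"] = datetime.fromisoformat(r["LoginTime"].replace("Z", "+00:00"))
        r["ApiCalls"] = int(r["ApiCalls"])
    return rows


def review_logins(rows, window_start=WINDOW_START, threshold=BULK_API_THRESHOLD):
    """Return (UserId, LoginTime, reasons) for successful logins inside the window."""
    # Baseline: source IPs each user was seen from before the window opened.
    baseline = defaultdict(set)
    for r in rows:
        if r["LoginTime"] < window_start:
            baseline[r["UserId"]].add(r["SourceIp"])
    findings = []
    for r in rows:
        if r["LoginTime"] < window_start or r["Status"] != "Success":
            continue
        reasons = []
        if r["LoginType"] == "Remote Access 2.0" and r["SourceIp"] not in baseline[r["UserId"]]:
            reasons.append("oauth-login-from-new-source")
        if r["Application"] == "Drift":
            reasons.append("drift-integration-login-in-window")
        if r["ApiCalls"] >= threshold:
            reasons.append("bulk-api-activity")
        if reasons:
            findings.append((r["UserId"], r["LoginTime"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for finding in review_logins(parse_rows(SAMPLE_CSV)):
        print(finding)
```

Each flagged session is a starting point for the token-revocation and integration review the article describes, not a verdict on its own.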
Source: Stolen OAuth tokens expose Palo Alto customer data • The Register