
Major Cybersecurity Vendors Breached in Widespread Data Theft Campaign
A Salesforce third-party integration became the weak link in a major supply chain breach. Attackers stole OAuth tokens via Salesloft Drift, exposing data at cybersecurity leaders like Palo Alto Networks, Zscaler, and PagerDuty. This blog unpacks the attack chain and explains how Zero Trust, powered by AccuKnox’s CNAPP, could have made the difference.
Reading Time: 3 minutes
TL;DR
- Salesloft Drift exploited in a Salesforce supply chain attack.
- Palo Alto Networks, Zscaler, and PagerDuty confirm data exposure.
- Stolen OAuth tokens enabled credential harvesting and exfiltration.
- AccuKnox Zero Trust + CNAPP could have minimized the impact with a unified ASPM platform, secret scanning, and runtime visibility for exposed networks.
Headlines: Major Cybersecurity Vendors Breached in Widespread Data Theft Campaign
- Salesforce Data Theft Hits Major Security Firms: Palo Alto Networks, Zscaler, and PagerDuty confirm exposure via Salesloft Drift breach.
- Supply Chain Attack Scales Up: Stolen OAuth tokens allowed unauthorized access to Salesforce environments.
- Third-Party App Exploited: The breach reinforces the urgent need for Zero Trust in SaaS ecosystems.
The Anatomy of the Attack
The past few years have shown us repeatedly that the biggest threat to an enterprise doesn’t always come from hackers directly targeting core infrastructure — but often from trusted integrations that connect business-critical systems. The recent Salesloft Drift incident is a textbook example of this risk.
As reported by CRN, the breach compromised some of the most recognized cybersecurity vendors, proving that even those with world-class defenses are only as strong as their supply chain.
According to an advisory from the Google Threat Intelligence Group, the threat actor UNC6395 executed a highly coordinated campaign between August 8 and August 18, 2025. Their weapon of choice? Compromised OAuth tokens tied to the Salesloft Drift app.
Once inside, attackers systematically exfiltrated sensitive Salesforce data across multiple organizations. Their primary objective was credential harvesting, meticulously scanning through datasets for high-value secrets such as AWS access keys and authentication passwords.

The list of confirmed victims keeps growing:
- Palo Alto Networks and Zscaler: Reported exposure of business contact details and internal sales account records.
- PagerDuty: Confirmed loss of certain business contact data.
To contain the breach, Salesforce and Salesloft revoked all active Drift OAuth tokens and delisted the app from AppExchange, issuing ongoing updates via official channels.

How Could It Have Been Prevented? The AccuKnox Zero Trust Approach
This campaign highlights the inherent risks of SaaS ecosystems — where one overly trusted integration can open the floodgates. While some vendors were compromised, others like Cloudflare quickly verified no exposure thanks to disciplined logging and credential management. This stark contrast underscores why proactive Zero Trust security is no longer optional.
At AccuKnox, we advocate for deeply integrated security powered by Cloud-Native Application Protection Platforms (CNAPPs). A Zero Trust architecture, paired with layered defenses, could have reduced or even prevented the Salesloft Drift breach. Here’s how:
1. Proactive Defense Starts with Code: The Power of ASPM and Secret Scanning
The attackers’ ultimate goal was credential harvesting. This isn’t surprising — in modern cloud-native environments, secrets (API keys, passwords, tokens) are everywhere, scattered across codebases, IaC templates, and runtime environments. If attackers can grab them, they immediately gain a foothold.
AccuKnox’s Application Security Posture Management (ASPM) and secrets scanning address this problem at the root.
- Shift Left with Integrated Scanning: Before deployment, AccuKnox scans Git repos, IaC templates (like Azure IaC integrations), and container images for exposed secrets. By embedding this into CI/CD pipelines (AWS example), developers catch issues early.
- Securing the Secrets Manager: Beyond static scans, AccuKnox integrates with HashiCorp Vault to dynamically manage secrets with rotation and limited lifespans.
- Real-World Example: If a developer accidentally commits an AWS access key to GitHub, AccuKnox immediately fails the build, alerts the team, and prevents that code from reaching production.
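As an added illustration (not AccuKnox's scanner), a minimal Python secret scanner of the kind a CI step would run on each commit: it looks for AWS access key IDs and high-entropy 40-character secret key candidates and returns a failing exit status when it finds one. The key formats, the entropy cut-off and the sample config are this example's assumptions; the credential values are the placeholders from AWS's documentation.

```python
# Added example (not AccuKnox code): a minimal CI secret scanner for AWS credentials.
import math
import re

# Access key IDs: 20 chars starting with AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys: exactly 40 base64-ish chars, bounded so we do not match inside longer tokens.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off between random keys and prose or paths

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random 40-char keys score well above 3.5."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, value) for every AWS credential candidate in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group()))
        for m in SECRET_KEY_RE.finditer(line):
            cand = m.group()
            if re.fullmatch(r"[0-9a-f]{40}", cand):
                continue  # 40 hex chars is almost always a git SHA, not a secret key
            if shannon_entropy(cand) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "aws_secret_access_key", cand))
    return findings

def ci_gate(text: str) -> int:
    """Pipeline exit status: 1 fails the build when any credential is found, else 0."""
    return 1 if scan_text(text) else 0

# Constructed sample of a config committed by mistake; the key values are the
# placeholder credentials from AWS's own documentation, not real secrets.
LEAKED_CONFIG = """[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
CLEAN_CONFIG = "[default]\nregion = us-east-1\nrole_arn = arn:aws:iam::123456789012:role/ci-deploy\n"

if __name__ == "__main__":
    for line_no, kind, value in scan_text(LEAKED_CONFIG):
        print(f"line {line_no}: {kind} = {value[:4]}...")  # never echo the full secret
    raise SystemExit(ci_gate(LEAKED_CONFIG))
```

The hex exclusion keeps commit hashes from tripping the gate; a real pipeline would also skip vendored fixtures and documented example keys by allow-list.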
[Figure: ASPM across Dev and QA]
2. Enforcing Least Privilege with Network Primitive Controls and Zero Trust Policies
The Salesloft Drift breach was enabled by overly permissive OAuth tokens. Once attackers had them, they could access vast amounts of Salesforce data. A true Zero Trust architecture minimizes this blast radius by enforcing granular, context-driven policies.

AccuKnox achieves this using Network Primitive Controls:
- Process-Based Network Control: Network access is tied to process identity rather than just IPs or firewalls. Even if a token is stolen, exfiltration attempts outside the approved baseline get blocked (detailed docs).
- Multi-Cloud Security: Consistent, granular policies across AWS, Azure, and GCP.
- Automated Policy Generation: Policies are generated dynamically based on observed runtime behavior, reducing human error while adapting to evolving workloads.

3. Runtime Visibility and Threat Detection
The attackers’ activity in this campaign followed clear patterns — for instance, running SELECT COUNT() queries before bulk data extraction. With deep runtime visibility, these anomalies would have been spotted early.
AccuKnox CNAPP brings this visibility with:
- Runtime-Powered Threat Detection: Continuous monitoring for unusual queries, abnormal data spikes, or rogue process execution.
- Admission Controller: AccuKnox’s admission controller blocks misconfigured or vulnerable workloads from being deployed, ensuring risks are mitigated before runtime.
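To make that pattern concrete, here is an added example (not part of AccuKnox's product) of detection logic that flags a connected app which runs SELECT COUNT() on an object and then bulk-reads the same object shortly afterwards. The event field names, the thresholds and the log lines are constructed for this example; the app names are placeholders.

```python
# Added example (not AccuKnox code): flag the "count first, then bulk-pull" SOQL
# pattern described above in a stream of Salesforce API query events.
import re
from datetime import datetime, timedelta

# Constructed event schema (field names are this example's assumption): ISO timestamp,
# connected app issuing the call, SOQL text, and the number of rows returned.
COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
BULK_RE = re.compile(r"^\s*SELECT\s+.+?\s+FROM\s+(\w+)", re.I | re.S)

def detect_recon_then_bulk(events, window_minutes=30, min_rows=1000):
    """Alert when one app runs SELECT COUNT() on an object and then, within the window,
    pulls at least `min_rows` rows from that same object (sizing before extraction)."""
    window = timedelta(minutes=window_minutes)
    last_count = {}  # (app, object) -> time of the most recent COUNT() query
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if m := COUNT_RE.match(ev["query"]):
            last_count[(ev["app"], m.group(1).lower())] = ts
            continue
        m = BULK_RE.match(ev["query"])
        if not m or ev["rows"] < min_rows:
            continue  # not a bulk read; a per-app rows/hour baseline would refine this
        counted_at = last_count.pop((ev["app"], m.group(1).lower()), None)  # one alert per pair
        if counted_at is not None and ts - counted_at <= window:
            alerts.append({"app": ev["app"], "object": m.group(1), "rows": ev["rows"],
                           "count_at": counted_at.isoformat(), "bulk_at": ev["ts"]})
    return alerts

# Constructed sample log; app names are placeholders, not real connected app ids.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:15:00", "app": "chat-integration", "query": "SELECT COUNT() FROM Case", "rows": 1},
    {"ts": "2025-08-10T02:16:30", "app": "chat-integration", "query": "SELECT Id, Subject FROM Case", "rows": 48213},
    {"ts": "2025-08-10T02:20:00", "app": "chat-integration", "query": "SELECT COUNT() FROM User", "rows": 1},
    {"ts": "2025-08-10T02:21:00", "app": "chat-integration", "query": "SELECT Id, Email FROM User", "rows": 1200},
    {"ts": "2025-08-10T09:00:00", "app": "billing-sync", "query": "SELECT Id, Amount FROM Opportunity", "rows": 37},
    {"ts": "2025-08-10T09:05:00", "app": "reporting", "query": "SELECT COUNT() FROM Account", "rows": 1},
]

if __name__ == "__main__":
    for a in detect_recon_then_bulk(SAMPLE_EVENTS):
        print(f"ALERT {a['app']}: COUNT() on {a['object']} at {a['count_at']}, "
              f"then {a['rows']} rows at {a['bulk_at']}")
```

The billing and reporting apps produce no alert because neither pairs a count with a large read, which is the discrimination a flat "large query" rule cannot make.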



Major Attacks AccuKnox Can Defend Against with Advanced Secret Scanning
| Attacks | What Happened | How AccuKnox Could Have Prevented This |
|---|---|---|
| CircleCI Incident (2023) | Attackers accessed customer environment variables, including secrets, through a compromised CI/CD system. | Flagged exposed environment variables during pipeline execution and prevented unauthorized access. |
| Uber Breach (2022) | Attackers exploited a hardcoded access key in a private repo to access Uber’s infrastructure. | Proactive scanning of code repositories could have detected and removed the hardcoded access key. |
| Toyota GitHub Leak (2022) | API keys for Toyota’s T-Connect service were publicly exposed in a GitHub repository. | Automated scans of repositories could have identified the exposed API keys before they became public. |
| Capital One Data Breach (2019) | Misconfigured S3 buckets led to the exfiltration of sensitive customer data. | Scanned S3 buckets for exposed secrets and misconfigurations to prevent unauthorized data access. |
| SolarWinds Cyberattack (2020) | Compromised build systems included leaked credentials, facilitating the attack. | Scanned container images and file systems to detect and remove embedded credentials in the build environment. |
AI Model Cards for Continuous Governance
Transform your model documentation from static reports into a real-time security and risk dashboard.
- Continuous Security & Supply Chain: Get a live Software Bill of Materials (SBOM), real-time vulnerability scanning, and ongoing license compliance checks for all model components.
- Automated Validation & Risk Scoring: Use sandbox-driven assessments for automated red teaming, evaluating safety, bias, toxicity, and jailbreak resilience, and assigning a dynamically changing risk score.
- Runtime Observability & Fencing: Establish behavior baselines and monitor operational activity to detect policy violations and ensure real-time data isolation and fencing of model data stores.

Building a Resilient Security Posture with AccuKnox
The Salesloft Drift supply chain breach is a wake-up call. Even leading cybersecurity firms can fall victim when reactive defenses are the only line of protection. In today’s SaaS-driven world, Zero Trust must be the default.
With AccuKnox CNAPP, organizations gain:
- Proactive defenses with ASPM and secret scanning.
- Granular control with automated, least-privilege policies.
- Real-time detection through runtime visibility.
- Stronger prevention with admission controls.
Don’t wait for attackers to test the weakest link in your SaaS ecosystem. Explore AccuKnox’s solutions for ASPM and secrets scanning to build a truly resilient Zero Trust security posture.