Particle.news

Palo Alto Networks, Zscaler Disclose Salesforce Data Exposure in Salesloft Drift Token Theft

Investigators urge immediate token rotation and log reviews while the method of theft remains under investigation.

Overview

  • Palo Alto Networks says attackers used stolen OAuth tokens to access its Salesforce CRM, exfiltrating business contact details and basic case information, with no technical support files or product systems affected.
  • Zscaler confirms limited exposure of Salesforce data such as contact details and plain‑text support case content, reports no impact to products or infrastructure, and advises customers to watch for phishing.
  • Google’s Threat Intelligence Group dates the campaign’s data exfiltration to Aug 8–18, spanning numerous Salesforce instances, with the actor hunting for AWS keys and Snowflake tokens; Google says no compelling attribution has been established.
  • The compromise extended beyond CRM as stolen Drift Email tokens enabled access to a very small number of Google Workspace accounts on Aug 9; Salesforce and Google have disabled Drift integrations pending further review.
  • Researchers report Tor‑sourced activity, deleted Salesforce query jobs, and automated tooling, while guidance urges revoking and rotating tokens, auditing Salesforce and identity logs from Aug 8 onward, and scanning any exfiltrated data for embedded credentials.
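As an added example (not from Particle.news or any of the companies named), a Python scanner that applies the last point above: it checks exported Salesforce case text for the credential material the actor was after, AWS keys and Snowflake identifiers, using constructed sample records and heuristic patterns that are assumptions rather than anything the report specifies.

```python
import re

# Constructed sample Salesforce case records (not real data), standing in for an export
# that is being reviewed for embedded credentials after the token theft described above.
SAMPLE_CASES = [
    {"CaseNumber": "00001001",
     "Description": "Customer cannot log in to the portal; password reset email sent."},
    {"CaseNumber": "00001002",
     "Description": "Attached config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"CaseNumber": "00001003",
     "Description": "Snowflake host xy12345.us-east-1.snowflakecomputing.com, password=Winter2024!"},
]

# Detection patterns. The AWS access key ID prefix is documented by AWS; the rest are
# heuristics (assumptions) and will need tuning against a real export.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})", re.I),
    "snowflake_account_host": re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.snowflakecomputing\.com)\b", re.I),
    "password_assignment": re.compile(r"\bpassword\s*[=:]\s*(\S+)", re.I),
}


def redact(secret, keep=4):
    """Keep a short prefix so a finding is actionable without copying the secret into a report."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_records(records, text_fields=("Subject", "Description", "Comments")):
    """Return (CaseNumber, pattern_name, redacted_hit) for every credential-like string found."""
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field) or ""
            for name, pat in PATTERNS.items():
                for m in pat.finditer(text):
                    findings.append((rec.get("CaseNumber", "?"), name, redact(m.group(1))))
    return findings


if __name__ == "__main__":
    # Cases with hits are the ones whose referenced credentials must be rotated first.
    for case, kind, hit in scan_records(SAMPLE_CASES):
        print(f"case {case}: {kind} -> {hit}")
```

Point the scanner at the full text fields of the real export (Subject, Description, comments, attachments converted to text) and treat every hit as a credential to rotate, not just a record to note.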