Zscaler, a cybersecurity firm, has issued a warning regarding a data breach affecting its customers. The breach stemmed from a compromise of its Salesforce instance following a supply-chain attack targeting Salesloft Drift. Attackers accessed OAuth and refresh tokens, which facilitated unauthorized access to Zscaler’s Salesforce environment and the exfiltration of sensitive customer data.
Zscaler’s advisory states that the compromise of Salesloft Drift, an AI chat agent integrated with Salesforce, led to the exposure. The attackers exploited stolen OAuth and refresh tokens to gain access to customer Salesforce environments. Zscaler’s statement highlights that “unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler,” further noting that these credentials “allowed limited access to some Zscaler’s Salesforce information.”
The data exposed in the breach includes a range of customer information. This encompasses names, business email addresses, job titles, phone numbers, regional or location details, and Zscaler product licensing and commercial information. The breach also exposed content from certain support cases. Zscaler emphasized that the incident was isolated to its Salesforce instance and did not affect any Zscaler products, services, or underlying infrastructure.
While Zscaler has not detected any misuse of the exfiltrated data, the company is urging customers to exercise caution. Customers are advised to be vigilant against potential phishing and social engineering attacks that could leverage the exposed information. As a precautionary measure, Zscaler has revoked all Salesloft Drift integrations with its Salesforce instance and rotated other API tokens. An internal investigation into the incident is currently underway. To further mitigate risks, Zscaler has enhanced its customer authentication protocol for support calls to prevent social engineering attempts.
Google Threat Intelligence identified UNC6395 as the threat actor behind the attacks. This actor is known for targeting sensitive credentials, including Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. Google’s report indicated that “GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake‑related access tokens.” The report also mentioned that “UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted, and organizations should still review relevant logs for evidence of data exposure.”
The Salesloft supply-chain attack extended beyond the Drift Salesforce integration. It also impacted Drift Email, a tool used for managing email replies and organizing CRM and marketing automation databases. Attackers are reported to have exploited stolen OAuth tokens to access Google Workspace email accounts and read emails. This broader impact prompted Google and Salesforce to temporarily disable their Drift integrations pending the completion of the ongoing investigation.
Some researchers have suggested a potential connection between the Salesloft Drift compromise and recent Salesforce data theft attacks attributed to the ShinyHunters extortion group. The specific details of this connection are still under investigation, and further information is needed to confirm any direct links between these incidents.
