Zscaler has revealed itself as the latest corporate victim of a major supply chain campaign that abused the Salesloft Drift integration to steal Salesforce customer data.
The security vendor said that OAuth tokens issued to the third-party Salesloft Drift application were stolen by an adversary, giving the attacker the same access to Zscaler's Salesforce instance that the app had been granted, without needing any Zscaler user credentials.
According to the update over the weekend, compromised information included “commonly available business contact details for points of contact and specific Salesforce related content.”
Specifically, this included:
- Names
- Business email addresses
- Job titles
- Phone numbers
- Regional/location details
- Zscaler product licensing and commercial information
- Plain text content from certain support cases, but not attachments, files, or images
Zscaler said it acted quickly to revoke the Drift app's access to its Salesforce data and, out of an abundance of caution, also rotated other API access tokens so that any further credentials the attacker might have harvested would no longer work.
It also said it had implemented "additional safeguards and strengthening protocols" to prevent a similar incident in the future, without detailing what those were.
“Although the incident’s scope remains limited (as stated above) and no evidence of misuse has been found, we recommend that customers maintain heightened vigilance. Please be wary of potential phishing attacks or social engineering attempts, which could leverage exposed contact details,” Zscaler advised its customers.
“Given that other organizations have suffered similar incidents stemming from Salesloft Drift, it’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information. Always verify the source of communication and never disclose passwords or financial data via unofficial channels.”
Just yesterday, Infosecurity reported that the same campaign had targeted not only the Salesforce integration with Salesloft Drift, but also a "very small number" of Google Workspace accounts reached through the Drift Email integration.
The activity is believed to be the work of a threat actor tracked as UNC6395, which targeted "numerous" Salesforce customer instances between August 8 and August 18, exfiltrating large volumes of data. Hundreds of corporate customers may have been impacted.
The scale of the campaign, and the operational discipline exercised, have led some to question whether there was nation-state involvement.