Cybersecurity company Zscaler warns it suffered a data breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of support cases.
This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data.
In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers’ information.
“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler,” reads Zscaler’s advisory.
“Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler’s Salesforce information.”
The exposed information includes the following:
- Names
- Business email addresses
- Job titles
- Phone numbers
- Regional/location details
- Zscaler product licensing and commercial information
- Content from certain support cases
The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure.
While Zscaler states that it has detected no misuse of this information, it recommends that customers remain vigilant against potential phishing and social engineering attacks that could exploit this information.
The company also says it has revoked all Salesloft Drift integrations to its Salesforce instance, rotated other API tokens, and is conducting an investigation into the incident.
Zscaler has also strengthened its customer authentication protocol when responding to customer support calls to guard against social engineering attacks.
Google Threat Intelligence warned last week that a threat actor, tracked as UNC6395, is behind the attacks, stealing support cases to harvest authentication tokens, passwords, and secrets shared by customers when requesting support.
“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” reports Google.
“UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.”
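Because the stolen support cases may contain credentials that customers pasted in, one practical follow-up is to scan exported case text for the credential types GTIG names so they can be rotated. The sketch below is an added example, not code from Zscaler's or Google's advisories; the regular expressions, the `id`/`body` field names and the sample cases are assumptions constructed for illustration.

```python
import re

# Heuristic patterns (assumptions for this example, not taken from the advisory).
PATTERNS = {
    # AWS long-term access key IDs: "AKIA" followed by 16 uppercase letters/digits.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # "password: value" / "token = value" style disclosures in free text.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token)\b\s*(?:is|[:=])\s*(\S{6,})"
    ),
    # Snowflake account hostnames: a hint that Snowflake credentials may be nearby.
    "snowflake_reference": re.compile(
        r"(?i)\b([a-z0-9][a-z0-9._-]*\.snowflakecomputing\.com)\b"
    ),
}


def redact(value):
    """Keep only the first four characters so the report does not re-leak secrets."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases):
    """Return one finding per (case, pattern, match), with the matched value redacted."""
    findings = []
    for case in cases:
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(case["body"]):
                findings.append(
                    {"case_id": case["id"], "type": name, "value": redact(match.group(1))}
                )
    return findings


# Constructed sample support cases; the key below is AWS's documented example key ID.
SAMPLE_CASES = [
    {"id": "CASE-001", "body": "Connector fails. Our key is AKIAIOSFODNN7EXAMPLE, please check."},
    {"id": "CASE-002", "body": "Login broken for svc account, password: Summer2025! since Monday."},
    {"id": "CASE-003", "body": "Sync to acme-prod.snowflakecomputing.com times out."},
    {"id": "CASE-004", "body": "How do I change the dashboard time zone?"},
]

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

Matches are heuristic and need manual triage; any confirmed credential should be treated as exposed and rotated.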
It was later revealed that the Salesloft supply-chain attack impacted not only the Drift Salesforce integration but also Drift Email, which is used to manage email replies and organize CRM and marketing automation databases.
Google warned last week that attackers also used stolen OAuth tokens to access Google Workspace email accounts and read emails as part of this breach.
Google and Salesforce have temporarily disabled their Drift integrations pending the completion of an investigation.
Some researchers have told BleepingComputer that they believe the Salesloft Drift compromise overlaps with the recent Salesforce data theft attacks by the ShinyHunters extortion group.
Since the beginning of the year, the threat actors have been conducting social engineering attacks to breach Salesforce instances and download data.
During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company’s Salesforce instances.
Once linked, the threat actors use the connection to download and steal the databases, which are then used to extort the company through email.
Since Google first reported the attacks in June, numerous data breaches have been tied to the social engineering attacks, including Google itself, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.