Zscaler’s Salesforce Data Exposed via Supply Chain Incident


In August 2025, Zscaler confirmed a data breach involving unauthorized access to its Salesforce instance. The breach was not a result of vulnerabilities within Zscaler’s infrastructure but occurred via a supply chain compromise of a third-party vendor, Salesloft Drift. This attack exemplifies the rising threat of OAuth token abuse and highlights the shifting landscape of trusted application exploitation.

Severity Level: High

Incident Overview

• Date Disclosed: August 30, 2025
• Initial Point of Compromise: Salesloft Drift (AI-powered sales chatbot)
• Targeted System: Salesforce (via OAuth tokens)
• Nature of Incident: Supply chain attack via trusted OAuth connection
• Threat Actor Involved: UNC6040 / ShinyHunters
• Impacted Entity: Zscaler (limited data exposure)
• No Core Infrastructure Compromise: Zscaler products, networks, and internal services were unaffected

How The Breach Happened

• Threat actors compromised the infrastructure of Salesloft Drift.
• They stole OAuth tokens, which act as persistent, high-trust credentials for SaaS integrations such as Salesforce.
• Using these tokens, they impersonated the Salesloft Drift application, bypassed interactive user authentication, and accessed Zscaler’s Salesforce environment.
• The attack was automated and surgical, leveraging legitimate third-party access to quietly exfiltrate data.

Data Exposed During The Breach

• Business Contact Information: full names, work email addresses, job titles, phone numbers, company location data
• Commercial Intelligence: Zscaler product licensing data, customer segmentation and commercial relationship details
• Plain text content from certain support cases. This support case data represents the most crucial exposure, as it may provide a blueprint for attackers to stage secondary attacks.

Zscaler Response And Containment Actions

• Revoked all Salesloft Drift access
• Rotated all related API tokens
• Hardened customer support authentication protocols
• Initiated third-party vendor risk review
• Engaged Salesforce for log analysis and threat containment
• Communicated transparently with stakeholders and customers

Lessons Learned

• Organizations must treat all third-party OAuth-based integrations, particularly those connected to critical platforms like Salesforce, as potential intrusion vectors.
• Support tickets often contain valuable internal context (API keys, system architecture details, or business-critical issues) that can be leveraged for social engineering or lateral movement. Organizations must revise their policies to prohibit the inclusion of secrets or sensitive technical details in unencrypted communication channels.
• OAuth tokens should be treated with the same sensitivity as administrative passwords or SSH keys. Without proper lifecycle controls (short expiration times, strict scope definitions, and revocation workflows), they become long-lived persistent access points for attackers.

Recommendations

1. Stay vigilant for phishing or social engineering attempts leveraging leaked contact data.
2. Verify all unsolicited communications and do not respond to emails or calls requesting sensitive data.
3. Report suspicious activity to Zscaler at:
   security@zscaler.com
   driftincident@zscaler.com
4. Deploy SaaS Security Posture Management (SSPM) tools. Monitor access controls, misconfigurations, and token activity in SaaS environments like Salesforce.
5. Build detections for anomalous Salesforce API behavior. Flag bulk data exports, elevated privilege changes, and new integrations outside of maintenance windows.
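The three detections in recommendation 5, run over constructed sample events, as an added example that is not Zscaler's or Salesforce's own code. The event field names (ts, type, client, rows, action, detail), the 50,000-row threshold and the 10:00–12:00 UTC maintenance window are assumptions chosen to resemble Salesforce event-log records; the real EventLogFile schema differs.

```python
"""Flag the anomalous Salesforce API behaviours named in recommendation 5:
bulk data exports, privilege elevation, and new integrations created outside
a maintenance window. Added example; field names and thresholds are assumed."""
from datetime import datetime, time

BULK_ROW_THRESHOLD = 50_000                       # rows pulled by one API query (assumed)
MAINTENANCE_WINDOW = (time(10, 0), time(12, 0))   # UTC change window (assumed)
PRIV_MARKERS = ("Modify All Data", "View All Data", "System Administrator")

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:14:00Z", "type": "ApiQuery", "client": "Salesloft Drift",
     "user": "drift-integration@corp.example", "rows": 180_000},
    {"ts": "2025-08-09T02:20:00Z", "type": "ApiQuery", "client": "Salesloft Drift",
     "user": "drift-integration@corp.example", "rows": 120},
    {"ts": "2025-08-09T03:05:00Z", "type": "SetupAudit", "user": "admin@corp.example",
     "action": "createdConnectedApp", "detail": "Connected app 'DataSync' created"},
    {"ts": "2025-08-09T11:00:00Z", "type": "SetupAudit", "user": "admin@corp.example",
     "action": "createdConnectedApp", "detail": "Connected app 'Approved BI' created"},
    {"ts": "2025-08-09T03:07:00Z", "type": "SetupAudit", "user": "admin@corp.example",
     "action": "changedProfile", "detail": "Modify All Data enabled on 'Support Agent'"},
]

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing Z means UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def in_maintenance_window(ts: str) -> bool:
    """True if the event's UTC time of day falls inside the change window."""
    start, end = MAINTENANCE_WINDOW
    return start <= parse_ts(ts).time() < end

def detect(events):
    """Return (rule, timestamp, detail) for every event that matches a rule."""
    alerts = []
    for ev in events:
        if ev["type"] == "ApiQuery" and ev.get("rows", 0) >= BULK_ROW_THRESHOLD:
            alerts.append(("bulk_export", ev["ts"], f"{ev['client']} pulled {ev['rows']} rows"))
        elif ev["type"] == "SetupAudit":
            if ev["action"] == "createdConnectedApp" and not in_maintenance_window(ev["ts"]):
                alerts.append(("new_integration_off_window", ev["ts"], ev["detail"]))
            elif any(marker in ev.get("detail", "") for marker in PRIV_MARKERS):
                alerts.append(("privilege_elevation", ev["ts"], ev["detail"]))
    return alerts

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {detail}")
```

In production the same rules would be fed from Salesforce event monitoring or an SSPM export rather than an inline list, and the bulk threshold tuned to each integration's normal volume.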

Source:

• https://www.zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response
