In August 2025, Zscaler confirmed a data breach involving unauthorized access to its Salesforce instance. The breach was not a result of vulnerabilities within Zscaler’s infrastructure but occurred via a supply chain compromise of a third-party vendor, Salesloft Drift. This attack exemplifies the rising threat of OAuth token abuse and highlights the shifting landscape of trusted application exploitation.
Severity Level: High
Incident Overview
- Date Disclosed: August 30, 2025
- Initial Point of Compromise: Salesloft Drift (AI-powered sales chatbot)
- Targeted System: Salesforce (via OAuth tokens)
- Nature of Incident: Supply chain attack via trusted OAuth connection
- Threat Actor Involved: UNC6040 / ShinyHunters
- Impacted Entity: Zscaler (limited data exposure)
- No Core Infrastructure Compromise: Zscaler products, networks, or internal services were unaffected
How The Breach Happened
- Threat actors compromised the infrastructure of Salesloft Drift.
- They stole OAuth tokens, which act as persistent, high-trust credentials for SaaS integrations like Salesforce.
- Using these tokens, they impersonated the Salesloft Drift application and accessed Zscaler’s Salesforce environment. A valid OAuth token is accepted without a password or MFA challenge, so the normal authentication step was bypassed entirely.
- The attack was automated and surgical, leveraging legitimate third-party access to quietly exfiltrate data.
Data Exposed During The Breach
- Business Contact Information: Full names, Work email addresses, Job titles, Phone numbers, Company location data
- Commercial Intelligence: Zscaler product licensing data, Customer segmentation and commercial relationship details
- Support Case Content: Plain-text content from certain support cases. This support case data is the most significant exposure, as it may give attackers a blueprint for staging secondary attacks.
Zscaler Response And Containment Actions
- Revoked all Salesloft Drift access
- Rotated all related API tokens
- Hardened customer support authentication protocols
- Initiated third-party vendor risk review
- Engaged Salesforce for log analysis and threat containment
- Communicated transparently with stakeholders and customers
Lessons Learned
- Organizations must treat all third-party OAuth-based integrations, particularly those connected to critical platforms like Salesforce, as potential intrusion vectors.
- Support tickets often contain valuable internal context (API keys, system architecture details, or business-critical issues) that can be leveraged for social engineering or lateral movement. Organizations must revise their policies to prohibit the inclusion of secrets or sensitive technical details in unencrypted communication channels.
- OAuth tokens should be treated with the same sensitivity as administrative passwords or SSH keys. Without proper lifecycle controls (short expiration times, strict scope definitions, and revocation workflows), they become long-lived, persistent access points for attackers.
Recommendations
- Stay vigilant for phishing or social engineering attempts leveraging leaked contact data.
- Verify all unsolicited communications and do not respond to emails or calls requesting sensitive data.
- Report suspicious activity to Zscaler at security@zscaler.com or driftincident@zscaler.com.
- Deploy SaaS Security Posture Management (SSPM) tools. Monitor access controls, misconfigurations, and token activity in SaaS environments like Salesforce.
- Build detections for anomalous Salesforce API behavior. Flag bulk data exports, elevated privilege changes, and new integrations outside of maintenance windows.
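A minimal version of those three detections, added here as an illustration rather than code from Zscaler or Salesforce: it runs over constructed event records modelled loosely on Salesforce API event logs and flags per-app bulk exports, privilege changes, and integration authorizations outside a maintenance window. The field names, the Sunday 18:00-22:00 UTC window and the row threshold are assumptions to be tuned to the org.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records, shaped loosely like Salesforce API event log rows.
# Field names and values are assumptions for this example, not data from the advisory.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T03:12:44Z", "app": "Drift", "op": "Query", "entity": "Case", "rows": 180000},
    {"ts": "2025-08-09T03:20:10Z", "app": "Drift", "op": "Query", "entity": "Contact", "rows": 95000},
    {"ts": "2025-08-09T03:41:02Z", "app": "Drift", "op": "ConnectedAppAuthorize", "entity": "", "rows": 0},
    {"ts": "2025-08-09T09:05:00Z", "app": "Drift", "op": "Query", "entity": "Lead", "rows": 40},
    {"ts": "2025-08-10T19:00:00Z", "app": "BackupTool", "op": "ConnectedAppAuthorize", "entity": "", "rows": 0},
    {"ts": "2025-08-11T11:30:00Z", "app": "Admin", "op": "PermissionSetAssign", "entity": "User", "rows": 1},
]

BULK_ROWS_PER_HOUR = 50_000  # assumed threshold; baseline it against normal integration volume
PRIVILEGE_OPS = {"PermissionSetAssign", "ProfileUpdate", "UserRoleChange"}
INTEGRATION_OPS = {"ConnectedAppAuthorize", "ConnectedAppCreate"}
# Assumed maintenance window: Sunday (weekday() == 6) 18:00-22:00 UTC.
MAINT_WEEKDAY, MAINT_START_H, MAINT_END_H = 6, 18, 22


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_maintenance_window(ts):
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START_H <= ts.hour < MAINT_END_H


def detect(events):
    """Return (rule, app, detail) alerts for bulk exports, privilege changes,
    and integration authorizations outside the maintenance window."""
    alerts = []
    rows_per_hour = defaultdict(int)  # (app, entity, hour bucket) -> rows read
    for e in events:
        ts = parse_ts(e["ts"])
        if e["op"] in PRIVILEGE_OPS:
            alerts.append(("privilege_change", e["app"], f"{e['op']} on {e['entity']}"))
        if e["op"] in INTEGRATION_OPS and not in_maintenance_window(ts):
            alerts.append(("integration_outside_window", e["app"], e["ts"]))
        if e["op"] == "Query":
            rows_per_hour[(e["app"], e["entity"], ts.strftime("%Y-%m-%dT%H"))] += e["rows"]
    # Aggregating per hour catches an app that pages through an object in many small calls.
    for (app, entity, hour), rows in rows_per_hour.items():
        if rows > BULK_ROWS_PER_HOUR:
            alerts.append(("bulk_export", app, f"{rows} {entity} rows in hour {hour}"))
    return alerts


if __name__ == "__main__":
    for rule, app, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} app={app:10} {detail}")
```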
Source:
- https://www.zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response