Full Report
Cybersecurity company Zscaler warns it suffered a data breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of support cases. [...]
Analysis Summary
# Incident Report: Zscaler Data Breach via Salesloft Drift Compromise (Supply Chain)
## Executive Summary
Cybersecurity firm Zscaler disclosed a data breach affecting its Salesforce instance after threat actors compromised Salesloft Drift, a third-party AI chat agent integrated with Salesforce. Using the stolen integration tokens, the attackers exfiltrated customer information, including support case content. Zscaler responded by revoking the integrations and rotating credentials; the incident is a clear example of the supply chain risk carried by third-party SaaS integrations.
## Incident Details
- **Discovery Date:** September 1, 2025 (Date of Advisory)
- **Incident Date:** Occurred prior to September 1, 2025, stemming from the Salesloft Drift compromise.
- **Affected Organization:** Zscaler
- **Sector:** Cybersecurity / Tech
- **Geography:** Not explicitly disclosed, presumed global impact due to customer base.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown; preceded the public disclosure. The root cause was the compromise of Salesloft Drift.
- **Vector:** Supply chain attack targeting Salesloft Drift credentials (OAuth access and refresh tokens) belonging to Zscaler and other Salesloft customers.
- **Details:** Attackers gained access to Zscaler's Salesloft Drift credentials, which enabled them to access Zscaler's Salesforce environment.
### Lateral Movement
- **Details:** Attackers leveraged valid OAuth tokens associated with the Salesloft Drift integration to move directly into the targeted Salesforce instance, bypassing traditional network perimeter controls. This access allowed exploitation of the integration's privileges.
### Data Exfiltration/Impact
- **Details:** Sensitive customer information was exfiltrated from Zscaler's Salesforce instance, including names, business email addresses, job titles, phone numbers, regional details, product licensing info, and content from certain support cases.
### Detection & Response
- **How it was discovered:** Zscaler conducted a review following broader warnings about the Salesloft Drift supply-chain campaign (tracked by Google Threat Intelligence as UNC6395).
- **Response actions taken:** Zscaler revoked all Salesloft Drift integrations, rotated other API tokens, and strengthened customer authentication protocols for support calls.
## Attack Methodology
- **Initial Access:** Compromise of the third-party vendor (Salesloft Drift), leading to the theft of customer OAuth and refresh tokens.
- **Persistence:** Maintained via stolen OAuth tokens granting access to the connected Salesforce instance (a form of application-level persistence).
- **Privilege Escalation:** Not explicitly detailed, but the attack leveraged inherently high privileges granted to the Salesloft integration within Salesforce.
- **Defense Evasion:** Bypassed traditional network security controls by utilizing legitimate, authenticated application session tokens (OAuth).
- **Credential Access:** Stolen OAuth tokens provided authorized application access, effectively acting as compromised credentials for the integration's scope.
- **Discovery:** Attackers likely used information within the compromised support cases (which, at other victims, contained sensitive data such as AWS keys and Snowflake tokens) to inform further actions, although Zscaler's direct data exposure was limited to company/contact information and case content.
- **Lateral Movement:** Movement occurred within the Salesforce platform using the stolen tokens.
- **Collection:** Data was collected directly from Salesforce objects, including support case records.
- **Exfiltration:** The exfiltration method is not described, but data was retrieved from the Salesforce instance via the integration's API access.
- **Impact:** Unauthorized access and exfiltration of customer data stored in Salesforce.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Customer personal/business contact information (Names, Emails, Job Titles, Phone Numbers, Location), Zscaler product/licensing data, and contents of support cases. *Note: Zscaler stressed no core Zscaler products or infrastructure were impacted.*
- **Operational:** Minimal direct operational impact to Zscaler services, though investigation and remediation required resources.
- **Reputational:** Negative publicity stemming from a major supply chain security incident affecting a cybersecurity vendor.
## Indicators of Compromise
- **Network indicators:** None provided; the campaign abused application tokens rather than network infrastructure.
- **File indicators:** None explicitly provided.
- **Behavioral indicators:** Unauthorized access to the Zscaler Salesforce instance facilitated by stolen Salesloft Drift OAuth tokens.
## Response Actions
- **Containment measures:** Revoked all Salesloft Drift integrations with the Zscaler Salesforce instance.
- **Eradication steps:** Rotated other associated API tokens.
- **Recovery actions:** Conducting a full investigation; strengthening authentication protocols for customer support interactions to mitigate subsequent social engineering risks.
## Lessons Learned
- **Key takeaways:** Third-party Software-as-a-Service (SaaS) integrations present significant risks, as compromise of the vendor (Salesloft Drift) provides direct pathways into customer environments (Salesforce). Customer support interaction data stored in CRM systems can be highly sensitive.
- **What could have been done better:** Organizations should strictly limit the scope and lifetime of OAuth tokens granted to third-party integrations, so that a vendor compromise cannot translate into broad, long-lived access to the connected platform.
## Recommendations
- **Prevention measures for similar incidents:**
1. Conduct immediate audits of all third-party SaaS integrations (especially those using OAuth) connected to sensitive platforms like Salesforce, ensuring the principle of least privilege is strictly enforced.
2. Implement robust monitoring specific to application/API token usage within SaaS environments to detect anomalous access patterns.
3. Enhance employee training regarding social engineering and vishing, especially after learning that compromised support case contents can be used to orchestrate secondary attacks.
4. For customers: Review and rotate any OAuth/API tokens related to Salesloft and similar third-party providers if they were connected to their Salesforce instances.
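The monitoring recommendation above can be made concrete by baselining what a connected app normally touches and alerting when it deviates. The following is an added example, not code from Zscaler or Salesloft: it runs over constructed records whose column names are modelled on Salesforce EventLogFile API events (an assumption about the schema; the values are invented) and flags a connected app that suddenly reads unexpected objects such as Case in bulk from a source IP not seen in its baseline.

```python
import csv
import io

# Constructed sample records (not real incident data). Column names follow the
# shape of Salesforce EventLogFile "API" events as an assumption; a real feed
# has many more columns but these are the ones the detection needs.
SAMPLE_LOG = """TIMESTAMP,CLIENT_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
20250820010000,Drift Integration,198.51.100.10,Lead,40
20250820020000,Drift Integration,198.51.100.10,Contact,25
20250820030000,Drift Integration,198.51.100.10,Lead,30
20250821010000,Drift Integration,203.0.113.77,Case,15000
20250821010500,Drift Integration,203.0.113.77,Account,9000
20250821011000,Drift Integration,203.0.113.77,User,800
"""

# Baseline assumption: a chat agent syncing marketing contacts should only need
# Lead/Contact; anything beyond that (Case, Account, User) is out of scope.
EXPECTED_ENTITIES = {"Lead", "Contact"}
BULK_ROW_THRESHOLD = 1000


def parse_events(text):
    """Parse CSV-formatted event log lines into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def detect_token_abuse(events, client, baseline_before,
                       expected_entities=EXPECTED_ENTITIES,
                       bulk_threshold=BULK_ROW_THRESHOLD):
    """Return (timestamp, entity, reasons) for each call by `client` on or after
    `baseline_before` that touches an unexpected object, reads rows in bulk,
    or originates from an IP not seen during the baseline window."""
    known_ips = {e["CLIENT_IP"] for e in events
                 if e["CLIENT_NAME"] == client and e["TIMESTAMP"] < baseline_before}
    findings = []
    for e in events:
        if e["CLIENT_NAME"] != client or e["TIMESTAMP"] < baseline_before:
            continue
        reasons = []
        if e["ENTITY_NAME"] not in expected_entities:
            reasons.append(f"unexpected object {e['ENTITY_NAME']}")
        if int(e["ROWS_PROCESSED"]) >= bulk_threshold:
            reasons.append(f"bulk read of {e['ROWS_PROCESSED']} rows")
        if e["CLIENT_IP"] not in known_ips:
            reasons.append(f"new source IP {e['CLIENT_IP']}")
        if reasons:
            findings.append((e["TIMESTAMP"], e["ENTITY_NAME"], reasons))
    return findings


if __name__ == "__main__":
    for ts, entity, reasons in detect_token_abuse(
            parse_events(SAMPLE_LOG), "Drift Integration", "20250821"):
        print(ts, entity, "; ".join(reasons))
```

The three baseline rows on 2025-08-20 establish the app's normal IP and objects; all three rows on 2025-08-21 are flagged, the Case read on both the object and the 15,000-row volume.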