
Zscaler Breach: Customer Data Exposed via Third-Party Hack

Summary

– Zscaler suffered a data breach after attackers accessed its Salesforce instance via compromised Salesloft Drift credentials, exposing customer information.
– The exposed data includes names, email addresses, job titles, phone numbers, location details, product licensing, and support case contents.
– Zscaler states no misuse of the data has been detected but advises customers to be vigilant against phishing and social engineering attacks.
– Google Threat Intelligence attributes the attacks to threat actor UNC6395, who stole credentials like AWS keys and Snowflake tokens from support cases.
– The breach is part of broader social engineering campaigns targeting Salesforce instances, affecting multiple companies including Cisco, Adidas, and Google.

A recent security incident at Zscaler has resulted in the exposure of customer data following a third-party breach involving the company’s Salesforce environment. The intrusion, which originated through a compromised AI chat agent known as Salesloft Drift, allowed attackers to obtain authentication tokens and gain unauthorized access to sensitive customer records stored within Zscaler’s Salesforce platform.

According to an official advisory, the threat actors leveraged stolen credentials from Salesloft Drift to infiltrate Zscaler’s Salesforce instance. While the company confirmed that its core products and infrastructure remained unaffected, the breach did expose a range of customer information. Compromised data includes names, business email addresses, job titles, phone numbers, regional details, product licensing information, and the contents of certain support cases.

Zscaler emphasized that there is currently no evidence of misuse of the stolen data. However, the company has advised customers to remain vigilant against potential phishing and social engineering attempts that may leverage the exposed information. In response to the incident, Zscaler has revoked all Salesloft Drift integrations, rotated API tokens, and strengthened authentication protocols for customer support interactions.

The attack has been attributed to a threat actor tracked as UNC6395 by Google’s Threat Intelligence Group. This group has been actively targeting support cases to harvest authentication tokens, passwords, and other sensitive credentials. Researchers noted that UNC6395 displayed operational caution by deleting query logs, though organizations are still urged to review their systems for signs of data exposure.
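Support cases are where the credentials described above were harvested, so the review the researchers urge starts with finding which cases contain secrets and rotating them. The scanner below is an added example, not code from Zscaler, Salesloft or Google's Threat Intelligence Group: it assumes support cases have been exported as plain-text records (an `id` and a `body`), relies on the documented shape of AWS access key IDs (`AKIA` plus 16 uppercase alphanumerics), and treats a credential-like label followed by a high-entropy string as a likely token, since Snowflake and similar tokens have no single fixed prefix. The regexes, the entropy threshold and the sample records are all constructed here.

```python
"""Scan exported support-case text for credentials that would need rotation.

Added example, not Zscaler's or Salesloft's code. Assumes support cases were
exported as plain-text records; patterns and the entropy threshold are
heuristics chosen here, not vendor-specified.
"""
import math
import re
from dataclasses import dataclass
from typing import Iterable

# AWS access key IDs have a fixed, documented shape: "AKIA" + 16 uppercase
# alphanumerics. This is the one high-confidence pattern in the scanner.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Heuristic (assumption): a credential-like label followed by a long token.
# Snowflake and other service tokens have no single documented prefix, so
# they are caught by label + entropy rather than by shape.
LABELLED_SECRET_RE = re.compile(
    r"(?i)\b(?:token|secret|password|api[_-]?key)\b\s*[:=]\s*([A-Za-z0-9_\-]{20,})"
)
MIN_ENTROPY_BITS = 3.5  # bits per character; tuned here, not a published value

# Constructed sample records; the key values are made up (the AWS one is the
# well-known documentation placeholder) and belong to no real account.
SAMPLE_CASES = [
    {"id": "CASE-0001",
     "body": "Proxy auth fails. Config attached: aws_access_key_id = AKIAIOSFODNN7EXAMPLE ..."},
    {"id": "CASE-0002",
     "body": "Cannot reach dashboard since upgrade. No logs collected yet."},
    {"id": "CASE-0003",
     "body": "Snowflake connector error. Using token: b1ZdJ2M9nQx7vP4Lk8sW3eR6tY0uI5oA"},
]


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str        # "aws_access_key_id" or "labelled_secret"
    redacted: str    # enough to recognise which credential it is, not to use it


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and IDs score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep the first four characters so the owner can tell which key to rotate."""
    return value[:4] + "*" * (len(value) - 4)


def scan_case(case_id: str, body: str) -> list[Finding]:
    """Return one Finding per distinct credential-looking value in the case body."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for m in AWS_ACCESS_KEY_RE.finditer(body):
        if m.group(0) not in seen:
            seen.add(m.group(0))
            findings.append(Finding(case_id, "aws_access_key_id", redact(m.group(0))))
    for m in LABELLED_SECRET_RE.finditer(body):
        value = m.group(1)
        # Low-entropy values (plain words, ticket numbers) are left alone.
        if value in seen or shannon_entropy(value) < MIN_ENTROPY_BITS:
            continue
        seen.add(value)
        findings.append(Finding(case_id, "labelled_secret", redact(value)))
    return findings


def scan_cases(cases: Iterable[dict]) -> list[Finding]:
    out: list[Finding] = []
    for case in cases:
        out.extend(scan_case(case["id"], case["body"]))
    return out


def cases_needing_rotation(cases: Iterable[dict]) -> list[str]:
    """Sorted, de-duplicated case IDs whose contents exposed a credential."""
    return sorted({f.case_id for f in scan_cases(cases)})


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.case_id}: {f.kind} {f.redacted}")
    print("rotate credentials referenced in:", cases_needing_rotation(SAMPLE_CASES))
```

The output lists only redacted values, so the report itself does not become another place the secrets live; the case IDs are what the owning teams need to locate and rotate the real credentials.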

Further investigation revealed that the Salesloft supply-chain attack extended beyond Drift’s Salesforce integration to also impact Drift Email, a tool used for managing email replies and organizing CRM databases. As a precaution, both Google and Salesforce have temporarily disabled their Drift integrations pending a full security review.

Some cybersecurity researchers have drawn connections between this incident and a broader campaign by the ShinyHunters extortion group, which has been linked to multiple high-profile data thefts this year. The group has employed voice phishing (vishing) tactics to trick employees into linking malicious OAuth applications to corporate Salesforce instances, enabling large-scale data exfiltration.

Since these attacks were first reported in June, several major organizations have confirmed breaches related to similar social engineering schemes. Affected entities include Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and several LVMH subsidiaries such as Louis Vuitton, Dior, and Tiffany & Co. The incident underscores the growing risk posed by supply-chain vulnerabilities and third-party integrations in enterprise cloud environments.

(Source: Bleeping Computer)
