Cloud security firm Zscaler is latest organization to disclose that it's been hit by a data breach linked to the recent Salesloft Drift attacks.
The incident, like many others, involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.
"As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," the company said in an advisory.
"Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information."
Data accessed in the breach consisted of publicly available details for points of contact, along with specific Salesforce-related content.
This included names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from certain support cases, although this didn't include attachments, files, or images.
"After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information," said the firm.
Zscaler moved quickly to limit exposure
In its advisory, the company said it has since moved to revoke Salesloft Drift’s access to Zscaler’s Salesforce data, rotated other API access tokens to be on the safe side, and launched a detailed investigation into the scope of the event.
This includes close collaboration with Salesforce to examine the incident.
It has also implemented extra safeguards and strengthened protocols to defend against similar incidents in the future, launched a third party risk management investigation for vendors used by Zscaler, and strengthened customer authentication protocol when responding to customer calls.
This, the company said, aims to safeguard against potential phishing attacks in the wake of the incident. Like others impacted in Salesloft-related attacks, Zscaler has warned customers to remain vigilant for social engineering attempts.
"It’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information," it said.
"Always verify the source of communication and never disclose passwords or financial data via unofficial channels."
What happened with the Salesloft Drift attacks?
The breach stems from an incident in early August, when attackers identified as UNC6395 compromised OAuth tokens associated with sales workflow automation software Salesloft Drift.
They then used these stolen tokens to extract large volumes of data from a number of corporate Salesforce instances, including sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.
Last week, Google’s Threat Intelligence Group (GTIG) warned that the breach had been broader than first thought.
"Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations," it said.
"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
SAP wants to take data sovereignty to the next level with new 'on-site' infrastructure optionsNews The cloud computing giant will allow customers to host SAP-managed infrastructure directly within their own facilities
-
Blackpoint Cyber and NinjaOne partner to bolster MSP cybersecurityNews The collaboration combines Blackpoint Cyber’s MDR expertise with NinjaOne’s automated endpoint management platform
-
Anthropic admits hackers have 'weaponized' its tools – and cyber experts warn it's a terrifying glimpse into 'how quickly AI is changing the threat landscape'News Security experts say Anthropic's recent admission that hackers have "weaponized" its AI tools gives us a terrifying glimpse into the future of cyber crime.
-
Google says 'claims of a major Gmail security warning are false' following recent media reportsNews Reports of a massive Gmail hack affecting billions of users have been denied by Google
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
Warning issued to Salesforce customers after hackers stole Salesloft Drift dataNews Customers were targeted through compromised OAuth access tokens from Salesloft Drift integrations
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
AI means cyber teams are rethinking their approach to insider threatsNews Nearly two-thirds of European cybersecurity professionals see insider threats as their biggest security risk – and AI is making things worse.
-
74% of companies admit insecure code caused a security breachNews A large number of data breaches are linked to insecure code, prompting calls for better training
