Cloud security firm Zscaler is latest organization to disclose that it's been hit by a data breach linked to the recent Salesloft Drift attacks.
The incident, like many others, involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.
"As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," the company said in an advisory.
"Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information."
Data accessed in the breach consisted of publicly available details for points of contact, along with specific Salesforce-related content.
This included names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from certain support cases, although this didn't include attachments, files, or images.
"After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information," said the firm.
Zscaler moved quickly to limit exposure
In its advisory, the company said it has since moved to revoke Salesloft Drift’s access to Zscaler’s Salesforce data, rotated other API access tokens to be on the safe side, and launched a detailed investigation into the scope of the event.
This includes close collaboration with Salesforce to examine the incident.
It has also implemented extra safeguards and strengthened protocols to defend against similar incidents in the future, launched a third party risk management investigation for vendors used by Zscaler, and strengthened customer authentication protocol when responding to customer calls.
This, the company said, aims to safeguard against potential phishing attacks in the wake of the incident. Like others impacted in Salesloft-related attacks, Zscaler has warned customers to remain vigilant for social engineering attempts.
"It’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information," it said.
"Always verify the source of communication and never disclose passwords or financial data via unofficial channels."
What happened with the Salesloft Drift attacks?
The breach stems from an incident in early August, when attackers identified as UNC6395 compromised OAuth tokens associated with sales workflow automation software Salesloft Drift.
They then used these stolen tokens to extract large volumes of data from a number of corporate Salesforce instances, including sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.
Last week, Google’s Threat Intelligence Group (GTIG) warned that the breach had been broader than first thought.
"Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations," it said.
"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
Global PC shipments surge in Q3 2025, fueled by AI and Windows 10 refresh cyclesNews The scramble ahead of the Windows 10 end of life date prompted a spike in sales
-
Thousands of exposed civil servant passwords are up for grabs online
News While the password security failures are concerning, they pale in comparison to other nations
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Hackers stole source code, bug details in disastrous F5 security incident – here’s everything we know and how to protect yourselfNews CISA has warned the F5 security incident presents a serious threat to federal networks
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Government urges large enterprises to shore up defenses as NCSC warns UK faces four 'nationally significant' cyber attacks every weekNews UK enterprises of all sizes face escalating cybersecurity threats, ministers have warned
-
Third time lucky? The FBI just took down BreachForums, again
News The hacking forum is down for now, but the group behind it, Scattered Lapsus$ Hunters, isn't going to stop extorting victims of the Salesforce breach
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
