The Salesloft Drift victim list keeps growing: Zscaler is the latest to confirm a breach, warning customers to remain wary of follow-up phishing attacks
The company has warned customers that their data may have been accessed, saying it's implemented extra safeguards in response
Cloud security firm Zscaler is latest organization to disclose that it's been hit by a data breach linked to the recent Salesloft Drift attacks.
The incident, like many others, involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.
"As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," the company said in an advisory.
"Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information."
Data accessed in the breach consisted of publicly available details for points of contact, along with specific Salesforce-related content.
This included names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from certain support cases, although this didn't include attachments, files, or images.
"After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information," said the firm.
Zscaler moved quickly to limit exposure
In its advisory, the company said it has since moved to revoke Salesloft Drift’s access to Zscaler’s Salesforce data, rotated other API access tokens to be on the safe side, and launched a detailed investigation into the scope of the event.
This includes close collaboration with Salesforce to examine the incident.
It has also implemented extra safeguards and strengthened protocols to defend against similar incidents in the future, launched a third party risk management investigation for vendors used by Zscaler, and strengthened customer authentication protocol when responding to customer calls.
This, the company said, aims to safeguard against potential phishing attacks in the wake of the incident. Like others impacted in Salesloft-related attacks, Zscaler has warned customers to remain vigilant for social engineering attempts.
"It’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information," it said.
"Always verify the source of communication and never disclose passwords or financial data via unofficial channels."
What happened with the Salesloft Drift attacks?
The breach stems from an incident in early August, when attackers identified as UNC6395 compromised OAuth tokens associated with sales workflow automation software Salesloft Drift.
They then used these stolen tokens to extract large volumes of data from a number of corporate Salesforce instances, including sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.
Last week, Google’s Threat Intelligence Group (GTIG) warned that the breach had been broader than first thought.
"Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations," it said.
"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
ITPro Excellence Awards winners unveiledIt's time to celebrate excellence in IT. Read on for the full list of winners...
-
This new mobile compromise toolkit enables spyware, surveillance, and data theftNews The professional package allows even unsophisticated attackers to take full control of devices
-
Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affectedNews Hackers remained undetected for months and distributed malicious updates to Notepad++ users after breaching the text editor software – here's how to check if you've been affected.
-
CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT – security experts explain why you should never do thatNews The incident at CISA raises yet more concerns about the rise of ‘shadow AI’ and data protection risks
-
Former Google engineer convicted of economic espionage after stealing thousands of secret AI, supercomputing documentsNews Linwei Ding told Chinese investors he could build a world-class supercomputer
-
90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move onNews Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos
-
LastPass issues alert as customers targeted in new phishing campaignNews LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign that encourages users to backup vaults.
-
NCSC names and shames pro-Russia hacktivist group amid escalating DDoS attacks on UK public servicesNews Russia-linked hacktivists are increasingly trying to cause chaos for UK organizations
-
An AWS CodeBuild vulnerability could’ve caused supply chain chaos – luckily a fix was applied before disaster struckNews A single misconfiguration could have allowed attackers to inject malicious code to launch a platform-wide compromise
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
