The Salesloft Drift victim list keeps growing: Zscaler is the latest to confirm a breach, warning customers to remain wary of follow-up phishing attacks
The company has warned customers that their data may have been accessed, saying it's implemented extra safeguards in response
Cloud security firm Zscaler is latest organization to disclose that it's been hit by a data breach linked to the recent Salesloft Drift attacks.
The incident, like many others, involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.
"As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," the company said in an advisory.
"Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information."
Data accessed in the breach consisted of publicly available details for points of contact, along with specific Salesforce-related content.
This included names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from certain support cases, although this didn't include attachments, files, or images.
"After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information," said the firm.
Zscaler moved quickly to limit exposure
In its advisory, the company said it has since moved to revoke Salesloft Drift’s access to Zscaler’s Salesforce data, rotated other API access tokens to be on the safe side, and launched a detailed investigation into the scope of the event.
This includes close collaboration with Salesforce to examine the incident.
It has also implemented extra safeguards and strengthened protocols to defend against similar incidents in the future, launched a third party risk management investigation for vendors used by Zscaler, and strengthened customer authentication protocol when responding to customer calls.
This, the company said, aims to safeguard against potential phishing attacks in the wake of the incident. Like others impacted in Salesloft-related attacks, Zscaler has warned customers to remain vigilant for social engineering attempts.
"It’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information," it said.
"Always verify the source of communication and never disclose passwords or financial data via unofficial channels."
What happened with the Salesloft Drift attacks?
The breach stems from an incident in early August, when attackers identified as UNC6395 compromised OAuth tokens associated with sales workflow automation software Salesloft Drift.
They then used these stolen tokens to extract large volumes of data from a number of corporate Salesforce instances, including sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.
Last week, Google’s Threat Intelligence Group (GTIG) warned that the breach had been broader than first thought.
"Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations," it said.
"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Ransomware is on the rise. AgainIndustry Insights Ransomware resurges with AI-driven sophistication, challenging defenders and creating opportunities for MSPs
-
Dell Pro Max Tower T2 reviewReviews There's little room for error in this classic desktop tower PC – with some of the most powerful hardware you can get your hands on
-
NCSC names and shames pro-Russia hacktivist group amid escalating DDoS attacks on UK public servicesNews Russia-linked hacktivists are increasingly trying to cause chaos for UK organizations
-
An AWS CodeBuild vulnerability could’ve caused supply chain chaos – luckily a fix was applied before disaster struckNews A single misconfiguration could have allowed attackers to inject malicious code to launch a platform-wide compromise
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Supply chain and AI security in the spotlight for cyber leaders in 2026News Organizations are sharpening their focus on supply chain security and shoring up AI systems
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
