Monday, September 1, 2025

Zscaler data breach exposes customer data after Salesloft Drift compromise

Cybersecurity firm Zscaler warns it suffered a data breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of support cases.

This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data.

In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers’ information.

“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler,” reads Zscaler’s advisory.

“Following a detailed analysis as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler’s Salesforce information.”

The exposed information includes the following:

  • Names
  • Business email addresses
  • Job titles
  • Phone numbers
  • Regional/location details
  • Zscaler product licensing and commercial information
  • Content from certain support cases

The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure.

While Zscaler states that it has detected no misuse of this information, it recommends that customers remain vigilant against potential phishing and social engineering attacks that could exploit this information.

The company also says it has revoked all Salesloft Drift integrations to its Salesforce instance, rotated other API tokens, and is conducting an investigation into the incident.

Zscaler has also strengthened its customer authentication protocol when responding to customer support calls to guard against social engineering attacks.

Google Threat Intelligence warned last week that a threat actor, tracked as UNC6395, is behind the attacks, stealing support cases to harvest authentication tokens, passwords, and secrets shared by customers when requesting support.

“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” reports Google.

“UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.”

It was later revealed that the Salesloft supply-chain attack not only impacted the Drift Salesforce integration, but also Drift Email, which is used to manage email replies and set up CRM and marketing automation databases.

Google warned last week that attackers also used stolen OAuth tokens to access Google Workspace email accounts and read emails as part of this breach.

Google and Salesforce have temporarily disabled their Drift integrations pending the completion of an investigation.

Some researchers have told BleepingComputer that they believe the Salesloft Drift compromise overlaps with the recent Salesforce data theft attacks by the ShinyHunters extortion group.

Since the beginning of the year, the threat actors have been conducting social engineering attacks to breach Salesforce instances and download data.

During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company’s Salesforce instances.

Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company via email.

Since Google first reported the attacks in June, numerous data breaches have been tied to the social engineering attacks, including Google itself, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
