Cybersecurity company Zscaler has confirmed it suffered a data breach after threat actors compromised its Salesforce instance through the Salesloft Drift supply chain attack, exposing customer information including support case contents, business contact details, and licensing data. The incident stems from a broader campaign in which attackers obtained credentials for Salesloft Drift, an AI chat agent that integrates with Salesforce, and used them to steal the OAuth access and refresh tokens that Drift held for multiple customer organizations. Those tokens then let the attackers authenticate to each victim's Salesforce environment as the trusted integration and exfiltrate sensitive data without touching Salesforce itself.
The breach compromised various types of customer information stored in Zscaler’s Salesforce instance, including names, business email addresses, job titles, phone numbers, regional location details, Zscaler product licensing information, and contents from certain support cases. Zscaler emphasized that the breach was limited to its Salesforce instance and did not impact any of its core security products, services, or infrastructure. While the company reported no detected misuse of the exposed information, it warned customers to remain vigilant against potential phishing and social engineering attacks that could exploit the stolen data.
The attack is attributed to threat actor UNC6395, which Google Threat Intelligence identified as targeting sensitive credentials including AWS access keys, passwords, and Snowflake-related tokens from compromised support cases. The Salesloft supply chain compromise has impacted multiple organizations beyond Zscaler, with researchers suggesting connections to the broader Salesforce data theft campaign conducted by the ShinyHunters extortion group that has affected major companies including Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, and luxury brands Louis Vuitton, Dior, and Tiffany & Co. In response to the incident, Zscaler has revoked all Salesloft Drift integrations, rotated API tokens, strengthened customer authentication protocols for support calls, and launched a comprehensive investigation while Google and Salesforce have temporarily disabled their Drift integrations pending completion of security reviews.
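The credential types the article says UNC6395 harvested (AWS access keys, passwords, Snowflake-related tokens) all tend to end up in support cases because customers paste them into tickets. A defender whose Salesforce instance was reached through a stolen integration token needs to know which cases contained such material so the right credentials get rotated. The scanner below is an added example written for this article, not Zscaler's, Salesloft's or Salesforce's code; it runs over a constructed export of support-case text. The AWS access key ID rule follows the documented AKIA/ASIA prefix format; the secret-key, password and Snowflake rules are keyword heuristics and are assumptions, not vendor-published signatures.

```python
"""Scan support-case text for credential material and build a rotation worklist.

Added example for this article; not Zscaler's, Salesloft's or Salesforce's code.
The sample cases at the bottom are constructed, not real tickets.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    case_id: str
    category: str
    redacted: str  # enough to identify the credential without re-exposing it


# Each rule: (category, compiled regex, capture group holding the secret value).
RULES = [
    # AWS long-lived (AKIA) and temporary (ASIA) access key IDs: 20 chars total.
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b"), 1),
    # AWS secret access key when labelled in text: 40-char base64-like value
    # (heuristic, assumes the customer pasted it with its config key name).
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+=]{40})"), 1),
    # Generic password assignment such as "password: hunter2" (heuristic).
    ("password",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"), 1),
    # Snowflake-related token: a 'token=' value within 40 chars of the word
    # 'snowflake'. Assumption: Snowflake publishes no fixed token format.
    ("snowflake_token",
     re.compile(r"(?i)snowflake[^\n]{0,40}?token\s*[:=]\s*['\"]?([A-Za-z0-9._\-]{20,})"), 1),
]


def redact(secret: str) -> str:
    """Keep the first 4 and last 2 chars so the owner can recognise the credential."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}{'*' * (len(secret) - 6)}{secret[-2:]}"


def scan_case(case_id: str, text: str) -> list[Finding]:
    """Return every rule match in one case, with the secret value redacted."""
    out = []
    for category, rx, grp in RULES:
        for m in rx.finditer(text):
            out.append(Finding(case_id, category, redact(m.group(grp))))
    return out


def scan_cases(cases: dict[str, str]) -> list[Finding]:
    """Scan a mapping of case id -> case body text (e.g. a Salesforce export)."""
    findings = []
    for case_id, text in cases.items():
        findings.extend(scan_case(case_id, text))
    return findings


def rotation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group affected cases by credential type; this is the rotation worklist."""
    plan: dict[str, set[str]] = {}
    for f in findings:
        plan.setdefault(f.category, set()).add(f.case_id)
    return {k: sorted(v) for k, v in plan.items()}


# Constructed sample support cases (not real data; the AWS values are the
# well-known documentation placeholders).
SAMPLE_CASES = {
    "CASE-0001": "Hi, the integration fails. Our key is AKIAIOSFODNN7EXAMPLE "
                 "and aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "CASE-0002": "Please reset. password: Sup3rS3cret!2024 for the admin user.",
    "CASE-0003": "Snowflake connector error; session token=abcdefghij0123456789XYZ.token",
    "CASE-0004": "Thanks, the dashboard works now. No further action needed.",
}

if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for f in results:
        print(f"{f.case_id}  {f.category:22s}  {f.redacted}")
    print(rotation_plan(results))
```

Treat the output as a scoping aid, not a verdict: a case with no hits can still contain a secret in an unlabelled form, and a stolen integration token already gave the attacker the full text. The rotation list tells you which customers to contact first; the revocation of the Drift integration and the token rotation the article describes still have to happen regardless.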