Zscaler Confirms Data Breach – Hackers Compromised Salesforce Instance and Stole Customer Data.

Published on: September 2, 2025

Overview

Zscaler has confirmed a data breach resulting from a supply-chain attack involving the Salesloft Drift platform, a third-party application integrated with Salesforce. Attackers stole OAuth tokens, enabling unauthorized access to Salesforce instances, including Zscaler’s. While Zscaler’s core infrastructure and services were not affected, attackers gained access to business contact information and support case data within the Salesforce environment.
The threat actor behind the campaign, tracked as UNC6395, leveraged this access to exfiltrate data between August 8 and 18, 2025, across hundreds of organizations. No evidence of data misuse has been reported so far, but Zscaler urges caution due to increased phishing and social engineering risks.

Impacted Users

  • Zscaler customers with information stored in its Salesforce CRM system.
  • Users whose data was included in customer support cases, including names and contact details.
  • Organizations using Salesloft Drift integrations with Salesforce.
  • Companies relying on OAuth-connected apps without strict monitoring or access controls.

Potential Impact

  • Data Exposure: Compromised Salesforce data includes names, job titles, business email addresses, phone numbers, regional details, and support case content.
  • Phishing Risk: Exposed contact data could be used to craft convincing phishing or vishing attacks.
  • Social Engineering: Attackers may impersonate Zscaler support staff using accurate customer context.
  • Loss of Trust & Compliance Risks: Though no Zscaler systems were breached, customers may experience reputational harm or compliance challenges if data is misused.
  • Wider Supply Chain Risk: The campaign has affected over 700 organizations, posing broader SaaS integration concerns.

Affected Products

  • Zscaler Salesforce CRM environment (contact data and support cases only).
  • Salesloft Drift integration with Salesforce.
  • OAuth token-based integrations across SaaS platforms, including potential impact on:
    • Salesforce
    • Google Workspace
    • Other connected third-party SaaS applications

Threat Behavior & Activity Indicators

  • Suspicious OAuth activity linked to Drift integrations between August 8–18, 2025.
  • Unusual Salesforce data exports, especially involving support case content.
  • Access via compromised Drift tokens, possibly bypassing MFA.
  • Known malicious behavior patterns from UNC6395:
    • Use of Python automation tools
    • Log tampering (deletion of query jobs)
    • Targeting of credentials like AWS keys and Snowflake tokens

Recommended Actions

  • Review Connected SaaS Integrations: Audit and revoke OAuth tokens connected to Drift or unused third-party apps. Rotate all credentials.
  • Enable Enhanced Logging: Ensure detailed logging is active for Salesforce and related platforms; look for large data exports or anomalous access.
  • Verify Support Communications: Zscaler will never ask for credentials via unsolicited emails or phone calls—train employees to verify all IT interactions.
  • Educate End Users: Conduct phishing and social engineering awareness training, especially focused on impersonation of support staff.
  • Apply Least Privilege Principles: Limit third-party app permissions and enforce least privilege access to sensitive data.
  • Strengthen Authentication: Require MFA for all app integrations and consider using certificate- or hardware-based identity solutions.
  • Vendor Risk Management: Reassess third-party vendors and integrations, particularly those with access to sensitive environments.
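The activity indicators listed above (Drift-token activity inside the 8–18 August window, large exports of support-case or contact data, deletion of query jobs) and the log review under "Enable Enhanced Logging" can be combined into a single triage pass over exported API event logs. The Python below is an added example, not code from Zscaler, Salesforce or Salesloft; the log layout, field names, row threshold and sample records are all assumed and constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample records in a simplified, assumed event-log layout
# (field names are illustrative, not the real Salesforce EventLogFile schema).
SAMPLE_LOG = """timestamp,event_type,connected_app,user,object,rows,action
2025-08-05T10:01:00Z,ApiQuery,Salesloft Drift,drift-int@example.com,Contact,120,query
2025-08-09T02:14:00Z,BulkApi,Salesloft Drift,drift-int@example.com,Case,48000,query
2025-08-09T02:20:00Z,BulkApi,Salesloft Drift,drift-int@example.com,Case,,deleteJob
2025-08-12T14:00:00Z,ApiQuery,Internal Reporting,analyst@example.com,Account,300,query
2025-08-20T09:30:00Z,BulkApi,Salesloft Drift,drift-int@example.com,Contact,51000,query
"""

# Campaign window reported for UNC6395 (8-18 August 2025), inclusive.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)
SUSPECT_APP = "Salesloft Drift"
SENSITIVE_OBJECTS = {"Case", "Contact"}   # support cases and business contacts
EXPORT_THRESHOLD = 10_000                 # assumed per-query row count worth a look


def triage(log_text, threshold=EXPORT_THRESHOLD):
    """Return one finding per log row that matches at least one indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        rows = int(row["rows"]) if row["rows"].isdigit() else 0
        reasons = []
        # Indicator 1: any Drift-token activity inside the campaign window.
        if row["connected_app"] == SUSPECT_APP and WINDOW_START <= ts <= WINDOW_END:
            reasons.append("drift-activity-in-campaign-window")
        # Indicator 2: unusually large export of support-case or contact data.
        if row["object"] in SENSITIVE_OBJECTS and rows >= threshold:
            reasons.append("large-sensitive-export")
        # Indicator 3: log tampering via deletion of query jobs.
        if row["action"] == "deleteJob":
            reasons.append("query-job-deletion")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "app": row["connected_app"],
                             "user": row["user"], "object": row["object"],
                             "rows": rows, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["timestamp"], f["app"], f["object"], f["rows"], ", ".join(f["reasons"]))
```

Against the constructed sample this flags three of the five records; the August 20 export is outside the campaign window but still surfaces because of its size, which is why the volume check is kept separate from the date check.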
