Zscaler latest victim of Salesloft Drift attacks, customer data exposed
(2025/09/02)
- Reference: 1756835643
- News link: https://www.theregister.co.uk/2025/09/02/zscaler_customer_data_drift_compromise/
- Source link:
Zscaler is the latest company to disclose some of its customers' data was exposed in the recent spate of Salesloft Drift attacks affecting Salesforce databases.
"Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information," the cloud security shop's VP and Chief Information Security Officer Sam Curry [1]said in an August 30 blog.
The stolen Salesforce-related information includes names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, and plain text content from certain support cases — although Zscaler noted "this does NOT include attachments, files, and images."
The security snafu [3]occurred between August 8 and August 18, during which time [4]a group suspected to be ShinyHunters (UNC6395) stole OAuth tokens from Salesloft Drift's integration with Salesforce.
Drift, a third-party application used to automate sales processes, integrates with Salesforce databases to help manage leads and coordinate pitches, and compromising these OAuth security tokens allowed the data thieves to silently steal a ton of Salesforce customer data.
"Our observations indicate that the threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case, and Opportunity records," Palo Alto Networks' Unit 42 incident responders [7]warned today, after PAN's Chief Information Security Officer Marc Benoit [8]confirmed to his company's customers that their commercial data may have also been exposed in the Drift break-in.
"Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access," Unit 42 continued.
Last week, we learned that the Salesforce data theft also hit [14]some Google Workspace accounts, and, over the weekend, Zscaler said that the criminals also accessed its Drift credentials.
At this time, there's no evidence of misuse. The Register asked Zscaler what "limited scope" means, and how many customers were affected, but did not receive an immediate response. The security firm also suggests customers revoke Salesloft Drift access to Zscaler's Salesforce data and rotate other API access tokens to be extra safe.
This follows similar advice from Google last week, and Unit 42 today, both of which recommend anyone using Drift integrations revoke and rotate credentials for those applications. Unit 42 also advises users to check login histories and API access logs from August 8 forward while hunting for signs of any suspicious connections, credential theft, or data exfiltration. ®
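The log review Unit 42 recommends, as an added example that is not from the article or from any vendor: it sums rows returned per user and object through a Drift-style connected app inside the August 8 to 18 window and flags totals that look like mass exfiltration of the Account, Contact, Case and Opportunity objects named above. The CSV layout, field names, app label, threshold and sample lines are all constructed assumptions, not the format of any real Salesforce event log.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Window and object names come from the article; the app label and
# threshold are assumptions for this example.
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
SUSPECT_APP = "Salesloft Drift"
ROW_THRESHOLD = 10_000  # rows per user/object that we treat as a bulk pull

# Constructed sample log in an assumed CSV layout.
SAMPLE_LOG = """timestamp,user,connected_app,object,rows_returned,source_ip
2025-08-07T09:00:00Z,alice@example.com,Salesloft Drift,Contact,120,203.0.113.10
2025-08-09T02:14:00Z,integration@example.com,Salesloft Drift,Account,48000,198.51.100.7
2025-08-09T02:20:00Z,integration@example.com,Salesloft Drift,Case,15500,198.51.100.7
2025-08-10T11:00:00Z,bob@example.com,Salesforce Mobile,Opportunity,30,203.0.113.11
2025-08-12T03:05:00Z,integration@example.com,Salesloft Drift,Opportunity,9000,198.51.100.7
2025-08-12T03:09:00Z,integration@example.com,Salesloft Drift,Opportunity,7000,198.51.100.7
"""


def parse_log(text):
    """Parse the assumed CSV layout into dicts with a UTC datetime and int row count."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec["ts"] = ts.replace(tzinfo=timezone.utc)
        rec["rows_returned"] = int(rec["rows_returned"])
        records.append(rec)
    return records


def find_mass_exports(records):
    """Sum rows per (user, object) pulled via the suspect app inside the window;
    report totals at or above ROW_THRESHOLD together with the source IPs seen."""
    totals = defaultdict(int)
    ips = defaultdict(set)
    for r in records:
        if r["connected_app"] != SUSPECT_APP or r["object"] not in SENSITIVE_OBJECTS:
            continue
        if not WINDOW_START <= r["ts"] < WINDOW_END:
            continue
        key = (r["user"], r["object"])
        totals[key] += r["rows_returned"]
        ips[key].add(r["source_ip"])
    hits = [{"user": u, "object": o, "rows": n, "source_ips": sorted(ips[(u, o)])}
            for (u, o), n in totals.items() if n >= ROW_THRESHOLD]
    return sorted(hits, key=lambda h: (h["user"], h["object"]))
```

The two Opportunity pulls in the sample are individually under the threshold but are flagged once aggregated, which is the point of summing per user and object rather than alerting on single requests.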
[1] https://www.zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response
[3] https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Notification
[4] https://www.theregister.com/2025/08/27/salesforce_salesloft_breach/
[7] https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/
[8] https://www.theregister.com/2025/09/02/stolen_oauth_tokens_expose_palo/
[14] https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift?e=48754805