

Ethical Hacking News

Zscaler Data Breach Exposes Customer Information Following Salesloft Drift Compromise



In a recent data breach, cybersecurity firm Zscaler exposed customer information following a compromise of its Salesforce instance by threat actors. The breach highlights the importance of robust security measures in the cloud and underscores the need for organizations to prioritize supply-chain security awareness.


  • Zscaler suffered a data breach due to unauthorized access gained through compromised Salesloft Drift credentials.
  • The exposed data includes sensitive customer information, such as names, email addresses, job titles, and product licensing details.
  • Threat actor UNC6395 is behind the attacks, which included stealing support cases to harvest authentication tokens and passwords.
  • Attackers used stolen OAuth tokens to access Google Workspace email accounts and read emails.
  • The breach highlights the need for organizations to prioritize security awareness and implement robust measures to protect against supply-chain attacks.
  • Zscaler has strengthened its customer authentication protocol to guard against social engineering attacks.



    In a recent and concerning incident, cybersecurity firm Zscaler has announced that it suffered a data breach following a compromise of its Salesforce instance by threat actors. The breach exposed sensitive customer information, including the contents of support cases, and highlights the importance of robust security measures in the cloud.

    According to an advisory released by Zscaler, the breach was caused by unauthorized access gained through compromised Salesloft Drift credentials, which allowed limited access to some of Zscaler's Salesforce information. The exposed data includes names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, as well as content from certain support cases.

    While the breach only impacts Zscaler's Salesforce instance and no products, services, or infrastructure, the company has taken steps to mitigate the damage. These include revoking all Salesloft Drift integrations to its Salesforce instance, rotating other API tokens, and conducting a thorough investigation into the incident.

    In addition to the data breach, Google Threat Intelligence warned that a threat actor, tracked as UNC6395, is behind the attacks. This threat actor has been responsible for stealing support cases to harvest authentication tokens, passwords, and secrets shared by customers when requesting support. UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not impacted, and organizations are still advised to review relevant logs for evidence of data exposure.
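Because the stolen support cases were mined for credentials, a practical follow-up is to find which of your own case records contain credential-like strings so those secrets can be rotated. The scanner below is an added example, not code from the article, Zscaler or Google; the case records, field names and the three patterns are constructed assumptions and should be extended to the credential formats your customers actually use.

```python
import re

# Constructed sample support cases (not real data); the "id"/"body" fields are assumptions.
SAMPLE_CASES = [
    {"id": "CASE-0001", "body": "Login fails. Our API key is AKIAABCDEFGHIJKLMNOP, please check."},
    {"id": "CASE-0002", "body": "Need help with licensing renewal for 500 seats."},
    {"id": "CASE-0003", "body": "Connector config:\npassword = Sup3rS3cret!\n"
                                "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456"},
]

# Illustrative patterns only: AWS access key id prefix, JWT shape, key=value secrets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token)\b\s*[:=]\s*(\S+)"),
}

def redact(value):
    """Keep a short prefix so a finding can be matched without re-exposing the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_cases(cases):
    """Return one finding per (case, pattern, match) so owners know what to rotate."""
    findings = []
    for case in cases:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(case["body"]):
                # Use the capture group when the pattern has one, else the whole match.
                secret = m.group(m.lastindex or 0)
                findings.append({"case": case["id"], "kind": kind,
                                 "redacted": redact(secret)})
    return findings

def cases_needing_rotation(cases):
    """Case ids containing at least one credential-like string, in first-seen order."""
    seen = []
    for finding in scan_cases(cases):
        if finding["case"] not in seen:
            seen.append(finding["case"])
    return seen

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
    print("Rotate secrets referenced in:", cases_needing_rotation(SAMPLE_CASES))
```

Findings carry only a redacted prefix, so the report itself does not become another place where the secrets are stored.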

    Furthermore, Google warned that attackers used stolen OAuth tokens to access Google Workspace email accounts and read emails as part of this breach. As a result, Google has temporarily disabled its Drift integrations pending the completion of an investigation.

    The breach also appears to be connected to recent Salesforce data theft attacks by the ShinyHunters extortion group. The group has been conducting social engineering attacks to breach Salesforce instances and download sensitive data. During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances.

    The incident highlights the need for organizations to prioritize security awareness and implement robust measures to protect against supply-chain attacks. In particular, companies that use third-party services or software must ensure they have adequate monitoring and response protocols in place to detect and respond to potential breaches.

    In light of this breach, Zscaler has strengthened its customer authentication protocol when responding to customer support calls to guard against social engineering attacks. This move is a positive step towards improving the overall security posture of the company and its customers.

    The incident also underscores the importance of staying informed about emerging threats and vulnerabilities. As cybersecurity threats continue to evolve, it is crucial for organizations to stay vigilant and take proactive measures to protect their sensitive information.

    In conclusion, the Zscaler data breach highlights the need for robust security measures in the cloud and the importance of supply-chain security awareness. As threat actors continue to adapt and evolve, it is essential for companies to prioritize cybersecurity awareness and implement effective response protocols to detect and respond to potential breaches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Zscaler-Data-Breach-Exposes-Customer-Information-Following-Salesloft-Drift-Compromise-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-customer-info-after-salesloft-drift-compromise/

  • https://www.zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response


  • Published: Mon Sep 1 12:49:48 2025 by llama3.2 3B Q4_K_M












