
In a stark reminder that even security providers aren't immune to breaches, Zscaler has confirmed unauthorized access to its Salesforce environment through compromised credentials from Salesloft's Drift platform. The incident stems from a sophisticated supply chain attack where threat actors first infiltrated Salesloft's AI-powered chat agent—a tool widely used for customer engagement that integrates directly with Salesforce.

The Attack Chain: OAuth as the Weak Link

Attackers stole OAuth access and refresh tokens during the Salesloft compromise; because those tokens were already-issued credentials for the Drift integration, they could be replayed against Zscaler's Salesforce instance without any further authentication step. Google's Threat Intelligence Group (GTIG) attributes the operation to UNC6395, a threat actor exhibiting advanced operational security by systematically deleting query logs after exfiltrating data.
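A stolen integration token is a valid credential, so the signal a defender has is not a failed login but the token being used in ways the integration never needed: from an unfamiliar network, against objects outside its normal scope, or at export-scale volume. The following is an added example, not code from Zscaler, Salesloft, Salesforce or the article, that runs three such checks over a handful of constructed API-activity records. The record field names (`ts`, `app`, `user`, `src_ip`, `op`, `obj`, `rows`), the per-app IP allow-list, the per-app expected-object baseline and the hourly row threshold are all this example's own assumptions; a real deployment would map them onto whatever API event logging the SaaS platform exposes.

```python
"""Flag suspicious use of a third-party connected app's OAuth token.

Added example with constructed sample data; the field names and baselines
below are assumptions for illustration, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records: one line per API call made with the
# integration's token. The first is ordinary; the rest model a token being
# replayed from a new network to pull support-case data in bulk.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T09:00:05Z", "app": "Drift", "user": "drift.integration@example.com",
     "src_ip": "203.0.113.10", "op": "query", "obj": "Lead", "rows": 25},
    {"ts": "2025-08-11T02:10:44Z", "app": "Drift", "user": "drift.integration@example.com",
     "src_ip": "198.51.100.7", "op": "query", "obj": "Case", "rows": 6000},
    {"ts": "2025-08-11T02:40:12Z", "app": "Drift", "user": "drift.integration@example.com",
     "src_ip": "198.51.100.7", "op": "query", "obj": "Case", "rows": 6000},
    {"ts": "2025-08-11T02:55:01Z", "app": "Drift", "user": "drift.integration@example.com",
     "src_ip": "198.51.100.7", "op": "query", "obj": "Contact", "rows": 500},
]

# Assumed baselines (constructed): where the vendor's traffic should come
# from, which objects the integration has a reason to read, and how many
# rows per hour is still plausible for a chat-engagement tool.
APP_ALLOWLIST = {"Drift": [ip_network("203.0.113.0/24")]}
APP_EXPECTED_OBJECTS = {"Drift": {"Lead", "Contact", "Account"}}
ROWS_PER_HOUR_LIMIT = 10_000


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_anomalies(events, allowlist=APP_ALLOWLIST,
                   expected_objects=APP_EXPECTED_OBJECTS,
                   row_limit=ROWS_PER_HOUR_LIMIT):
    """Return a list of (kind, app, detail, context) findings.

    kinds: unexpected_source_ip  - token used outside the app's known ranges
           unexpected_object     - token read an object outside its baseline
           bulk_export           - rows read in one hour exceed the threshold
    """
    findings = []
    rows_per_app_hour = defaultdict(int)

    for e in sorted(events, key=lambda r: r["ts"]):
        app = e["app"]

        nets = allowlist.get(app)
        if nets is not None and not any(ip_address(e["src_ip"]) in n for n in nets):
            findings.append(("unexpected_source_ip", app, e["src_ip"], e["ts"]))

        allowed = expected_objects.get(app)
        if allowed is not None and e.get("obj") not in allowed:
            findings.append(("unexpected_object", app, e.get("obj"), e["ts"]))

        hour = parse_ts(e["ts"]).strftime("%Y-%m-%dT%H")
        rows_per_app_hour[(app, hour)] += e.get("rows", 0)

    for (app, hour), rows in sorted(rows_per_app_hour.items()):
        if rows > row_limit:
            findings.append(("bulk_export", app, hour, rows))

    return findings


def apps_to_revoke(findings):
    """Connected apps that produced any finding; candidates for token revocation."""
    return sorted({f[1] for f in findings})


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS):
        print(*finding)
    print("revoke and re-issue tokens for:", apps_to_revoke(find_anomalies(SAMPLE_EVENTS)))
```

The volume check is deliberately computed from the consumer's own copy of the activity records rather than from anything the integration reports about itself, since an actor who deletes query logs on the vendor side cannot also erase records kept independently by the tenant. When a finding fires for an app, the response the article describes for Zscaler (revoke the integration, rotate its tokens) is the right first move, followed by treating anything customers pasted into the affected objects, such as credentials in support cases, as exposed.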

"Unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," the company stated in its advisory. "These credentials have allowed limited access to some Zscaler's Salesforce information."

Exposed Data and Immediate Fallout

The breach exposed:
- Customer names, business emails, and job titles
- Phone numbers and regional/location details
- Zscaler product licensing information
- Sensitive content from support cases

While Zscaler confirmed its core security products and infrastructure remain uncompromised, the stolen support case data could contain authentication secrets customers shared while troubleshooting—creating secondary risks. The company has revoked all Salesloft Drift integrations, rotated API tokens, and strengthened customer authentication protocols for support interactions.

Broader Ecosystem Impact

This incident is part of a larger campaign targeting Salesforce integrations:
- Google Workspace: Attackers accessed emails via stolen OAuth tokens
- Major Corporations: Cisco, Adidas, Allianz, and LVMH subsidiaries suffered similar breaches
- Threat Actor Link: Researchers connect UNC6395 to ShinyHunters' extortion group, known for voice phishing (vishing) attacks that trick employees into authorizing malicious OAuth apps

Salesforce and Google have temporarily disabled Drift integrations during ongoing investigations. The pattern reveals how a single compromised third-party service can cascade into enterprise-scale data theft.

The Escalating Third-Party Threat

As organizations increasingly rely on integrated SaaS ecosystems, this breach underscores the fragility of OAuth-based authentication and the catastrophic potential of supply chain vulnerabilities. Security teams must now scrutinize not just their own defenses but every connected service's security posture—especially those with privileged access to critical systems. The era of implicit trust in integrations is over; zero-trust principles must extend far beyond organizational boundaries.