
Hackers steal customer data from Zscaler via Salesloft leak

Following a string of earlier victims, Zscaler has also been affected by the compromised Salesloft Drift integration with Salesforce. This resulted in the theft of customer data and information about support cases.

Zscaler warns that hackers stole sensitive customer data after gaining access to its Salesforce environment. The stolen data includes customer names, email addresses, job titles, phone numbers, and location data. In addition, product licenses, commercial information, and the content of certain support cases have also been compromised. The company emphasizes that only the Salesforce environment was affected, not the Zscaler products themselves or its internal infrastructure.

Supply chain attack hits security expert

The attackers used the previously hacked Salesloft Drift as a springboard. This integration of an AI chatbot with Salesforce made it possible to steal OAuth access and refresh tokens, which the criminals used to gain access to company data. “Unauthorized parties gained access to Salesloft Drift credentials from customers, including Zscaler,” the company said in a security advisory. After thorough analysis, it appeared that these credentials provided only limited access to Salesforce information.

Google identifies perpetrators

Google Threat Intelligence identified the attackers as UNC6395. This group targeted AWS access keys, passwords, and Snowflake tokens that customers shared in support requests. Although the hackers deleted query tasks to cover their tracks, log files were preserved, allowing the attack to be reconstructed.

Further investigation revealed that, in addition to Drift, Salesloft’s Email service had also been compromised. This tool manages email responses and organizes CRM and marketing databases. Google and Salesforce have temporarily disabled their Drift integrations pending investigation.

Part of a larger campaign

The Zscaler hack comes shortly after a series of Salesforce-targeted attacks that affected dozens of organizations this summer. Google, Cisco, Air France-KLM, Adidas, and LVMH brands Louis Vuitton, Dior, and Tiffany were previously victims of similar social engineering tactics.

The criminals use voice phishing to trick employees into linking malicious OAuth apps to Salesforce environments. Once inside, they download databases to extort companies.

Security measures tightened

Zscaler has revoked all Salesloft Drift integrations and reset API tokens. The company also tightened customer verification for support calls to prevent social engineering. Although no abuse has been detected, Zscaler warns customers to remain alert to phishing and social engineering attacks.

Some researchers suspect, according to BleepingComputer, that there is an overlap between this supply chain attack and the recent Salesforce theft campaign by extortion group ShinyHunters. Since the beginning of this year, ShinyHunters has been carrying out social engineering attacks to gain access to Salesforce and extort companies.