Cloud security firm Zscaler is latest organization to disclose that it’s been hit by a data breach linked to the recent Salesloft Drift attacks.
The incident, like many others, involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.
“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler,” the company said in an advisory.
“Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information.”
Data accessed in the breach consisted of publicly available details for points of contact, along with specific Salesforce-related content.
This included names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from certain support cases, although this didn’t include attachments, files, or images.
“After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information,” said the firm.
Zscaler moved quickly to limit exposure
In its advisory, the company said it has since moved to revoke Salesloft Drift’s access to Zscaler’s Salesforce data, rotated other API access tokens to be on the safe side, and launched a detailed investigation into the scope of the event.
This includes close collaboration with Salesforce to examine the incident.
It has also implemented extra safeguards and strengthened protocols to defend against similar incidents in the future, launched a third party risk management investigation for vendors used by Zscaler, and strengthened customer authentication protocol when responding to customer calls.
This, the company said, aims to safeguard against potential phishing attacks in the wake of the incident. Like others impacted in Salesloft-related attacks, Zscaler has warned customers to remain vigilant for social engineering attempts.
“It’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information,” it said.
“Always verify the source of communication and never disclose passwords or financial data via unofficial channels.”
What happened with the Salesloft Drift attacks?
The breach stems from an incident in early August, when attackers identified as UNC6395 compromised OAuth tokens associated with sales workflow automation software Salesloft Drift.
They then used these stolen tokens to extract large volumes of data from a number of corporate Salesforce instances, including sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.
Last week, Google’s Threat Intelligence Group (GTIG) warned that the breach had been broader than first thought.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” it said.
“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
