Supply-chain attack hits Zscaler via Salesloft Drift, leaking customer info – Security Affairs
Zscaler has disclosed a data breach linked to the recent Salesloft Drift attack. The cybersecurity vendor confirmed it was affected by a campaign targeting Salesloft Drift, a marketing SaaS integrated with Salesforce. Threat actors stole OAuth tokens from Salesloft, and the incident impacted multiple Salesforce customers, including Zscaler. Using the stolen Drift credentials, the attackers gained unauthorized access to, and limited visibility into, some of Zscaler’s Salesforce information. The company pointed out that its products, services, and core infrastructure were not compromised.
“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some of Zscaler’s Salesforce information,” reads the advisory published by Zscaler. “After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information.”
The information exposed in the incident is the commonly available business contact details for points of contact, plus specific Salesforce-related content, including: names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, and content from certain support cases.
Zscaler confirmed it has revoked Drift’s Salesforce access, rotated API tokens, launched a joint investigation with Salesforce, added safeguards, reviewed third-party vendors, and reinforced customer support authentication to reduce phishing risks.
The company urges customers to remain vigilant against phishing and social engineering attempts, even though the impact is limited and there is no evidence of misuse.
Last week, Google disclosed that the Salesloft Drift OAuth breach is broader than the Salesforce integration and affects all Drift integrations. GTIG and Mandiant advise all customers to treat any token connected to Drift as compromised. Attackers used stolen OAuth tokens to access some Google Workspace emails on August 9, 2025, via the Drift Email integration. Google stressed that this was not a compromise of Workspace itself: only accounts integrated with Salesloft were at risk, and no other customer accounts were accessed.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” reads the update published by Google Threat Intelligence Group (GTIG).
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the “Drift Email” integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts. The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain.”
Google already notified impacted users and revoked Drift Email OAuth tokens, disabled its Workspace integration, and urged Salesloft Drift users to review integrations, rotate credentials, and check for breaches.
Last week, Google Threat Intelligence Group and Mandiant researchers announced that they investigated a large-scale data theft campaign aimed at hacking the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent.
The experts found that the threat actor UNC6395 used OAuth tokens stolen via Salesloft Drift to exfiltrate data from Salesforce instances between Aug 8 and 18, 2025, in order to harvest credentials such as AWS access keys (AKIA) and Snowflake tokens.
“Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application,” reads the report published by the Google TIG group. “The actor systematically exported large volumes of data from numerous corporate Salesforce instances.”
Because UNC6395 stole Salesforce data, GTIG advises treating that data as compromised and rotating any credentials it contained. The threat actor deleted its query jobs to evade detection, so Google urges organizations to review logs, revoke keys, and rotate credentials in order to assess whether they were compromised.
Salesloft warned that hackers exploited OAuth credentials in the Drift app to steal Salesforce data (Cases, Accounts, Users, Opportunities). On August 20, 2025, it revoked all Drift–Salesforce connections, stressing that non-Salesforce users are unaffected. Admins are advised to re-authenticate Salesforce integrations, and impacted customers have been notified, though the full scale remains unclear.
“From August 8 to August 18, 2025, a threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances. All impacted customers have been notified,” reads the Drift/Salesforce Security Update published by Salesloft. “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration.”
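Since the actor's stated goal was to harvest AWS access keys and passwords from exported Salesforce records (Cases, Accounts, Users, Opportunities), the practical follow-up for an affected tenant is to triage its own Salesforce export for such material and build a rotation worklist. The script below is an added illustration, not code from Google, Salesloft or Zscaler; the records are constructed, the key IDs are fabricated and only follow the public AWS access key ID format, and the password heuristic is an assumption.

```python
import re
from collections import defaultdict

# Public AWS access key ID format: long-term keys start with AKIA, temporary
# (STS) keys with ASIA, each followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Loose heuristic (assumption) for plaintext passwords pasted into ticket text.
PASSWORD_HINT = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE)

# Constructed sample records (case id, field, text); not real data from the
# incident. The key IDs are fabricated and only match the public format.
SAMPLE_RECORDS = [
    ("5001a", "Description", "Customer attached creds: AKIAEXAMPLEKEY000001 and secret in ticket"),
    ("5002b", "Comment", "Retry with AKIAEXAMPLEKEY000001 after rotation; temp key ASIAEXAMPLEKEY000002"),
    ("5003c", "Description", "Snowflake login fails, password=Winter2025! attached"),
    ("5004d", "Subject", "Routine question about proxy config"),
]


def triage(records):
    """Map each AWS key ID to the cases it appears in; list cases with pasted passwords."""
    key_to_cases = defaultdict(set)
    password_cases = set()
    for case_id, _field, text in records:
        for key_id in AWS_KEY_ID.findall(text):
            key_to_cases[key_id].add(case_id)
        if PASSWORD_HINT.search(text):
            password_cases.add(case_id)
    return {
        "records_scanned": len(records),
        "aws_key_ids": {k: sorted(v) for k, v in sorted(key_to_cases.items())},
        "password_hits": sorted(password_cases),
    }


def rotation_worklist(report):
    """One action line per exposed credential, with the cases to review."""
    lines = []
    for key_id, cases in report["aws_key_ids"].items():
        kind = "temporary (STS)" if key_id.startswith("ASIA") else "long-term IAM"
        lines.append(f"revoke {kind} key {key_id}; review cases {', '.join(cases)}")
    for case_id in report["password_hits"]:
        lines.append(f"reset password pasted in case {case_id}")
    return lines


if __name__ == "__main__":
    for line in rotation_worklist(triage(SAMPLE_RECORDS)):
        print(line)
```

Run it over a real Case/Comment export to get the list of key IDs to revoke in IAM; an AKIA hit in exported data should be treated as exposed regardless of whether the export logs were deleted.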
Salesforce said only a small number of customers were affected due to a compromised app connection. Working with Salesloft, it revoked tokens, pulled Drift from AppExchange, and notified impacted users.
Pierluigi Paganini
(SecurityAffairs – hacking, Salesloft)
Data Breach / September 01, 2025