Zscaler Inc.

Zscaler, a leading cloud security provider, suffered a data breach through a supply-chain attack on its Salesforce environment. The breach originated from a compromised third-party platform, Salesloft Drift: threat actors obtained the OAuth tokens issued to the Drift integration and used them to read data from Zscaler's Salesforce instance, so the access looked like the integration's normal API traffic rather than a user login. Exposed data included customer names, email addresses, phone numbers and support case details, which could enable convincing targeted phishing or other follow-on attacks. Zscaler confirmed the breach was confined to the marketing-linked Salesforce instance and did not affect its products, services or core production systems; even so, the exposure of support interaction data raises the risk of credential phishing and social engineering against the affected customers. The incident highlights the risk carried by third-party SaaS integrations and the gaps in OAuth governance around them (broad scopes, long-lived tokens and little visibility into what an integration actually reads), and has prompted industry-wide scrutiny of supply-chain security practices. Zscaler revoked the integration's access, rotated credentials and engaged external incident response teams, but the breach has already eroded trust among clients and peers, with ripple effects across other cybersecurity firms targeted via the same Salesloft vector.

Source: https://www.webpronews.com/zscaler-data-breach-exposes-customer-info-via-supply-chain-attack/

TPRM report: https://www.rankiteo.com/company/zscaler

{
  "id": "zsc534090325",
  "linkid": "zscaler",
  "type": "Breach",
  "date": "9/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Zscaler Inc.',
                        'type': 'Cloud Security Provider'},
                       {'industry': 'Marketing/Customer Engagement',
                        'name': 'Salesloft Drift',
                        'type': 'Third-Party SaaS Platform'},
                       {'industry': 'Cybersecurity',
                        'name': ['Palo Alto Networks',
                                 'PagerDuty',
                                 'Tanium',
                                 'SpyCloud'],
                        'type': 'Cybersecurity Companies'}],
 'attack_vector': ['OAuth Permission Exploitation',
                   'Third-Party Platform Compromise (Salesloft Drift)'],
 'customer_advisories': ['Notified customers about the breach and potential '
                         'follow-on phishing attacks'],
 'data_breach': {'data_exfiltration': 'Likely (data may have been exfiltrated '
                                      'for sale on dark web forums)',
                 'personally_identifiable_information': ['Names',
                                                         'Email addresses',
                                                         'Phone numbers'],
                 'sensitivity_of_data': 'High (includes PII and potentially '
                                        'sensitive support interactions)',
                 'type_of_data_compromised': ['Customer contact information',
                                              'Support case details '
                                              '(potentially including '
                                              'interaction contents)']},
 'description': 'Zscaler Inc., a leading cloud security provider, confirmed a '
                'significant data breach stemming from a supply-chain attack '
                'on its Salesforce infrastructure via the compromise of '
                'third-party platform Salesloft Drift. The incident exposed '
                'sensitive customer data, including contact information and '
                'support case details, raising concerns about vulnerabilities '
                'in interconnected SaaS ecosystems and vendor dependencies.',
 'impact': {'brand_reputation_impact': 'Potential erosion of trust in cloud '
                                       'security providers; scrutiny of '
                                       'Zscaler’s security practices despite '
                                       'swift response',
            'data_compromised': ['Names',
                                 'Email addresses',
                                 'Phone numbers',
                                 'Customer support interaction contents'],
            'identity_theft_risk': 'Possible (due to exposed PII in support '
                                   'case data)',
            'operational_impact': 'Potential follow-on attacks (e.g., targeted '
                                  'phishing campaigns) due to exposed support '
                                  'case data',
            'systems_affected': ['Salesforce instance (marketing-linked '
                                 'environment)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Possible (per '
                                                    'intelligence reports)',
                           'entry_point': 'Salesloft Drift '
                                          '(Salesforce-integrated tool)',
                           'high_value_targets': ['Zscaler’s Salesforce '
                                                  'instance',
                                                  'Customer support '
                                                  'interaction data']},
 'investigation_status': 'Ongoing (collaboration with affected peers to trace '
                         'attackers; monitoring for secondary attacks)',
 'lessons_learned': ['Vulnerabilities in interconnected SaaS ecosystems and '
                     'vendor dependencies pose significant risks.',
                     'OAuth permission scoping must be rigorously managed to '
                     'prevent lateral movement attacks.',
                     'Third-party integrations require enhanced monitoring and '
                     'risk assessments.',
                     'Zero-trust architectures should extend to vendor '
                     'ecosystems.',
                     'Transparency in breach disclosure can mitigate '
                     'reputational damage but does not eliminate systemic '
                     'trust issues.'],
 'post_incident_analysis': {'corrective_actions': ['Enhanced monitoring of '
                                                   'third-party integrations',
                                                   'Bolstered third-party risk '
                                                   'assessments',
                                                   'Credential rotations and '
                                                   'revocation of compromised '
                                                   'access',
                                                   'Collaboration with '
                                                   'industry peers for '
                                                   'collective defense'],
                            'root_causes': ['Exploitation of OAuth permissions '
                                            'in Salesloft Drift',
                                            'Inadequate monitoring of '
                                            'third-party integrations',
                                            'Improper scoping of permissions '
                                            'allowing lateral movement']},
 'recommendations': ['Implement stricter OAuth governance and permission '
                     'scoping.',
                     'Adopt zero-trust principles for third-party vendor '
                     'access.',
                     'Enhance monitoring of third-party integrations and '
                     'anomalies in SaaS environments.',
                     'Conduct regular third-party risk assessments and audits.',
                     'Collaborate with industry peers to trace and mitigate '
                     'sophisticated adversaries targeting supply chains.',
                     'Prepare for potential regulatory scrutiny and stricter '
                     'disclosure norms for SaaS-related breaches.'],
 'references': [{'source': 'Cybersecurity News'},
                {'source': 'BleepingComputer'},
                {'source': 'IT Pro'},
                {'source': 'Help Net Security'},
                {'source': 'DEV Community'},
                {'source': 'TechRadar'},
                {'source': 'Cyber Press'}],
 'response': {'communication_strategy': ['Transparency in public statements',
                                         'Advisories to customers about '
                                         'phishing risks'],
              'containment_measures': ['Revoked compromised credentials',
                                       'Credential rotations'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'remediation_measures': ['Enhanced monitoring of third-party '
                                       'integrations',
                                       'Bolstering third-party risk '
                                       'assessments'],
              'third_party_assistance': ['External incident response teams']},
 'stakeholder_advisories': ['Advisories issued to customers about heightened '
                            'phishing risks due to exposed support case data'],
 'title': 'Zscaler Data Breach via Salesforce Supply-Chain Attack',
 'type': ['Data Breach', 'Supply-Chain Attack'],
 'vulnerability_exploited': 'Improper scoping of OAuth permissions in '
                            'Salesloft Drift (Salesforce-integrated tool)'}