On **August 28, 2025**, Zscaler detected a targeted security incident involving **Salesloft Drift**, a third-party SaaS marketing tool integrated with Salesforce via OAuth 2.0. Threat actors exfiltrated OAuth tokens used by Salesloft Drift to access Salesforce customer data, including Zscaler’s instance. The breach was confined to **non-sensitive Salesforce records**: contact metadata (names, emails, job titles, phone numbers, locations), product licensing details, and plain-text support case content (excluding attachments). Zscaler confirmed **no misuse or further exfiltration** beyond token theft, with no compromise of its core products, services, or infrastructure. Mitigation included **token revocation, enhanced OAuth monitoring, stricter third-party risk assessments, and hardened customer support authentication (MFA, callback procedures)**. Customers were advised to validate communications, monitor OAuth activity, enforce least-privilege permissions, and report phishing attempts. The incident underscored risks tied to **third-party OAuth integrations** and credential management in SaaS ecosystems.
Source: https://cyberpress.org/zscaler-confirms-data-breach/
TPRM report: https://www.rankiteo.com/company/zscaler
```json
{
  "id": "zsc803090225",
  "linkid": "zscaler",
  "type": "Breach",
  "date": "8/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```
```json
{
  "affected_entities": [
    {"industry": "Cybersecurity / Cloud Security", "name": "Zscaler", "type": "Corporation"},
    {"industry": "Sales Automation / Marketing", "name": "Salesloft Drift", "type": "Third-Party SaaS Vendor"}
  ],
  "attack_vector": "OAuth Token Theft via Third-Party SaaS (Salesloft Drift)",
  "customer_advisories": "Published recommendations for validating communications, monitoring tokens, and reporting phishing",
  "data_breach": {
    "data_exfiltration": "OAuth tokens exfiltrated; no evidence of further data exfiltration",
    "personally_identifiable_information": "Limited to business contact details (names, emails, job titles, phone numbers, locations)",
    "sensitivity_of_data": "Moderate (non-sensitive business metadata; no financial/payment data or attachments)",
    "type_of_data_compromised": [
      "Business contact information (PII)",
      "Commercial configurations",
      "Support case plain-text content"
    ]
  },
  "date_detected": "2025-08-28",
  "description": "A targeted campaign aimed at Salesloft Drift, a SaaS offering integrating with Salesforce via OAuth 2.0, resulted in the exfiltration of OAuth tokens used to access Salesforce customer data. Zscaler's Salesforce instance was impacted, but no Zscaler products, services, or infrastructure were compromised. The breach was confined to credentials managed by Salesloft Drift.",
  "impact": {
    "brand_reputation_impact": "Potential reputational risk due to third-party breach; proactive customer advisories issued",
    "data_compromised": [
      "Contact metadata (names, business emails, job titles, phone numbers, locations)",
      "Zscaler product licensing and commercial configurations",
      "Plain-text content from support cases (attachments/files unaffected)"
    ],
    "identity_theft_risk": "Low (no evidence of misuse; limited to business contact data)",
    "operational_impact": "Enhanced monitoring and token revocation procedures implemented; no direct operational disruption reported",
    "systems_affected": ["Salesforce instance (via Salesloft Drift OAuth tokens)"]
  },
  "initial_access_broker": {
    "entry_point": "Salesloft Drift (SaaS application integrating with Salesforce via OAuth 2.0)",
    "high_value_targets": "Salesforce customer data (Leads, commercial configurations, support cases)"
  },
  "investigation_status": "Ongoing (collaboration with Salesforce; no evidence of data misuse detected)",
  "lessons_learned": [
    "Third-party SaaS integrations introduce attack surface risks via OAuth token management",
    "Continuous monitoring of OAuth token usage is critical for detecting anomalies",
    "Least-privilege principles must be enforced for connected apps (e.g., minimal OAuth scopes)"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Token revocation and rotation procedures",
      "Enhanced monitoring for OAuth anomalies",
      "Stricter third-party risk management protocols"
    ],
    "root_causes": [
      "Inadequate protection of OAuth tokens by third-party vendor (Salesloft Drift)",
      "Potential over-permissive OAuth scopes granted to the connected app"
    ]
  },
  "recommendations": [
    {
      "for_customers": [
        "Validate communications from Zscaler/Salesloft Drift via official domains (@zscaler.com, @salesloft.com)",
        "Monitor OAuth token usage via Salesforce Event Monitoring API (check OAuthTokenRevocationEvent, LoginEvent logs)",
        "Enforce least privilege for Drift’s Salesforce connected app (disable unused permissions)",
        "Report suspicious activity to [email protected] and [email protected]"
      ]
    },
    {
      "for_organizations": [
        "Conduct regular security assessments of third-party SaaS vendors",
        "Implement stricter authentication checks (MFA, callback procedures) for customer support",
        "Deploy anomaly detection for OAuth token requests in cloud environments"
      ]
    }
  ],
  "references": [
    {"source": "Zscaler Public Advisory"},
    {"source": "Zscaler Support Portal", "url": "https://help.zscaler.com"}
  ],
  "response": {
    "communication_strategy": [
      "Public advisory with mitigation recommendations",
      "Customer support hardening (MFA, callback procedures)",
      "Dedicated support channels for incident-related inquiries"
    ],
    "containment_measures": [
      "Revoked all Salesloft Drift OAuth tokens via Salesforce REST API",
      "Rotated additional API access tokens tied to other integrations"
    ],
    "enhanced_monitoring": "Anomaly detection for OAuth token usage via Zscaler CSPM",
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Deployed anomaly detection rules in Zscaler CSPM for OAuth token requests",
      "Strengthened third-party risk management (continuous security assessments of SaaS vendors)"
    ],
    "third_party_assistance": ["Salesforce security analysts"]
  },
  "stakeholder_advisories": "Proactive customer notifications and mitigation guidance provided",
  "title": "Security Incident Involving Third-Party Marketing Application Salesloft Drift",
  "type": "Data Breach / Unauthorized Access",
  "vulnerability_exploited": "Weakness in OAuth 2.0 token management by Salesloft Drift"
}
```