
Zscaler Confirms Data Breach – Hackers Compromised Salesforce Instance

Zscaler remains steadfast in its commitment to data protection, transparency, and the secure enablement of digital transformation.

A recent security incident involving the third-party marketing application Salesloft Drift has prompted swift action and rigorous internal review.

Incident Overview

On August 28, 2025, Zscaler’s security team was alerted to a targeted campaign aimed at Salesloft Drift, a SaaS offering that integrates with Salesforce via OAuth 2.0 for sales workflow automation.

Threat actors successfully exfiltrated OAuth tokens used by Salesloft Drift to access Salesforce customer data.

These tokens operate under the following HTTP header format in API calls:

    GET /services/data/vXX.X/sobjects/Lead HTTP/1.1
    Host: yourInstance.salesforce.com
    Authorization: Bearer <OAuthAccessToken>

Zscaler confirmed that its own Salesforce instance was among those impacted.

Importantly, no Zscaler products, services, or infrastructure were compromised; the breach vector was confined strictly to credentials managed by Salesloft Drift.

Impacted Data and Response

Following detection, Zscaler conducted a detailed forensic investigation in collaboration with Salesforce security analysts.

The scope of unauthorized access was limited to non-sensitive Salesforce records, including:

  • Contact metadata (names, business emails, job titles, phone numbers, locations)
  • Zscaler product licensing and commercial configurations
  • Plain-text content from support cases (attachments and files remained unaffected)

There is currently no evidence of data misuse or exfiltration beyond token theft.

However, as a precaution, Zscaler executed the following mitigation measures:

  1. Token Revocation & Rotation
    • Revoked all Salesloft Drift OAuth tokens via the Salesforce REST API:
        curl -X POST https://yourInstance.salesforce.com/services/oauth2/revoke -d "token=<OAuthAccessToken>"
    • Rotated additional API access tokens tied to other integrations.
  2. Enhanced Monitoring & Protocols
    • Deployed anomaly detection rules in Zscaler Cloud Security Posture Management (CSPM) to flag unusual OAuth token requests.
    • Strengthened third-party risk management processes, including continuous security assessments of all SaaS vendors.
  3. Customer Support Hardening
    • Implemented stricter authentication checks (MFA verification, callback procedures) to thwart phishing or social engineering leveraged by malicious actors.

Recommendations for Customers

Although no misuse has been detected, vigilance is paramount. Zscaler advises all customers to:

  1. Validate Communications: Confirm emails or calls purportedly from Zscaler or Salesloft Drift originate from official domains (e.g., @zscaler.com, @salesloft.com).
  2. Monitor OAuth Token Usage: Use Salesforce’s Event Monitoring API to review all OAuthTokenRevocationEvent and LoginEvent logs for anomalies.
  3. Enforce Least Privilege: Ensure Drift’s connected app in Salesforce uses the minimal required OAuth scopes (for example, api, refresh_token) and disable unused permissions.
  4. Report Suspicious Activity: Forward any suspected phishing attempts to security@zscaler.com and driftincident@zscaler.com.
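
The token-usage review in recommendation 2 can be scripted once the events are exported. The sketch below is an added example, not code from Zscaler, Salesloft or Salesforce; the CSV column names, the sample rows and the per-app baseline values are constructed assumptions rather than the Salesforce event schema.

```python
import csv
import io
import ipaddress

# Constructed sample export. Column names are assumptions for this example,
# not the Salesforce event schema; IPs are documentation ranges.
SAMPLE_LOG = """timestamp,connected_app,source_ip,user_agent,rows_returned
2025-08-10T09:02:11Z,Drift,198.51.100.10,drift-integration/1.0,40
2025-08-10T09:07:45Z,Drift,198.51.100.11,drift-integration/1.0,55
2025-08-10T23:14:02Z,Drift,203.0.113.77,unknown-client/0.1,18000
2025-08-10T23:15:30Z,Drift,203.0.113.77,unknown-client/0.1,22000
2025-08-10T10:00:00Z,OtherApp,192.0.2.5,otherapp/3.1,12
"""

# Assumed baseline per connected app: vendor egress ranges, expected
# user-agent prefix, and a ceiling on rows returned by a single call.
BASELINE = {
    "Drift": {"networks": ["198.51.100.0/24"],
              "agent_prefix": "drift-integration/", "max_rows": 2000},
    "OtherApp": {"networks": ["192.0.2.0/24"],
                 "agent_prefix": "otherapp/", "max_rows": 500},
}


def find_anomalies(log_text, baseline):
    """Return (timestamp, app, reasons) for each row that deviates from baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["connected_app"]
        profile = baseline.get(app)
        if profile is None:
            # A token used by an app nobody has profiled is itself worth review.
            findings.append((row["timestamp"], app, ["app has no baseline"]))
            continue
        reasons = []
        ip = ipaddress.ip_address(row["source_ip"])
        if not any(ip in ipaddress.ip_network(n) for n in profile["networks"]):
            reasons.append("source IP outside expected ranges")
        if not row["user_agent"].startswith(profile["agent_prefix"]):
            reasons.append("unexpected user agent")
        if int(row["rows_returned"]) > profile["max_rows"]:
            reasons.append("row count above per-call ceiling")
        if reasons:
            findings.append((row["timestamp"], app, reasons))
    return findings


if __name__ == "__main__":
    for ts, app, reasons in find_anomalies(SAMPLE_LOG, BASELINE):
        print(ts, app, "; ".join(reasons))
```

Rows that trip more than one check at once (new source network, new client, bulk reads) are the ones to triage first.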

Zscaler remains dedicated to securing customer environments and will provide additional updates as the investigation evolves.

For further assistance, contact Zscaler Support via help.zscaler.com or your existing support channels. Your security is our highest priority.


The post Zscaler Confirms Data Breach – Hackers Compromised Salesforce Instance appeared first on Cyber Security News.
