Your support tickets may now be phishing ammunition…
Imagine waking up and checking your CRM only to find that customer records, tickets, and product licensing notes are quietly exposed because a third-party chat integration was weaponized.
You’re not hacked directly — no fortress wall breached, no passwords stolen — but your CRM’s metadata has walked out the door.
That’s exactly what’s happening to Zscaler — a leading SaaS security provider. Their Salesforce instance got exposed because attackers hijacked Salesloft Drift integrations. That’s the modern supply-chain sidecar turning into a Trojan horse.
Forget dramatic hacks of servers or databases. In this breach, what dropped into attackers’ hands was the context: names, job titles, licensing info, support-case content, and more. That’s what makes metadata so dangerously powerful.
This edition takes you inside how metadata became the hidden weapon, why hackers crave it on the dark web, who might be behind the breach, and how you can check if your own metadata is already at risk.
TL;DR: What You Need to Know, Fast
- Who’s impacted? Zscaler’s Salesforce system only — no fallout on their core products or infrastructure.
- What got leaked? Customer names, emails, job titles, phone numbers, region info, product licensing and commercial details, and support-case contents.
- Perpetrator: Google’s Threat Intelligence Group identifies UNC6395 as the orchestrator. The campaign spanned August 8–18 via stolen OAuth/refresh tokens used to exfiltrate data and even harvest AWS and Snowflake credentials.
- Containment: Zscaler revoked Drift integrations, rotated API tokens, boosted support-auth protocols, and launched a vendor risk review.
- Record count: Zscaler’s advisory describes limited Salesforce access but does not publish an exact record count publicly; multiple reporting outlets describe the incident as affecting hundreds of organizations via Salesloft Drift tokens. (No verified “records-stolen” number for Zscaler was published at the time of writing.)
- Dark Web Tip: 👉 Run a free Dark Web Exposure Scan to see if your data is at risk
How the Attack Played Out — Step-by-Step
Hackers stole OAuth and refresh tokens from the Salesloft Drift integration, giving them access to Salesforce and, in a few cases, Google Workspace accounts. Here’s how it happened:
- Initial vector: Attackers stole OAuth (and refresh) tokens tied to Salesloft’s Drift app, which integrates with Salesforce. Attackers stole tokens from multiple customers, including Zscaler.
- Access as an “app”: Those tokens gave attackers a “legitimate app”-level view into Salesforce via structured SOQL queries, enough to extract customer contact data and support content. To Salesforce, the activity looked like a trusted integration doing its job.
- Data Harvest: Metadata — cases, user records, licensing info — was collected. They also searched for embedded secrets like AWS keys, Snowflake tokens, and other sensitive info hidden in cases.
- Covering Tracks: Attackers deleted query jobs to obscure their activity, but logs remained, leaving forensic traces.
What Was Leaked?
The exposed data includes:
- Names
- Business email addresses
- Job titles
- Phone numbers
- Regional/location details
- Zscaler product licensing and commercial information
Who’s Behind It?
Google’s Threat Intelligence Group (GTIG) and Mandiant link the campaign to an actor they track as UNC6395 and document systematic queries for credentials and API tokens.
They demonstrate careful tradecraft:
- Targeted and precise OAuth harvesting
- Systematic querying for “secrets”
- Deletion of logs post-exfiltration — but not perfect enough to hide everything
Some criminal groups have tried to claim responsibility publicly, but GTIG’s attribution and operational detail are the most credible publicly available assessment so far.
What Zscaler Says (Official Summary)
Zscaler confirmed the company’s Salesforce instance had limited data exposure after unauthorized parties obtained Salesloft Drift credentials. Zscaler stressed that their products, services, and infrastructure were not compromised, and said they revoked access, rotated API tokens, strengthened support-auth protocols, and opened a third-party risk review.
Why This Is Worse Than A “Simple Contact Leak”
Contextualized Data = Phishing Gold:
Names, emails, product details, and support ticket snippets let attackers craft highly convincing spear-phishing and vishing scripts. That raises the likelihood of credential theft, invoice fraud, and targeted social engineering.
Social Engineering Weaponized:
This isn’t your average “Nigerian Prince” email. Imagine getting a call that references your exact support ticket ID, the licensing issue you opened last week, or the regional sales manager you’ve spoken with before. Suddenly, the scam feels authentic — because the attacker has the context to sound like your vendor, partner, or IT team.
Attackers can now:
- Spoof authority: Impersonate customer success or technical support teams with frightening precision.
- Exploit urgency: Cite real-time cases (“your API key issue is escalating”) to rush users into sharing MFA codes or installing remote-access tools.
- Chain trust: Contact one victim while dropping names of colleagues or vendors also exposed in the same dataset, making the attack feel “in the loop.”
- Blend channels: Move seamlessly between email, phone, and even LinkedIn messages — all using real leaked details to gain trust.
When social engineering has this level of personalization, the success rate skyrockets — and the line between a legitimate support call and a phishing scam almost disappears.
Deeply Permissioned SaaS Danger:
OAuth tokens often have broad privileges; once stolen, they let an attacker perform queries like a legitimate app — including searching for secrets (AWS keys, Snowflake tokens) that were observed in other victims’ exfiltrations. That’s how a supply-chain SaaS integration becomes an escalation vector.
Resale & Reuse:
Even “limited” dumps on the dark web are repackaged and traded across underground forums — every leak increases the chance of targeted follow-ups months later.
| Risk Area | Threat Vector |
|---|---|
| OAuth / SaaS Tokens | Can be stolen and abused like legitimate app users |
| Exposed Data | Contact details, support cases, license info |
| Credential Exposure | AWS, Snowflake, Workspace API secrets stolen |
| Phishing Amplified | High-quality info makes for tailored social engineering |
Why This Breach Packs a Bigger Punch in the Dark Web
- Context = Phishing dynamite: With job titles, support ticket snippets, and licensing info, spear-phishing becomes far more credible — and dangerous. Expect phishing and vishing attempts that reference product licensing, open support tickets, or regional account managers; attackers will try to appear “in the loop.”
- Secrets in plain sight: Many support cases contain API keys or one-time tokens, a whole trove of credentials laid bare. Expect follow-on targeting of partners and downstream vendors too; attackers often pivot from exposed contacts to partner systems.
- Recycling underground: Even limited leaks get reposted across dark web forums, where credential stuffing bots and phishing toolkits harvest them.
- Credential reuse exploitation: If any exposed email address is paired with a password reused elsewhere, expect credential-stuffing attempts; this campaign has already shown a pattern of searching for keys and tokens.
Tactical Playbook — What You Should Do Right Now
Here’s the playbook to lock things down:
Run a Dark Web Exposure Scan:
Protect exposed identifiers today. PureVPN offers a free scan (also linked above) that lets you check whether your credentials appear on dark web marketplaces and forums. In about 30 seconds you’ll learn:
- Are you exposed?
- How severe is the compromise?
- How recent was the leak?
- How many breaches include your account?
For IT/security teams:
- Rotate all OAuth tokens, API keys, and any credentials that flowed through the Salesloft/Drift integration. Do this immediately and require re-authentication.
- Audit Salesforce logs and export queries, especially those that occurred during Aug 8–18 (and surrounding dates). Look for unusual SOQL queries, deleted jobs, or bulk exports; GTIG observed jobs being deleted to hide activity.
- Rotate AWS/Snowflake/any cloud credentials discovered in Salesforce exports. Treat secrets found in CRM as compromised until proven otherwise.
- Enhance support authentication — require multi-factor for customer support interactions and implement call-back authentication for high-risk tickets. Zscaler says they’ve strengthened these checks.
- Phishing simulation & user education for staff and customers: warn about realistic scripts referencing licensing/support.
- Third-party risk reviews: Put Salesloft/Drift integrations under emergency review and reduce permissions where feasible.
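As an added example (not code from PureVPN, Zscaler, Salesforce or GTIG), the Python below does the log-audit and secret-rotation steps above in a minimal form. It triages a constructed, Salesforce-style API event export for the behaviours described in the attack walk-through (a connected app bulk-reading Case and User records during Aug 8–18, and job deletions), and scans constructed support-case text for credential patterns so those secrets can be rotated. The column names, the app/object baseline, the constructed log rows and the regexes are all assumptions; Salesforce’s real Event Monitoring schema differs, so map your export’s columns first.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample export. The column names are assumptions made for this
# example, not Salesforce's real Event Monitoring schema; map your export's
# columns onto them before running this against real data.
SAMPLE_LOG = """timestamp,user,connected_app,event_type,entity,rows_returned,query
2025-08-07T09:12:00Z,svc-drift,Drift,ApiQuery,Contact,12,SELECT Id FROM Contact WHERE LastModifiedDate = TODAY
2025-08-10T02:41:13Z,svc-drift,Drift,BulkApiJobCreate,Case,25000,SELECT Id FROM Case
2025-08-10T02:55:40Z,svc-drift,Drift,BulkApiJobDelete,Case,0,
2025-08-11T03:10:02Z,svc-drift,Drift,ApiQuery,User,900,SELECT Id FROM User
2025-08-12T11:00:00Z,jdoe,Salesforce UI,ReportRun,Opportunity,40,
2025-08-20T08:00:00Z,svc-drift,Drift,ApiQuery,Contact,9,SELECT Id FROM Contact WHERE LastModifiedDate = TODAY
"""

# Assumptions about the environment under review (adjust to your own org).
INTEGRATION_APPS = {"Drift"}             # connected apps under emergency review
EXPECTED_OBJECTS = {"Contact", "Lead"}   # what a chat integration plausibly needs
READ_EVENTS = {"ApiQuery", "BulkApiJobCreate"}
BULK_THRESHOLD = 1000                    # rows in one call that count as an export
WINDOW = (datetime(2025, 8, 8, tzinfo=timezone.utc),
          datetime(2025, 8, 19, tzinfo=timezone.utc))   # Aug 8-18 inclusive


def triage_log(export_text, window=WINDOW):
    """Return anomaly findings for integration-app activity inside the window."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if row["connected_app"] not in INTEGRATION_APPS or not (window[0] <= ts < window[1]):
            continue
        rows = int(row["rows_returned"] or 0)
        base = {"timestamp": row["timestamp"], "app": row["connected_app"], "entity": row["entity"]}
        # Rule 1: one call pulling a large slice of an object (bulk export).
        if row["event_type"] in READ_EVENTS and rows >= BULK_THRESHOLD:
            findings.append({**base, "rule": "bulk_export", "rows": rows})
        # Rule 2: the integration reading objects outside its business need.
        if row["event_type"] in READ_EVENTS and row["entity"] not in EXPECTED_OBJECTS:
            findings.append({**base, "rule": "unexpected_object"})
        # Rule 3: job deletion, the "covering tracks" behaviour GTIG described.
        if row["event_type"] == "BulkApiJobDelete":
            findings.append({**base, "rule": "job_deleted"})
    return findings


# Patterns for secrets that should never live in a CRM case. Every hit is a
# rotation candidate; the generic pattern will also flag harmless text such as
# "password: reset link sent", so review hits by hand before acting.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account": re.compile(r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b"),
    "generic_credential": re.compile(r"(?i)\b(?:token|api[_-]?key|password)\s*[:=]\s*\S{8,}"),
}

# Constructed case bodies; the AWS key is Amazon's documented example value.
SAMPLE_CASES = [
    ("00001234", "Upload fails. Access key AKIAIOSFODNN7EXAMPLE was pasted into the connector config."),
    ("00001235", "Licensing question: when does our enterprise renewal date roll over?"),
    ("00001236", "Gateway rejects api_key=sk_test_51H8abc123 since yesterday, please advise."),
]


def find_secrets(cases):
    """Return (case_id, pattern_name) for every case body containing a secret-like string."""
    hits = []
    for case_id, body in cases:
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(body):
                hits.append((case_id, name))
    return hits


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['timestamp']}  {f['rule']:<18} app={f['app']} entity={f['entity']}")
    for case_id, name in find_secrets(SAMPLE_CASES):
        print(f"case {case_id}: rotate credential matching {name}")
```

The window is a parameter so the review can be widened to the surrounding dates; anything the scan flags in a case body should be treated as compromised and rotated, not merely redacted, since the attacker already read the case.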
For individuals who use Zscaler-managed accounts or are named in vendor contact lists:
- Validate suspicious emails/calls by contacting known phone numbers (not those in the email).
- Do not click links that claim to be about invoices or licensing without independently confirming.
- Report suspicious vishing attempts to the vendor immediately.
What’s Next
This incident is the clearest reminder yet that SaaS composition matters: a highly permissioned integration can act as a door into dozens or hundreds of orgs. Zero-trust offers little protection if tokens are issued and later stolen. Expect more companies to push vendors for token-rotation windows, more granular least-privilege integrations, and stricter vendor security attestations.
Not to forget, run PureVPN’s free Dark Web Exposure Scan now to see if your data is already circulating.
Questions the Public Still Needs Answers To
- Exact record counts for affected customers (Zscaler: limited access; no published numbers).
- Full scope of secrets exfiltrated from other victim orgs (GTIG found AWS/Snowflake keys in some cases).
- Definitive public attribution beyond GTIG’s UNC6395 track (claims vs. technical attribution differ).
Why Subscribe?
Every week, Dark Web Digest cuts through the noise and brings you the breaches that matter, the tactics behind them, and the steps you need to protect yourself — all in a conversational, no-fluff format.
If you don’t want to be the last to know when your personal data hits the dark web, subscribing is your safety net.
👉 Stay ahead, stay secure, stay subscribed.
Note: This edition of Dark Web Digest is based on publicly available information as of Sept 2, 2025.