{"id":3974,"date":"2025-09-02T12:37:24","date_gmt":"2025-09-02T12:37:24","guid":{"rendered":"https:\/\/www.purevpn.com\/white-label\/?p=3974"},"modified":"2025-09-02T13:03:05","modified_gmt":"2025-09-02T13:03:05","slug":"zscaler-data-breach","status":"publish","type":"post","link":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/","title":{"rendered":"Zscaler Data Breach: What Happened and What It Means for Businesses?"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 ez-toc-wrap-left counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><ul class='ez-toc-list-level-2' ><li class='ez-toc-heading-level-2'><a 
class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Timeline_of_the_Zscaler_Data_Breach\" title=\"Timeline of the Zscaler Data Breach\">Timeline of the Zscaler Data Breach<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Timeline_of_the_Zscaler_Data_Breach-2\" title=\"Timeline of the Zscaler Data Breach\">Timeline of the Zscaler Data Breach<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Compromised_OAuth_refresh_tokens_Drift_%E2%86%92_Salesforce\" title=\"Compromised OAuth &#038; refresh tokens (Drift \u2192 Salesforce)\">Compromised OAuth &#038; refresh tokens (Drift \u2192 Salesforce)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Drift_Email_%E2%86%92_Google_Workspace\" title=\"Drift Email \u2192 Google Workspace\">Drift Email \u2192 Google Workspace<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Revocation_of_Drift_tokens\" title=\"Revocation of Drift tokens\">Revocation of Drift tokens<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Integrations_disabled_suspended\" title=\"Integrations disabled \/ suspended\">Integrations disabled \/ suspended<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#What_Data_Was_Exposed\" title=\"What Data Was 
Exposed?\">What Data Was Exposed?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Why_OAuth_Supply-Chain_Attacks_Are_Growing\" title=\"Why OAuth Supply-Chain Attacks Are Growing?\">Why OAuth Supply-Chain Attacks Are Growing?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Zscalers_Response\" title=\"Zscaler\u2019s Response\">Zscaler\u2019s Response<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Financial_Impact_Estimator\" title=\"Financial Impact Estimator\">Financial Impact Estimator<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Conservative\" title=\"Conservative\">Conservative<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Expected\" title=\"Expected\">Expected<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Severe\" title=\"Severe\">Severe<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Lessons_for_Businesses\" title=\"Lessons for Businesses\">Lessons for Businesses<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-15\" 
href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Token_Lifecycle_Visualizer\" title=\"Token Lifecycle Visualizer\">Token Lifecycle Visualizer<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#User_authorizes_app\" title=\"User authorizes app\">User authorizes app<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#What_the_Breach_Reveals_About_Zscalers_Own_Stack\" title=\"What the Breach Reveals About Zscaler\u2019s Own Stack?\">What the Breach Reveals About Zscaler\u2019s Own Stack?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Minute_Details_Many_Reports_Missed\" title=\"Minute Details Many Reports Missed\">Minute Details Many Reports Missed<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#What_Companies_Should_Do_Now\" title=\"What Companies Should Do Now?\">What Companies Should Do Now?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Beyond_SaaS_Controls_The_Case_for_VPNs\" title=\"Beyond SaaS Controls: The Case for VPNs\">Beyond SaaS Controls: The Case for VPNs<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#PureVPN_White_Label_-_Extending_SaaS_Security\" title=\"PureVPN White Label - Extending SaaS Security\">PureVPN White Label - Extending SaaS Security<\/a><\/li><\/ul><\/li><li 
class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#Closing_Thoughts\" title=\"Closing Thoughts\">Closing Thoughts<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<p>Not all breaches happen with firewalls falling or servers being popped. Some happen in quieter ways through the integrations that businesses use every day to keep operations smooth. In August 2025, <a href=\"https:\/\/cyberpress.org\/zscaler-confirms-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Zscaler confirmed that it had been impacted by exactly this type of attack<\/a>.<\/p>\n\n\n\n<p>The <strong>Zscaler data breach<\/strong> was not about its Zero Trust Exchange collapsing or its secure web gateways being bypassed. Instead, attackers exploited a <strong>third-party integration<\/strong> used for marketing and support. OAuth tokens tied to Salesloft\u2019s Drift app were stolen, granting attackers legitimate access to Salesforce. That\u2019s all it took to get inside.<\/p>\n\n\n\n<p>On the surface, it looks like a limited breach. No Zscaler core infrastructure was compromised. But the details, exposed contact data, licensing information, and support case text, show why supply-chain and SaaS risks can be just as dangerous as traditional exploits. 
For customers, partners, and <a href=\"https:\/\/www.purevpn.com\/vpn-reseller\/\" target=\"_blank\" rel=\"noreferrer noopener\">resellers<\/a>, the breach is a reminder: the weakest link often lives in the shadows of trusted integrations.<\/p>\n\n\n\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@500;600&#038;display=swap\" rel=\"stylesheet\">\n\n<style>\n  .tldr-box {\n    font-family: 'Poppins', sans-serif;\n    max-width: 800px;\n    margin: 40px auto;\n    background: #F9F7FF;\n    border: 1px solid #D9D2F5;\n    border-radius: 12px;\n    box-shadow: 0 8px 25px rgba(166, 143, 239, 0.08);\n    padding: 25px 30px;\n    display: flex;\n    align-items: flex-start;\n  }\n\n  .tldr-title {\n    font-weight: 700;\n    font-size: 28px;\n    color: #4D3B7A;\n    margin-right: 20px;\n    min-width: 90px;\n    text-align: right;\n  }\n\n  .tldr-content ul {\n    margin: 0;\n    padding-left: 20px;\n    color: #4D3B7A;\n    font-size: 15px;\n    line-height: 1.7;\n  }\n\n  .tldr-content li {\n    margin-bottom: 8px;\n  }\n\n  .tldr-content strong {\n    font-weight: 600;\n    color: #4D3B7A;\n  }\n<\/style>\n\n<div class=\"tldr-box\">\n  <div class=\"tldr-title\">TL;DR<\/div>\n  <div class=\"tldr-content\">\n    <ul>\n      <li><strong>Incident:<\/strong> Attackers exploited stolen OAuth tokens from the Salesloft Drift integration to access Zscaler\u2019s Salesforce instance (Aug 8\u201318, 2025).<\/li>\n      <li><strong>Scope:<\/strong> No Zscaler core products or infrastructure compromised; exposure limited to customer contact data, licensing info, and some support case text.<\/li>\n      <li><strong>Hidden Risk:<\/strong> Support tickets sometimes contained plain-text credentials or API keys, raising the chance of follow-on compromise.<\/li>\n      <li><strong>Google Workspace:<\/strong> Drift Email tokens were abused on Aug 9 to access a few integrated mailboxes. 
Workspace itself was not breached.<\/li>\n      <li><strong>Tactics:<\/strong> Attackers deleted Salesforce jobs post-exfiltration to cover tracks. Attribution points to UNC6395 (not ShinyHunters).<\/li>\n      <li><strong>Response:<\/strong> Salesforce revoked all Drift tokens (Aug 20) and later suspended Drift\/Salesloft integrations. Zscaler notified customers and advised vigilance.<\/li>\n      <li><strong>Business Impact:<\/strong> Data exposed could fuel spear-phishing, impersonation, and compliance risks under GDPR\/CCPA.<\/li>\n      <li><strong>Takeaways:<\/strong> Audit OAuth apps, rotate\/revoke stale tokens, avoid storing secrets in tickets, and monitor SaaS logs for anomalies.<\/li>\n    \n    <\/ul>\n  <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Timeline_of_the_Zscaler_Data_Breach\"><\/span>Timeline of the Zscaler Data Breach<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<!-- Zscaler Breach Timeline (Self-contained) -->\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@500;600&#038;display=swap\" rel=\"stylesheet\"\/>\n\n<div class=\"tl-wrap\" id=\"zscaler-timeline\">\n  <div class=\"tl-head\">\n    <h3 class=\"tl-title\"><span class=\"ez-toc-section\" id=\"Timeline_of_the_Zscaler_Data_Breach-2\"><\/span>Timeline of the Zscaler Data Breach<span class=\"ez-toc-section-end\"><\/span><\/h3>\n    <div class=\"tl-range\">Aug 8 \u2013 Aug 28, 2025<\/div>\n  <\/div>\n\n  <div class=\"timeline\" id=\"tlScroll\">\n    <div class=\"tl-spine\" id=\"tlSpine\"><\/div>\n    <div class=\"active-band\" id=\"activeBand\" title=\"Active compromise window (Aug 8\u201318)\"><\/div>\n\n    <!-- 1 -->\n    <div class=\"tl-item active\">\n      <span class=\"tl-dot\" aria-label=\"Aug 8\u201318\"><\/span>\n      <div class=\"tl-card\">\n        <div class=\"tl-when\">Aug 8\u201318, 2025<\/div>\n        <h4 class=\"tl-what\"><span class=\"ez-toc-section\" 
id=\"Compromised_OAuth_refresh_tokens_Drift_%E2%86%92_Salesforce\"><\/span>Compromised OAuth &#038; refresh tokens (Drift \u2192 Salesforce)<span class=\"ez-toc-section-end\"><\/span><\/h4>\n        <p class=\"tl-desc\">Attackers used Drift-issued tokens to access Salesforce environments (including Zscaler), run queries, pull records, and often delete jobs to cover tracks.<\/p>\n      <\/div>\n      <div class=\"tl-spacer\"><\/div>\n    <\/div>\n\n    <!-- 2 -->\n    <div class=\"tl-item\">\n      <span class=\"tl-dot\" aria-label=\"Aug 9\"><\/span>\n      <div class=\"tl-spacer\"><\/div>\n      <div class=\"tl-card\">\n        <div class=\"tl-when\">Aug 9, 2025<\/div>\n        <h4 class=\"tl-what\"><span class=\"ez-toc-section\" id=\"Drift_Email_%E2%86%92_Google_Workspace\"><\/span>Drift Email \u2192 Google Workspace<span class=\"ez-toc-section-end\"><\/span><\/h4>\n        <p class=\"tl-desc\">Drift Email tokens were used to access a small number of Google Workspace mailboxes. Workspace itself wasn\u2019t compromised.<\/p>\n      <\/div>\n    <\/div>\n\n    <!-- 3 -->\n    <div class=\"tl-item\">\n      <span class=\"tl-dot\" aria-label=\"Aug 20\"><\/span>\n      <div class=\"tl-card\">\n        <div class=\"tl-when\">Aug 20, 2025<\/div>\n        <h4 class=\"tl-what\"><span class=\"ez-toc-section\" id=\"Revocation_of_Drift_tokens\"><\/span>Revocation of Drift tokens<span class=\"ez-toc-section-end\"><\/span><\/h4>\n        <p class=\"tl-desc\">Salesforce and Salesloft revoked all active Drift tokens to contain exposure.<\/p>\n      <\/div>\n      <div class=\"tl-spacer\"><\/div>\n    <\/div>\n\n    <!-- 4 -->\n    <div class=\"tl-item\">\n      <span class=\"tl-dot\" aria-label=\"Aug 28\"><\/span>\n      <div class=\"tl-spacer\"><\/div>\n      <div class=\"tl-card\">\n        <div class=\"tl-when\">Aug 28, 2025<\/div>\n        <h4 class=\"tl-what\"><span class=\"ez-toc-section\" id=\"Integrations_disabled_suspended\"><\/span>Integrations disabled \/ 
suspended<span class=\"ez-toc-section-end\"><\/span><\/h4>\n        <p class=\"tl-desc\">Salesforce disabled the Drift connection and later suspended all Salesloft integrations. Attribution was contested (ShinyHunters vs UNC6395).<\/p>\n      <\/div>\n    <\/div>\n  <\/div>\n<\/div>\n\n<style>\n  :root{\n    --ink:#4D3B7A; --ink-soft:#5a4b85; --bg:#F9F7FF; --border:#D9D2F5;\n    --grad1:#8B70D6; --grad2:#A68FEF;\n  }\n  .tl-wrap{\n    font-family:'Poppins',sans-serif;max-width:960px;margin:36px auto;padding:24px;\n    background:var(--bg);border:1px solid var(--border);border-radius:16px;\n    box-shadow:0 10px 28px rgba(166,143,239,.12);color:var(--ink)\n  }\n  .tl-head{display:flex;justify-content:space-between;align-items:center;margin-bottom:8px}\n  .tl-title{font-weight:600;font-size:20px;margin:0}\n  .tl-range{font-size:12px;opacity:.85}\n  .timeline{position:relative;margin-top:14px;padding:18px 0 48px;max-height:520px;overflow-y:auto}\n  .tl-spine{position:absolute;left:50%;transform:translateX(-50%);width:6px;border-radius:999px;\n    background:linear-gradient(180deg, rgba(166,143,239,.15), rgba(139,112,214,.35));\n    box-shadow:inset 0 0 0 1px rgba(166,143,239,.12);top:0;height:100%}\n  .active-band{position:absolute;left:50%;transform:translateX(-50%);width:18px;border-radius:12px;\n    background:linear-gradient(180deg, rgba(166,143,239,.38), rgba(139,112,214,.65));\n    box-shadow:0 6px 16px rgba(166,143,239,.25);top:28px;height:200px}\n  .tl-item{position:relative;display:grid;grid-template-columns:1fr 1fr;gap:28px;margin:28px 0;min-height:140px}\n  .tl-item:nth-child(odd) .tl-card{grid-column:1}\n  .tl-item:nth-child(odd) .tl-spacer{grid-column:2}\n  .tl-item:nth-child(even) .tl-card{grid-column:2}\n  .tl-item:nth-child(even) .tl-spacer{grid-column:1}\n  .tl-dot{position:absolute;left:50%;top:50%;transform:translate(-50%,-50%);\n    width:20px;height:20px;border-radius:50%;background:#fff;border:2px solid var(--border);\n    box-shadow:0 6px 14px 
rgba(166,143,239,.22);display:grid;place-items:center;z-index:2}\n  .tl-dot::after{content:\"\";width:8px;height:8px;border-radius:50%;background:linear-gradient(135deg,var(--grad1),var(--grad2))}\n  .tl-card{background:#fff;border:1px solid #E2DAFA;border-radius:14px;box-shadow:0 10px 24px rgba(166,143,239,.12);\n    padding:16px 18px;transition:transform .12s ease, box-shadow .2s ease, border-color .2s ease}\n  .tl-card:hover{transform:translateY(-2px);box-shadow:0 14px 28px rgba(166,143,239,.18)}\n  .tl-when{font-size:12px;font-weight:600;opacity:.8;margin-bottom:6px}\n  .tl-what{font-size:16px;font-weight:600;margin:0 0 6px}\n  .tl-desc{font-size:13px;color:var(--ink-soft);line-height:1.65;margin:0}\n  @media (max-width:760px){\n    .tl-item{grid-template-columns:1fr;gap:12px}\n    .tl-dot{left:18px;transform:translate(-50%,-50%)}\n  }\n<\/style>\n\n<script>\ndocument.addEventListener(\"DOMContentLoaded\", function(){\n  const scroller = document.getElementById('tlScroll');\n  const spine = document.getElementById('tlSpine');\n  const band  = document.getElementById('activeBand');\n\n  function yWithin(el, ancestor){\n    let y=0,n=el;\n    while(n && n!==ancestor){ y+=n.offsetTop||0; n=n.offsetParent; }\n    return y;\n  }\n  function refresh(){\n    const items = scroller.querySelectorAll('.tl-item');\n    if(!items.length) return;\n    const firstDot=items[0].querySelector('.tl-dot');\n    const lastDot =items[items.length-1].querySelector('.tl-dot');\n    if(!firstDot||!lastDot) return;\n    const top = yWithin(firstDot,scroller)-2;\n    const height = (yWithin(lastDot,scroller)+lastDot.offsetHeight+2)-top;\n    spine.style.top = top+\"px\"; spine.style.height = height+\"px\";\n  }\n  refresh();\n  window.addEventListener('resize',refresh);\n});\n<\/script>\n\n\n\n\n<p>Let\u2019s break down what investigators and Zscaler disclosed about the sequence of events:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Aug 8\u201318, 2025:<\/strong> Attackers 
used compromised OAuth and refresh tokens tied to Drift. These tokens granted access to Salesforce environments, including Zscaler\u2019s. Attackers ran queries, pulled records, and in many cases deleted jobs afterwards to cover their tracks.<br><\/li>\n\n\n\n<li><strong>Aug 9, 2025:<\/strong> In a parallel move, Drift Email tokens were used to access a small number of Google Workspace mailboxes. Only tenants that had explicitly integrated Drift Email were affected. Workspace itself wasn\u2019t compromised.<br><\/li>\n\n\n\n<li><strong>Aug 20, 2025:<\/strong> Salesforce and Salesloft revoked all active Drift tokens to contain exposure.<br><\/li>\n\n\n\n<li><strong>Aug 28, 2025:<\/strong> Salesforce disabled the Drift connection entirely, and later suspended all Salesloft integrations pending investigation.<\/li>\n<\/ul>\n\n\n\n<p>Attribution is muddy. A group known as <strong>ShinyHunters<\/strong> claimed responsibility, but Google\u2019s Threat Intelligence Group linked the campaign to <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/data-theft-salesforce-instances-via-salesloft-drift\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>UNC6395<\/strong><\/a>. Their forensic evidence pointed to the same token replay and Salesforce-focused activity seen across multiple enterprises in August.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Data_Was_Exposed\"><\/span>What Data Was Exposed?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Zscaler confirmed that the attackers accessed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Contact details<\/strong>: Names, business emails, job titles, phone numbers, location data.<br><\/li>\n\n\n\n<li><strong>Commercial\/licensing information<\/strong>: Details tied to customer entitlements and product usage.<br><\/li>\n\n\n\n<li><strong>Support case text<\/strong>: The riskiest category. 
Some tickets contained plain-text credentials, API keys, and cloud tokens pasted in by customers.<\/li>\n<\/ul>\n\n\n\n<p>This wasn\u2019t a case of credit card numbers spilling onto forums. Instead, it\u2019s about <strong>information that makes targeted attacks easier<\/strong>. With job titles and regions, spear-phishing campaigns get sharper. With licensing info, attackers can pose as account managers or service reps. And with any secrets buried in case text, the path to lateral compromise gets shorter.<br><\/p>\n\n\n\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@500;600&#038;display=swap\" rel=\"stylesheet\">\n\n<style>\n  .luxury-cta-container {\n    text-align: center;\n    margin: 40px 0;\n  }\n\n  .luxury-cta-button {\n    background: linear-gradient(135deg, #8B70D6, #A68FEF);\n    color: #fff;\n    padding: 16px 40px;\n    border: none;\n    border-radius: 12px;\n    font-family: 'Poppins', sans-serif;\n    font-weight: 600;\n    font-size: 18px;\n    cursor: pointer;\n    text-decoration: none;\n    display: inline-block;\n    box-shadow: 0 10px 30px rgba(166, 143, 239, 0.25);\n    transition: transform 0.3s ease, box-shadow 0.3s ease;\n  }\n\n  .luxury-cta-button:hover {\n    transform: translateY(-2px);\n    box-shadow: 0 15px 35px rgba(166, 143, 239, 0.35);\n  }\n<\/style>\n\n<div class=\"luxury-cta-container\">\n  <a href=\"https:\/\/chat.openai.com\/?q=Summarize%20this%20article%20from%20https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/\"\n     target=\"_blank\"\n     class=\"luxury-cta-button\">\n    Summarize This Article On ChatGPT\n  <\/a>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_OAuth_Supply-Chain_Attacks_Are_Growing\"><\/span>Why OAuth Supply-Chain Attacks Are Growing?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The breach is a masterclass in why OAuth tokens are such a tempting target.<\/p>\n\n\n\n<p>Unlike passwords, tokens don\u2019t require 
re-authentication once issued. A token is granted after the user has already logged in and passed MFA, so presenting it later triggers no login or MFA prompt. As long as the token is valid, the system trusts it. Attackers love them for that reason: they\u2019re silent, persistent, and often overlooked until it\u2019s too late.<\/p>\n\n\n\n<p>In this case, Drift was the Trojan horse. Companies trusted the integration, granted permissions, and left the tokens in place. When attackers compromised Drift, they inherited all that trust.<\/p>\n\n\n\n<p>This isn\u2019t unique to <a href=\"https:\/\/www.zscaler.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Zscaler<\/strong><\/a>. SaaS-to-SaaS compromises are rising because enterprises rarely audit connected apps. Tokens sit unused but valid. Permissions are granted broadly. Once stolen, the tokens work until revoked.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Zscalers_Response\"><\/span>Zscaler\u2019s Response<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@400;600&#038;display=swap\" rel=\"stylesheet\"\/>\n\n<style>\n  :root{\n    --ink:#4D3B7A; --ink-soft:#6a5d96;\n    --bg:#F9F7FF; --card:#ffffff; --border:#E4DEF7;\n    --brand:#8B70D6;\n    --good:#199E7A; --mid:#B8851A; --bad:#B83E3E;\n  }\n\n  *{box-sizing:border-box}\n  body{margin:0; background:var(--bg); color:var(--ink); font-family:Poppins,system-ui,sans-serif}\n\n  .wrap{max-width:760px; margin:48px auto; padding:0 18px}\n  .card{\n    position:relative; background:var(--card); border:1px solid var(--border); border-radius:16px;\n    box-shadow:0 8px 24px rgba(166,143,239,.10); padding:22px 20px;\n  }\n  .ribbon{position:absolute; inset:0 0 auto 0; height:8px; border-radius:16px 16px 0 0;\n    background:linear-gradient(90deg, rgba(139,112,214,.28), rgba(166,143,239,.22));}\n\n  h1{margin:6px 0 6px; font-size:20px; font-weight:600}\n  .sub{margin:0 0 18px; font-size:12px; color:var(--ink-soft)}\n\n  
.helper{background:#FAF7FF; border:1px solid var(--border); border-radius:12px;\n    padding:10px 14px; font-size:13px; margin-bottom:16px; color:var(--ink-soft)}\n\n  .grid{display:grid; grid-template-columns:1fr 1fr; gap:12px}\n  @media (max-width:720px){ .grid{grid-template-columns:1fr} }\n\n  .field{display:flex; flex-direction:column; gap:6px}\n  label{font-size:13px; font-weight:600}\n  input{\n    width:100%; padding:12px 12px; border:1px solid var(--border); border-radius:12px;\n    font:600 14px\/1 Poppins,system-ui,sans-serif; color:var(--ink);\n  }\n  input:focus{outline:none; box-shadow:0 0 0 4px #EDE7FF}\n\n  .hint{font-size:12px; color:var(--ink-soft); margin-top:4px}\n\n  .actions{display:flex; gap:10px; margin-top:12px}\n  button{\n    appearance:none; border:1px solid var(--border); background:#fff; color:var(--ink);\n    padding:10px 12px; border-radius:10px; font-weight:600; cursor:pointer;\n    transition:transform .08s ease, box-shadow .18s ease, background .18s ease;\n  }\n  button:focus-visible{outline:none; box-shadow:0 0 0 4px #EDE7FF}\n  .primary{background:var(--brand); border-color:var(--brand); color:#fff; box-shadow:0 8px 18px rgba(139,112,214,.18)}\n  .primary:hover{filter:brightness(.96); transform:translateY(-1px)}\n  .ghost:hover{background:#FAF7FF}\n\n  .results{display:none; margin-top:16px}\n  .bands{display:grid; grid-template-columns:1fr 1fr 1fr; gap:12px}\n  @media (max-width:720px){ .bands{grid-template-columns:1fr} }\n\n  .band{border:1px solid var(--border); border-radius:14px; background:#fff; padding:14px;\n    box-shadow:0 8px 18px rgba(166,143,239,.06)}\n  .band h3{margin:0 0 6px; font-size:14px; font-weight:700}\n  .band small{display:block; color:var(--ink-soft); margin-bottom:8px}\n  .val{font-size:20px; font-weight:700; margin:2px 0}\n  .good{color:var(--good)} .mid{color:var(--mid)} .bad{color:var(--bad)}\n  .assump{margin:8px 0 0; padding-left:16px; font-size:12px; color:var(--ink-soft)}\n  .assump 
li{margin:.22rem 0}\n\n  .note{margin-top:10px; font-size:12px; color:var(--ink-soft)}\n<\/style>\n\n<div class=\"wrap\">\n  <div class=\"card\" id=\"estimator\">\n    <div class=\"ribbon\" aria-hidden=\"true\"><\/div>\n\n    <h1><span class=\"ez-toc-section\" id=\"Financial_Impact_Estimator\"><\/span>Financial Impact Estimator<span class=\"ez-toc-section-end\"><\/span><\/h1>\n    <p class=\"sub\">Estimate potential revenue exposure if customer data is phished or abused post-breach.<\/p>\n\n    <div class=\"helper\">\n      Not sure about your numbers? Try the defaults below to see scale. Adjust to fit your own business.\n    <\/div>\n\n    <div class=\"grid\">\n      <div class=\"field\">\n        <label for=\"accounts\">Number of Salesforce users<\/label>\n        <input id=\"accounts\" type=\"number\" min=\"0\" step=\"1\" value=\"1000\">\n        <div class=\"hint\">Default: 1,000<\/div>\n      <\/div>\n      <div class=\"field\">\n        <label for=\"arpa\">Average revenue per account<\/label>\n        <input id=\"arpa\" type=\"number\" min=\"0\" step=\"0.01\" value=\"1200\">\n        <div class=\"hint\">Default: $1,200 annually<\/div>\n      <\/div>\n    <\/div>\n\n    <div class=\"actions\">\n      <button class=\"primary\" type=\"button\" id=\"calc\">Estimate Exposure<\/button>\n      <button class=\"ghost\" type=\"button\" id=\"reset\">Reset<\/button>\n    <\/div>\n\n    <div class=\"results\" id=\"results\">\n      <div class=\"bands\">\n        <div class=\"band\">\n          <h3 class=\"good\"><span class=\"ez-toc-section\" id=\"Conservative\"><\/span>Conservative<span class=\"ez-toc-section-end\"><\/span><\/h3>\n          <small>1% targeted succeed \u00d7 20% revenue impact<\/small>\n          <div class=\"val\" id=\"outCon\">\u2014<\/div>\n        <\/div>\n        <div class=\"band\">\n          <h3 class=\"mid\"><span class=\"ez-toc-section\" id=\"Expected\"><\/span>Expected<span class=\"ez-toc-section-end\"><\/span><\/h3>\n          <small>3% 
targeted succeed \u00d7 30% revenue impact<\/small>\n          <div class=\"val\" id=\"outExp\">\u2014<\/div>\n        <\/div>\n        <div class=\"band\">\n          <h3 class=\"bad\"><span class=\"ez-toc-section\" id=\"Severe\"><\/span>Severe<span class=\"ez-toc-section-end\"><\/span><\/h3>\n          <small>8% targeted succeed \u00d7 40% revenue impact<\/small>\n          <div class=\"val\" id=\"outSev\">\u2014<\/div>\n        <\/div>\n      <\/div>\n\n      <p class=\"note\">\n        Exposure is an estimate for planning\u2014actual impact varies by token scopes, detection speed, and incident response.\n      <\/p>\n    <\/div>\n  <\/div>\n<\/div>\n\n<script>\n(function(){\n  const $ = id => document.getElementById(id);\n  const accountsEl = $('accounts');\n  const arpaEl = $('arpa');\n  const outCon = $('outCon'), outExp = $('outExp'), outSev = $('outSev');\n  const results = $('results');\n\n  const fmt = (n) => '$ ' + n.toLocaleString(undefined, {maximumFractionDigits: 0});\n\n  const SCENARIOS = {\n    con: {sr: 0.01, impact: 0.20},\n    exp: {sr: 0.03, impact: 0.30},\n    sev: {sr: 0.08, impact: 0.40}\n  };\n\n  function calc(){\n    const accounts = Number(accountsEl.value) || 0;\n    const arpa = Number(arpaEl.value) || 0;\n    if (accounts <= 0 || arpa <= 0){\n      results.style.display = 'none';\n      return;\n    }\n\n    const con = accounts * arpa * SCENARIOS.con.sr * SCENARIOS.con.impact;\n    const exp = accounts * arpa * SCENARIOS.exp.sr * SCENARIOS.exp.impact;\n    const sev = accounts * arpa * SCENARIOS.sev.sr * SCENARIOS.sev.impact;\n\n    outCon.textContent = fmt(con);\n    outExp.textContent = fmt(exp);\n    outSev.textContent = fmt(sev);\n\n    results.style.display = 'block';\n  }\n\n  function resetAll(){\n    accountsEl.value = 1000;\n    arpaEl.value = 1200;\n    calc();\n  }\n\n  $('calc').addEventListener('click', calc);\n  $('reset').addEventListener('click', resetAll);\n\n  \/\/ auto-run once with defaults\n  
calc();\n})();\n<\/script>\n\n\n\n<p>Zscaler\u2019s public statement emphasized a few critical points:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hackers accessed Zscaler\u2019s <strong>Salesforce<\/strong> instance using stolen Drift OAuth tokens.<br><\/li>\n\n\n\n<li><strong>Core products and infrastructure<\/strong> were not touched.<br><\/li>\n\n\n\n<li>Compromised tokens were <strong>revoked<\/strong> once discovered.<br><\/li>\n\n\n\n<li>Customers were <strong>notified<\/strong> and advised to watch for phishing.<\/li>\n<\/ul>\n\n\n\n<p>The company also worked directly with Salesforce as the platform vendor, aligning on containment measures like revoking Drift tokens and later disabling integrations altogether.<\/p>\n\n\n\n<p>From a communication standpoint, Zscaler moved quickly. The transparency helped, but for security buyers, the takeaway isn\u2019t just about Zscaler\u2019s speed; it\u2019s about whether their own <a href=\"https:\/\/www.purewl.com\/industries\/white-label-saas\/\" target=\"_blank\" rel=\"noreferrer noopener\">SaaS <\/a>monitoring would catch a similar attack inside their environments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Lessons_for_Businesses\"><\/span>Lessons for Businesses<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\"\/>\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"\/>\n<title>Token Lifecycle Visualizer<\/title>\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@400;600;700&#038;display=swap\" rel=\"stylesheet\"\/>\n\n<style>\n  :root{\n    --ink:#4D3B7A; --ink-soft:#6a5d96;\n    --bg:#F9F7FF; --card:#ffffff; --border:#E4DEF7;\n    --brand:#8B70D6; --brand2:#A68FEF;\n    --ok:#16a34a; --warn:#f59e0b; --bad:#ef4444;\n    --shadow:0 10px 28px rgba(166,143,239,.12);\n  }\n  *{box-sizing:border-box}\n  body{margin:0; background:var(--bg); color:var(--ink); font-family:Poppins,system-ui,sans-serif}\n\n  
.wrap{max-width:960px; margin:48px auto; padding:0 18px}\n  .viz{\n    background:var(--card); border:1px solid var(--border); border-radius:18px; box-shadow:var(--shadow);\n    padding:22px 18px 18px; position:relative; overflow:hidden;\n  }\n  .ribbon{position:absolute; inset:0 0 auto 0; height:8px; border-radius:18px 18px 0 0;\n    background:linear-gradient(90deg, rgba(139,112,214,.28), rgba(166,143,239,.22));}\n  .head{display:flex; justify-content:space-between; align-items:end; gap:12px; margin-bottom:10px}\n  .title{margin:0; font-size:20px; font-weight:700; letter-spacing:.2px}\n  .sub{margin:2px 0 0; font-size:12px; color:var(--ink-soft)}\n\n  \/* Track *\/\n  .track{\n    position:relative; height:140px; margin:10px 0 6px; padding:0 8px;\n  }\n  .spine{\n    position:absolute; left:26px; right:26px; top:50%; height:6px; transform:translateY(-50%);\n    background:#F1ECFF; border:1px solid var(--border); border-radius:999px; overflow:hidden;\n  }\n  .progress{\n    position:absolute; left:0; top:0; height:100%; width:0%;\n    background:linear-gradient(90deg, var(--brand), var(--brand2), var(--warn), var(--bad));\n    transition:width .4s ease;\n  }\n  \/* light ticks for elegance *\/\n  .spine::after{\n    content:\"\"; position:absolute; inset:0; pointer-events:none;\n    background:repeating-linear-gradient(90deg, transparent 0 56px, rgba(139,112,214,.08) 56px 57px);\n  }\n\n  .nodes{\n    position:absolute; inset:0; display:flex; align-items:center; justify-content:space-between; padding:0 18px; list-style:none; margin:0;\n  }\n  .node{\n    position:relative; width:28px; height:28px; border-radius:999px; background:#fff; border:2px solid var(--border);\n    display:grid; place-items:center; z-index:2; transition:transform .18s ease, box-shadow .18s ease, border-color .18s ease;\n  }\n  .node .inner{width:10px; height:10px; border-radius:999px; background:linear-gradient(135deg,var(--brand),var(--brand2))}\n  .node.past{border-color:transparent; 
box-shadow:0 10px 22px rgba(139,112,214,.22)}\n  .node.past .inner{background:linear-gradient(135deg,var(--brand2),var(--brand))}\n  .node.active{transform:scale(1.08); border-color:transparent; box-shadow:0 12px 28px rgba(139,112,214,.28)}\n  .node.badge::after{ \/* small \"No MFA\" chip at step 3 *\/\n    content:\"No MFA required\"; position:absolute; top:-30px; left:50%; transform:translateX(-50%);\n    font-size:10px; font-weight:700; color:#7a4e0a; background:#FFF7E6; border:1px solid #FFE0AD; border-radius:999px; padding:4px 8px; white-space:nowrap;\n  }\n\n  \/* Panel *\/\n  .panel{\n    border:1px solid var(--border); border-radius:14px; padding:14px; background:#fff; box-shadow:0 6px 18px rgba(166,143,239,.08)\n  }\n  .panel-head{display:flex; align-items:center; gap:10px; margin-bottom:6px; flex-wrap:wrap}\n  .step-index{font-weight:700; font-size:12px; padding:4px 8px; border-radius:999px; background:#F1ECFF; border:1px solid var(--border)}\n  .danger{color:#8a2b2b; background:#FFECEC; border-color:#ffd3d3}\n  .panel-title{margin:0; font-size:16px; font-weight:700}\n  .panel-body{font-size:14px; color:var(--ink-soft); line-height:1.6}\n  .why{margin:8px 0 0; padding-left:18px}\n  .why li{margin:.25rem 0}\n\n  \/* Controls *\/\n  .controls{display:flex; gap:10px; margin-top:12px; flex-wrap:wrap}\n  .btn{\n    appearance:none; border:1px solid var(--border); background:#fff; color:var(--ink);\n    padding:10px 12px; border-radius:10px; font-weight:600; cursor:pointer;\n    transition:transform .08s ease, box-shadow .18s ease, background .18s ease;\n  }\n  .btn:focus-visible{outline:none; box-shadow:0 0 0 4px #EDE7FF}\n  .primary{background:var(--brand); border-color:var(--brand); color:#fff; box-shadow:0 8px 18px rgba(139,112,214,.18)}\n  .primary:hover{filter:brightness(.96); transform:translateY(-1px)}\n  .ghost:hover{background:#FAF7FF}\n  .play{display:flex; align-items:center; gap:8px}\n  .play-dot{width:8px; height:8px; border-radius:999px; 
background:#c9c1ee; box-shadow:0 0 0 0 rgba(166,143,239,.0); transition:box-shadow .3s ease}\n  .playing .play-dot{box-shadow:0 0 0 6px rgba(166,143,239,.15)}\n\n  \/* Mild state tint when in danger steps *\/\n  .viz.danger .panel{border-color:#ffd3d3}\n<\/style>\n<\/head>\n<body>\n  <div class=\"wrap\">\n    <section class=\"viz\" id=\"viz\" aria-label=\"Token Lifecycle Visualizer\">\n      <div class=\"ribbon\" aria-hidden=\"true\"><\/div>\n      <div class=\"head\">\n        <div>\n          <h2 class=\"title\"><span class=\"ez-toc-section\" id=\"Token_Lifecycle_Visualizer\"><\/span>Token Lifecycle Visualizer<span class=\"ez-toc-section-end\"><\/span><\/h2>\n          <p class=\"sub\">User authorizes \u2192 token issued \u2192 trusted access (no MFA) \u2192 token stolen \u2192 attacker uses token.<\/p>\n        <\/div>\n      <\/div>\n\n      <!-- Track -->\n      <div class=\"track\" id=\"track\">\n        <div class=\"spine\"><div class=\"progress\" id=\"progress\"><\/div><\/div>\n        <ol class=\"nodes\" aria-label=\"Lifecycle steps\">\n          <li class=\"node\" data-step=\"0\" title=\"User authorizes app\"><span class=\"inner\"><\/span><\/li>\n          <li class=\"node\" data-step=\"1\" title=\"OAuth token created\"><span class=\"inner\"><\/span><\/li>\n          <li class=\"node badge\" data-step=\"2\" title=\"Token valid (No MFA required)\"><span class=\"inner\"><\/span><\/li>\n          <li class=\"node\" data-step=\"3\" title=\"Token stolen\"><span class=\"inner\"><\/span><\/li>\n          <li class=\"node\" data-step=\"4\" title=\"Attacker gains access\"><span class=\"inner\"><\/span><\/li>\n        <\/ol>\n      <\/div>\n\n      <!-- Panel -->\n      <div class=\"panel\" role=\"region\" aria-live=\"polite\">\n        <div class=\"panel-head\">\n          <span class=\"step-index\" id=\"stepIndex\">Step 1 of 5<\/span>\n          <h3 class=\"panel-title\" id=\"panelTitle\"><span class=\"ez-toc-section\" id=\"User_authorizes_app\"><\/span>User 
authorizes app<span class=\"ez-toc-section-end\"><\/span><\/h3>\n        <\/div>\n        <div class=\"panel-body\" id=\"panelBody\">\n          The user consents to an application\u2019s requested scopes (permissions). Trust is established between your tenant and the app.\n          <ul class=\"why\">\n            <li>Enterprises often approve integrations broadly to \u201cunblock\u201d teams.<\/li>\n          <\/ul>\n        <\/div>\n      <\/div>\n\n      <!-- Controls -->\n      <div class=\"controls\">\n        <button class=\"btn ghost\" id=\"prevBtn\" type=\"button\" aria-label=\"Previous step\">\u25c0\ufe0e Previous<\/button>\n        <button class=\"btn primary\" id=\"nextBtn\" type=\"button\" aria-label=\"Next step\">Next \u25b6\ufe0e<\/button>\n        <button class=\"btn play\" id=\"playBtn\" type=\"button\" aria-label=\"Auto-play\">\n          <span class=\"play-dot\" aria-hidden=\"true\"><\/span> Auto-play\n        <\/button>\n        <button class=\"btn ghost\" id=\"resetBtn\" type=\"button\">Reset<\/button>\n      <\/div>\n    <\/section>\n  <\/div>\n\n<script>\n(function(){\n  const steps = [\n    {\n      title: \"User authorizes app\",\n      body: `The user consents to an application\u2019s requested scopes (permissions). Trust is established between your tenant and the app.`,\n      why: [\n        \"Enterprises often approve integrations broadly to \u201cunblock\u201d teams.\"\n      ],\n      danger: false\n    },\n    {\n      title: \"OAuth token created\",\n      body: `The app receives access\/refresh tokens for the granted scopes.`,\n      why: [\n        \"Tokens are bearer credentials\u2014possession implies permission.\"\n      ],\n      danger: false\n    },\n    {\n      title: \"Token valid (no MFA required)\",\n      body: `As long as the token is valid, services trust it without re-auth. 
No MFA prompts are required on each use.`,\n      why: [\n        \"Long-lived refresh tokens can silently mint new access tokens.\",\n        \"Tokens sit unused but valid unless routinely rotated or revoked.\"\n      ],\n      danger: false\n    },\n    {\n      title: \"Token stolen\",\n      body: `An attacker obtains the token (e.g., vendor breach, logs, phishing, host compromise).`,\n      why: [\n        \"SaaS-to-SaaS trust is inherited\u2014if a connected vendor is compromised, your token can be too.\",\n        \"Monitoring often focuses on passwords, not tokens.\"\n      ],\n      danger: true\n    },\n    {\n      title: \"Attacker gains access\",\n      body: `The attacker calls APIs\/services under the token\u2019s scopes\u2014quietly, without MFA. Activity can blend in as the app.`,\n      why: [\n        \"Abuse persists until the token is revoked or expires.\",\n        \"Broad scopes enable data exfiltration and lateral movement.\"\n      ],\n      danger: true\n    }\n  ];\n\n  \/\/ Elements\n  const viz = document.getElementById('viz');\n  const progress = document.getElementById('progress');\n  const nodes = Array.from(document.querySelectorAll('.node'));\n  const stepIndex = document.getElementById('stepIndex');\n  const panelTitle = document.getElementById('panelTitle');\n  const panelBody = document.getElementById('panelBody');\n  const prevBtn = document.getElementById('prevBtn');\n  const nextBtn = document.getElementById('nextBtn');\n  const playBtn = document.getElementById('playBtn');\n\n  const resetBtn = document.getElementById('resetBtn');\n\n  let i = 0;\n  let playing = false;\n  let timer = null;\n\n  function render(){\n    \/\/ progress width as fraction of path (0..100)\n    const percent = (i\/(steps.length-1))*100;\n    progress.style.width = percent + '%';\n\n    \/\/ nodes state\n    nodes.forEach((n, idx)=>{\n      n.classList.toggle('past', idx < i);\n      n.classList.toggle('active', idx === i);\n      
n.setAttribute('aria-current', idx === i ? 'step' : 'false');\n    });\n\n    \/\/ panel\n    const s = steps[i];\n    stepIndex.textContent = `Step ${i+1} of ${steps.length}`;\n    stepIndex.classList.toggle('danger', !!s.danger);\n    panelTitle.textContent = s.title;\n\n    panelBody.innerHTML = `\n      ${s.body}\n      <ul class=\"why\">\n        ${s.why.map(x=>`<li>${x}<\/li>`).join('')}\n      <\/ul>\n    `;\n\n    \/\/ tint container on danger\n    viz.classList.toggle('danger', !!s.danger);\n\n    \/\/ buttons\n    prevBtn.disabled = (i===0);\n    nextBtn.disabled = (i===steps.length-1);\n  }\n\n  function next(){\n    if (i < steps.length-1){ i++; render(); }\n    else stop();\n  }\n  function prev(){\n    if (i > 0){ i--; render(); }\n  }\n  function reset(){\n    i = 0; stop(); render();\n  }\n  function play(){\n    if (playing) { stop(); return; }\n    playing = true;\n    document.body.classList.add('playing');\n    tick();\n  }\n  function stop(){\n    playing = false;\n    document.body.classList.remove('playing');\n    if (timer){ clearTimeout(timer); timer = null; }\n  }\n  function tick(){\n    if (!playing) return;\n    next();\n    timer = setTimeout(()=>{\n      if (i < steps.length-1) tick();\n      else stop();\n    }, 1400);\n  }\n\n  \/\/ interactions\n  nextBtn.addEventListener('click', next);\n  prevBtn.addEventListener('click', prev);\n  resetBtn.addEventListener('click', reset);\n  playBtn.addEventListener('click', play);\n\n  \/\/ click on a node to jump\n  nodes.forEach(n => n.addEventListener('click', ()=>{\n    i = parseInt(n.dataset.step, 10); render();\n  }));\n\n  \/\/ keyboard shortcuts\n  document.addEventListener('keydown', (e)=>{\n    if (e.key === 'ArrowRight') next();\n    if (e.key === 'ArrowLeft')  prev();\n  });\n\n  \/\/ init\n  render();\n})();\n<\/script>\n<\/body>\n<\/html>\n\n\n\n<p>If you\u2019re running Salesforce, Google Workspace, or any other SaaS with third-party integrations, here\u2019s what this breach 
tells you:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Stop putting secrets in tickets.<\/strong> Support case text is not a password vault. If you need to share keys, use secure transfer mechanisms. Assume tickets may be exposed in a breach.<br><\/li>\n\n\n\n<li><strong>Audit your OAuth tokens.<\/strong> Know which connected apps have access to your systems. If you don\u2019t use them, revoke them.<br><\/li>\n\n\n\n<li><strong>Rotate aggressively.<\/strong> Don\u2019t wait for a breach to refresh <a href=\"https:\/\/www.purewl.com\/developers\/\">API keys and tokens<\/a>. Build it into your routine.<br><\/li>\n\n\n\n<li><strong>Harden your permissions.<\/strong> Use least-privilege scopes. Avoid \u201cAPI Enabled\u201d on profiles that don\u2019t need it. Enforce login IP ranges.<br><\/li>\n\n\n\n<li><strong>Prepare for phishing waves.<\/strong> Expect attackers to reference real case numbers or product names in lures. Train staff and add verification steps.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_the_Breach_Reveals_About_Zscalers_Own_Stack\"><\/span>What the Breach Reveals About Zscaler\u2019s Own Stack?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"876\" height=\"493\" src=\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-16.png\" alt=\"Venn diagram categorizing Zscaler products in response to the Zscaler data breach, featuring EASM, threat hunting, identity, and ITDR capabilities.\" class=\"wp-image-3976\" srcset=\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-16.png 876w, https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-16-711x400.png 711w, https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-16-768x432.png 768w\" sizes=\"auto, (max-width: 
876px) 100vw, 876px\" \/><\/figure>\n\n\n\n<p>Ironically, Zscaler markets solutions that address some of these risks. The breach doesn\u2019t invalidate their products, but it does highlight the importance of using them fully:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Zscaler EASM (External Attack Surface Management):<\/strong> Helps identify exposed SaaS connectors, misconfigured apps, and shadow IT. A tool like this can catch risky integrations like Drift before they become attack paths.<br><\/li>\n\n\n\n<li><strong>Zscaler breach predictor:<\/strong> Uses modeling to simulate exploit paths and highlight weak links in identity or SaaS access.<br><\/li>\n\n\n\n<li><strong>Zscaler ITDR (Identity Threat Detection and Response):<\/strong> Detects suspicious token usage, anomalous session activity, and identity abuse consistent with what happened here.<br><\/li>\n\n\n\n<li><strong>Zscaler threat hunting:<\/strong> Provides proactive searches across tenant telemetry to spot stealthy behavior like job deletions.<br><\/li>\n\n\n\n<li><strong>Zscaler UVM automation:<\/strong> Answers the classic training question: <em>Which of the following action does Zscaler UVM automate?<\/em> \u2192 UVM automates vulnerability posture updates and remediation workflows, so gaps get closed quickly.<br><\/li>\n\n\n\n<li><strong>Zscaler Risk360:<\/strong> To the question <em>How does Zscaler Risk360 help organizations allocate their cybersecurity budget?<\/em>\u2014it quantifies financial loss exposure across risk vectors, letting CISOs prioritize budget by business impact.<br><\/li>\n\n\n\n<li><strong>Zscaler Identity:<\/strong> Enforces strong identity controls and ties SaaS access back to verified users, reducing the persistence of stolen tokens.<\/li>\n<\/ul>\n\n\n\n<p>The irony is clear: tools exist to prevent or detect these attacks, but supply-chain trust remains a blind spot.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"Minute_Details_Many_Reports_Missed\"><\/span>Minute Details Many Reports Missed<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"876\" height=\"493\" src=\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123526\/Port-Forwarding-2025-09-02T171720.258.png\" alt=\"Visual iceberg diagram unveiling hidden depths of the Zscaler data breach, highlighting job deletion stealth, workspace scope, AppExchange actions, and attribution caution.\" class=\"wp-image-3979\" srcset=\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123526\/Port-Forwarding-2025-09-02T171720.258.png 876w, https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123526\/Port-Forwarding-2025-09-02T171720.258-711x400.png 711w, https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123526\/Port-Forwarding-2025-09-02T171720.258-768x432.png 768w\" sizes=\"auto, (max-width: 876px) 100vw, 876px\" \/><\/figure>\n\n\n\n<p>Most coverage of the Zscaler data breach was high level. Here are details that didn\u2019t always make the cut, but matter:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Job deletion as stealth:<\/strong> Attackers deleted jobs in Salesforce after running queries, so absence of jobs is itself a hunting indicator.<br><\/li>\n\n\n\n<li><strong>AppExchange actions:<\/strong> Salesforce not only revoked tokens but fully <strong>removed Drift<\/strong> and later disabled <strong>all Salesloft integrations<\/strong>. That matters because even tenants who never noticed Drift were impacted by revocation.<br><\/li>\n\n\n\n<li><strong>Workspace scope:<\/strong> Google Workspace wasn\u2019t breached. Only mailboxes explicitly tied to Drift Email were accessed on <strong>Aug 9<\/strong>. 
Over-rotating your entire domain isn\u2019t necessary unless you had that integration.<br><\/li>\n\n\n\n<li><strong>Attribution caution:<\/strong> ShinyHunters claimed the breach, but Google\u2019s analysis attributes it to UNC6395. For enterprises, attribution isn\u2019t as important as IOCs, but it shows how public claims muddy response.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Companies_Should_Do_Now\"><\/span>What Companies Should Do Now?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"876\" height=\"493\" src=\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-17.png\" alt=\"Infographic showing six steps to enhance Salesforce security against the Zscaler data breach, including vendor risk, app scopes, and compliance planning.\" class=\"wp-image-3977\" srcset=\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-17.png 876w, https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-17-711x400.png 711w, https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123255\/image-17-768x432.png 768w\" sizes=\"auto, (max-width: 876px) 100vw, 876px\" \/><\/figure>\n\n\n\n<p>Here\u2019s a step-by-step playbook:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Hunt Salesforce logs:<\/strong> Review Connected App auth, unusual SOQL queries, bulk job activity, and deletions from Aug 8\u201318.<br><\/li>\n\n\n\n<li><strong>Search case text:<\/strong> Look for strings like AKIA, SNOWFLAKE, client_secret, password. 
If found, rotate those secrets.<br><\/li>\n\n\n\n<li><strong>Revoke unused apps:<\/strong> Remove Drift or other inactive integrations from Salesforce and Workspace.<br><\/li>\n\n\n\n<li><strong>Tighten app scopes:<\/strong> Restrict permissions to the bare minimum.<br><\/li>\n\n\n\n<li><strong>Revisit vendor risk policies:<\/strong> This wasn\u2019t a bug in Salesforce itself; the exposure came through its connected app ecosystem. Vendor risk reviews must cover integrations, not just the core platform.<br><\/li>\n\n\n\n<li><strong>Plan comms and compliance:<\/strong> Personal data like names and emails may trigger GDPR\/CCPA reporting. If secrets touch regulated systems, prepare notifications.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Beyond_SaaS_Controls_The_Case_for_VPNs\"><\/span>Beyond SaaS Controls: The Case for VPNs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>While OAuth governance and SaaS monitoring are critical, there\u2019s a gap that still needs coverage: <strong>data in transit<\/strong>. Once information leaves a device, it\u2019s at risk. 
VPN encryption closes that hole on the network path. It does not stop a stolen OAuth token from being used against a SaaS API, so it complements the token controls above rather than replacing them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"PureVPN_White_Label_-_Extending_SaaS_Security\"><\/span>PureVPN White Label - Extending SaaS Security<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Resellers and <a href=\"https:\/\/www.purewl.com\/industries\/managed-service-providers\/\" target=\"_blank\" rel=\"noreferrer noopener\">MSPs <\/a>using PureVPN White Label can add value by pairing SaaS controls with VPN security:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Offer <strong>per-app or full-device VPN<\/strong> that aligns with mobile or EMM policies.<br><\/li>\n\n\n\n<li>Guarantee <strong>end-to-end encryption<\/strong> for sensitive traffic.<br><\/li>\n\n\n\n<li>Help clients demonstrate compliance with HIPAA, ISO 27001, GDPR, and similar frameworks.<br><\/li>\n\n\n\n<li>Create recurring revenue streams while solving a compliance requirement.<\/li>\n<\/ul>\n\n\n\n<p>This is where resellers differentiate. SaaS vendors protect their platforms, but customers need <strong>end-to-end security<\/strong>. 
Pairing VPN encryption with SaaS security delivers layered defense.<\/p>\n\n\n\n<div class=\"wp-block-buttons text-center is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-1 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-text-color has-background has-link-color wp-element-button\" href=\"http:\/\/purevpn.com\/white-label\/\" style=\"color:#fdfafa;background-color:#b15aff\" target=\"_blank\" rel=\"noreferrer noopener\">Join PureVPN's White Label Program<\/a><\/div>\n<\/div>\n\n\n\n<div style=\"height:52px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@500;600&#038;display=swap\" rel=\"stylesheet\">\n\n<style>\n  .faq-container {\n    font-family: 'Poppins', sans-serif;\n    max-width: 700px;\n    margin: 40px auto;\n    background: #F9F7FF;\n    border: 1px solid #D9D2F5;\n    border-radius: 18px;\n    box-shadow: 0 10px 30px rgba(166, 143, 239, 0.12);\n    padding: 30px;\n  }\n\n  .faq-title {\n    font-size: 20px;\n    font-weight: 600;\n    color: #4D3B7A;\n    margin-bottom: 20px;\n    text-align: center;\n  }\n\n  .faq-item {\n    background: #FFFFFF;\n    border: 1px solid #E2DAFA;\n    border-radius: 12px;\n    margin-bottom: 12px;\n    overflow: hidden;\n    box-shadow: 0 5px 20px rgba(166, 143, 239, 0.08);\n  }\n\n  .faq-question {\n    background: #F3EEFF;\n    padding: 15px;\n    cursor: pointer;\n    font-weight: 500;\n    color: #4D3B7A;\n    display: flex;\n    justify-content: space-between;\n    align-items: center;\n    font-size: 15px;\n  }\n\n  .faq-question:hover {\n    background: #EDE6FF;\n  }\n\n  .faq-answer {\n    display: none;\n    padding: 15px;\n    color: #5a4b85;\n    font-size: 14px;\n    line-height: 1.6;\n    border-top: 1px solid #E2DAFA;\n  }\n\n  .faq-icon {\n    font-weight: 600;\n    font-size: 18px;\n    transition: transform 0.3s ease;\n  }\n\n  
.faq-item.active .faq-icon {\n    transform: rotate(45deg);\n  }\n<\/style>\n\n<div class=\"faq-container\">\n  <div class=\"faq-title\">Frequently Asked Questions<\/div>\n\n  <div class=\"faq-item\">\n    <div class=\"faq-question\">\n      What happened in the Zscaler data breach?\n      <span class=\"faq-icon\">+<\/span>\n    <\/div>\n    <div class=\"faq-answer\">\n      Attackers stole OAuth tokens from the Drift integration, which gave them access to Zscaler\u2019s Salesforce instance. They exposed customer contact info and some support case text, but Zscaler\u2019s products and infrastructure were not compromised.\n    <\/div>\n  <\/div>\n\n  <div class=\"faq-item\">\n    <div class=\"faq-question\">\n      What kind of data was exposed?\n      <span class=\"faq-icon\">+<\/span>\n    <\/div>\n    <div class=\"faq-answer\">\n      Names, emails, phone numbers, job titles, licensing details, and plain-text support case content. In some cases, that could include sensitive credentials pasted into tickets.\n    <\/div>\n  <\/div>\n\n  <div class=\"faq-item\">\n    <div class=\"faq-question\">\n      Was Google Workspace also compromised?\n      <span class=\"faq-icon\">+<\/span>\n    <\/div>\n    <div class=\"faq-answer\">\n      No. Workspace itself was not breached. Only a small number of mailboxes integrated with Drift Email were accessed briefly on Aug 9.\n    <\/div>\n  <\/div>\n\n  <div class=\"faq-item\">\n    <div class=\"faq-question\">\n      Who is behind the breach?\n      <span class=\"faq-icon\">+<\/span>\n    <\/div>\n    <div class=\"faq-answer\">\n      A group known as UNC6395 is attributed by Google Threat Intelligence. 
Another group, ShinyHunters, claimed responsibility, but evidence doesn\u2019t support their claim.\n    <\/div>\n  <\/div>\n\n  <div class=\"faq-item\">\n    <div class=\"faq-question\">\n      What should businesses do next?\n      <span class=\"faq-icon\">+<\/span>\n    <\/div>\n    <div class=\"faq-answer\">\n      Audit and revoke Drift tokens, hunt Salesforce logs, rotate any exposed secrets, and strengthen OAuth governance. Monitor for phishing and prepare compliance notifications if needed.\n    <\/div>\n  <\/div>\n<\/div>\n\n<script>\n  document.querySelectorAll('.faq-question').forEach(question => {\n    question.addEventListener('click', () => {\n      const item = question.parentElement;\n      const answer = question.nextElementSibling;\n      item.classList.toggle('active');\n\n      if (answer.style.display === 'block') {\n        answer.style.display = 'none';\n      } else {\n        document.querySelectorAll('.faq-answer').forEach(ans => ans.style.display = 'none');\n        document.querySelectorAll('.faq-item').forEach(it => it.classList.remove('active'));\n        item.classList.add('active');\n        answer.style.display = 'block';\n      }\n    });\n  });\n<\/script>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Closing_Thoughts\"><\/span>Closing Thoughts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The <strong>Zscaler data breach<\/strong> didn\u2019t compromise firewalls or VPN concentrators. It compromised trust, trust in the SaaS integrations businesses approve without much scrutiny. That\u2019s where the real risk lies today.<\/p>\n\n\n\n<p>If you run Salesforce, Workspace, or any other SaaS with third-party apps, treat this as your warning. Audit those tokens. Rotate them. Watch the logs. And don\u2019t paste secrets into tickets.<\/p>\n\n\n\n<p>Zscaler will move past this, but the breach leaves a clear message: SaaS integrations are part of your attack surface, whether you see them or not. 
Pair stronger SaaS governance with VPN encryption to keep both compliance and security intact.<\/p>\n\n\n\n<p>For MSPs and resellers, the opportunity is obvious. With <strong>PureVPN White Label<\/strong>, you can help customers close the last mile of risk, protecting their data in transit while you grow your recurring revenue.<\/p>\n\n\n\n<div class=\"wp-block-buttons text-center is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-2 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-text-color has-background has-link-color wp-element-button\" href=\"http:\/\/purevpn.com\/white-label\/\" style=\"color:#fdfafa;background-color:#b15aff\" target=\"_blank\" rel=\"noreferrer noopener\">Join PureVPN's White Label Program<\/a><\/div>\n<\/div>\n\n\n\n<div style=\"height:52px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<script type=\"application\/ld+json\">{\"@context\":\"https:\/\/schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"What happened in the Zscaler data breach?\",\"acceptedAnswer\":[{\"@type\":\"Answer\",\"text\":\"Attackers stole OAuth tokens from the Drift integration, which gave them access to Zscaler\u2019s Salesforce instance. They exposed customer contact info and some support case text, but Zscaler\u2019s products and infrastructure were not compromised.\"}]},{\"@type\":\"Question\",\"name\":\"What kind of data was exposed?\",\"acceptedAnswer\":[{\"@type\":\"Answer\",\"text\":\"Names, emails, phone numbers, job titles, licensing details, and plain-text support case content. In some cases, that could include sensitive credentials pasted into tickets.\"}]},{\"@type\":\"Question\",\"name\":\"Was Google Workspace also compromised?\",\"acceptedAnswer\":[{\"@type\":\"Answer\",\"text\":\"No. Workspace itself was not breached. 
Only a small number of mailboxes integrated with Drift Email were accessed briefly on Aug 9.\"}]},{\"@type\":\"Question\",\"name\":\"Who is behind the breach?\",\"acceptedAnswer\":[{\"@type\":\"Answer\",\"text\":\"A group known as UNC6395 is attributed by Google Threat Intelligence. Another group, ShinyHunters, claimed responsibility, but evidence doesn\u2019t support their claim.\"}]},{\"@type\":\"Question\",\"name\":\"What should businesses do next?\",\"acceptedAnswer\":[{\"@type\":\"Answer\",\"text\":\"Audit and revoke Drift tokens, hunt Salesforce logs, rotate any exposed secrets, and strengthen OAuth governance. Monitor for phishing and prepare compliance notifications if needed.\"}]}]}<\/script><!-- Generated by https:\/\/www.searchlogistics.com -->\n\n\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Not all breaches happen with firewalls falling or servers being popped. Some happen in quieter ways through the integrations that businesses use every day to keep operations smooth. In August 2025, Zscaler confirmed that it had been impacted by exactly this type of attack. 
The Zscaler data breach was not about its Zero Trust Exchange&#8230;<\/p>\n","protected":false},"author":3,"featured_media":3978,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[540],"tags":[196,670],"class_list":["post-3974","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-breach","tag-salesforce","tag-zscaler-data-breach"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Zscaler Data Breach: What Exactly Happened?<\/title>\n<meta name=\"description\" content=\"Discover the full story of the Zscaler data breach, what exactly happened, and how businesses can strengthen security to avoid similar risks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zscaler Data Breach: What Exactly Happened?\" \/>\n<meta property=\"og:description\" content=\"Discover the full story of the Zscaler data breach, what exactly happened, and how businesses can strengthen security to avoid similar risks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/\" \/>\n<meta property=\"og:site_name\" content=\"PureVPN White label\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-02T12:37:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-02T13:03:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png\" \/>\n\t<meta 
property=\"og:image:width\" content=\"876\" \/>\n\t<meta property=\"og:image:height\" content=\"493\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"duresham\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"duresham\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/\",\"url\":\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/\",\"name\":\"Zscaler Data Breach: What Exactly Happened?\",\"isPartOf\":{\"@id\":\"https:\/\/www.purevpn.com\/white-label\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png\",\"datePublished\":\"2025-09-02T12:37:24+00:00\",\"dateModified\":\"2025-09-02T13:03:05+00:00\",\"author\":{\"@id\":\"https:\/\/www.purevpn.com\/white-label\/#\/schema\/person\/d75943d96d9bdd3277bc60adaf00f44c\"},\"description\":\"Discover the full story of the Zscaler data breach, what exactly happened, and how businesses can strengthen security to avoid similar 
risks.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#primaryimage\",\"url\":\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png\",\"contentUrl\":\"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png\",\"width\":876,\"height\":493,\"caption\":\"Illustration of hacker figure with Zscaler logo and shield symbolizing the Zscaler data breach, showing folders and security alert icons.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.purevpn.com\/white-label\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Zscaler Data Breach: What Happened and What It Means for Businesses?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.purevpn.com\/white-label\/#website\",\"url\":\"https:\/\/www.purevpn.com\/white-label\/\",\"name\":\"Purevpn White 
label\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.purevpn.com\/white-label\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.purevpn.com\/white-label\/#\/schema\/person\/d75943d96d9bdd3277bc60adaf00f44c\",\"name\":\"duresham\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.purevpn.com\/white-label\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/676e150b24efe0726f53fef31f98d1da?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/676e150b24efe0726f53fef31f98d1da?s=96&d=mm&r=g\",\"caption\":\"duresham\"},\"url\":\"https:\/\/www.purevpn.com\/white-label\/author\/duresham\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Zscaler Data Breach: What Exactly Happened?","description":"Discover the full story of the Zscaler data breach, what exactly happened, and how businesses can strengthen security to avoid similar risks.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/","og_locale":"en_US","og_type":"article","og_title":"Zscaler Data Breach: What Exactly Happened?","og_description":"Discover the full story of the Zscaler data breach, what exactly happened, and how businesses can strengthen security to avoid similar risks.","og_url":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/","og_site_name":"PureVPN White 
label","article_published_time":"2025-09-02T12:37:24+00:00","article_modified_time":"2025-09-02T13:03:05+00:00","og_image":[{"width":876,"height":493,"url":"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png","type":"image\/png"}],"author":"duresham","twitter_card":"summary_large_image","twitter_misc":{"Written by":"duresham","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/","url":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/","name":"Zscaler Data Breach: What Exactly Happened?","isPartOf":{"@id":"https:\/\/www.purevpn.com\/white-label\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#primaryimage"},"image":{"@id":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#primaryimage"},"thumbnailUrl":"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png","datePublished":"2025-09-02T12:37:24+00:00","dateModified":"2025-09-02T13:03:05+00:00","author":{"@id":"https:\/\/www.purevpn.com\/white-label\/#\/schema\/person\/d75943d96d9bdd3277bc60adaf00f44c"},"description":"Discover the full story of the Zscaler data breach, what exactly happened, and how businesses can strengthen security to avoid similar 
risks.","breadcrumb":{"@id":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#primaryimage","url":"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png","contentUrl":"https:\/\/d1jxermyrliwoo.cloudfront.net\/wp-content\/uploads\/2025\/09\/02123435\/Copy-of-Port-Forwarding-2025-09-02T170952.813.png","width":876,"height":493,"caption":"Illustration of hacker figure with Zscaler logo and shield symbolizing the Zscaler data breach, showing folders and security alert icons."},{"@type":"BreadcrumbList","@id":"https:\/\/www.purevpn.com\/white-label\/zscaler-data-breach\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.purevpn.com\/white-label\/"},{"@type":"ListItem","position":2,"name":"Zscaler Data Breach: What Happened and What It Means for Businesses?"}]},{"@type":"WebSite","@id":"https:\/\/www.purevpn.com\/white-label\/#website","url":"https:\/\/www.purevpn.com\/white-label\/","name":"Purevpn White 
label","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.purevpn.com\/white-label\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.purevpn.com\/white-label\/#\/schema\/person\/d75943d96d9bdd3277bc60adaf00f44c","name":"duresham","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.purevpn.com\/white-label\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/676e150b24efe0726f53fef31f98d1da?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/676e150b24efe0726f53fef31f98d1da?s=96&d=mm&r=g","caption":"duresham"},"url":"https:\/\/www.purevpn.com\/white-label\/author\/duresham\/"}]}},"_links":{"self":[{"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/posts\/3974","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/comments?post=3974"}],"version-history":[{"count":5,"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/posts\/3974\/revisions"}],"predecessor-version":[{"id":3987,"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/posts\/3974\/revisions\/3987"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/media\/3978"}],"wp:attachment":[{"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/media?parent=3974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/categories?pos
t=3974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.purevpn.com\/white-label\/wp-json\/wp\/v2\/tags?post=3974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}