Zscaler Breach Unpacked: Hype vs. Hard Evidence – Who Really Did It?
Posted on: 02 Sep 2025 | Author: Foresiet
The recent Zscaler breach has sparked significant attention in the cybersecurity community not just because of its impact, but also because of the complexity of the attack and the multiple claims of responsibility surrounding it. Here’s a breakdown of what happened, who’s claiming involvement, and what we can learn from the incident.
How the Breach Happened
This was not a direct hack of Zscaler’s core systems. Instead, it was a supply chain attack that exploited a third-party integration:
- Compromise of Salesloft Drift – Attackers breached the AI-powered chat platform Salesloft Drift and stole the OAuth tokens it held for its customers' Salesforce connections. These tokens act as digital keys: whoever presents a valid token is accepted as the integration, with no password or MFA prompt.
- Access to Zscaler's Salesforce Instance – With the stolen tokens, the attackers never had to log in as a user; they authenticated as the Drift integration itself and gained "limited, persistent access" to Zscaler's Salesforce environment. This was possible because OAuth tokens often don't expire quickly and can provide long-term access.
- Data Exfiltration – The attackers executed targeted SOQL queries against Salesforce objects like Accounts, Users, Cases, and Opportunities. Data stolen included:
  - Customer names
  - Business email addresses
  - Job titles and phone numbers
  - Licensing and commercial details
  - Plain-text content of some support cases (potentially containing sensitive info like API keys)
The attackers attempted to delete their tracks, but forensic logs remained intact, enabling Zscaler to reconstruct the timeline.
Key Differences Between the Groups
- LAPSUS$ (often inactive): Previously targeted major companies like Okta and Microsoft using social engineering and insider recruitment. The group has been largely dormant after a series of arrests.
- ShinyHunters (active): A notorious group active since 2020, known for data theft and extortion. They specialize in selling large datasets on underground forums. While they have been linked to Salesforce-related data in the past, their usual method is bulk data resale, which does not match the tactics observed in this breach.
- Scattered Spider (active): A financially motivated group infamous for SIM-swapping and advanced social engineering attacks, often targeting employees to gain initial access.
These distinctions are important. None of these groups has provided samples or technical evidence tied to the Zscaler incident. The tactics seen here—OAuth abuse, selective queries, and cleanup attempts—suggest a focused and disciplined actor, but attribution remains uncertain.
Who’s Behind the Attack?
Attribution in this case remains uncertain.
- UNC6395 – One line of analysis points toward a threat group known as UNC6395, which specializes in targeting SaaS environments. Their hallmark is credential harvesting through OAuth token abuse, allowing them to gain persistent access without relying on traditional logins. The tactics observed here — stealing OAuth tokens, running targeted Salesforce SOQL queries, and attempting to delete evidence of their activity — are consistent with UNC6395’s known operations.
- Scattered Spider Claim on Telegram – Shortly after the breach went public, a Telegram channel calling itself Scattered Lapsus$ Hunter 5.0 posted messages like "ZSCALER WE OWN THIS" and "RAISE UR HAND IF WE SHOULD LEAK THE DB." These posts suggest an attempt to take credit, but so far the group has not provided proof or data samples to support the claim.
- ShinyHunters – ShinyHunters has a history of selling Salesforce-related data, but their usual method is bulk data resale, not the kind of credential-focused attack seen here. The tactics in this breach don’t align with ShinyHunters’ playbook, making them an unlikely suspect.
At this stage, there is no verified evidence that confirms which group was truly responsible. Public claims may have been made to generate attention, but without proof, they cannot be taken as confirmation.
Zscaler’s Response
Zscaler acted quickly to contain the threat and protect customers:
- Revoked all compromised tokens and cut off Drift’s Salesforce access.
- Implemented MFA protocols for customer support interactions.
- Increased monitoring of third-party integrations.
- Confirmed that core infrastructure and products were not impacted.
To date, there is no evidence of misuse of the stolen data.
Lessons Learned
This breach serves as a major wake-up call about the risks of cloud integrations:
- OAuth Token Risks – Non-human identities like tokens can be a bigger risk than human accounts because they are often forgotten but hold powerful, persistent access.
- Least Privilege – Third-party integrations must be granted only the minimum required permissions.
- SaaS Monitoring – Security teams need robust logging, anomaly detection, and alerts for unusual activity in platforms like Salesforce, Google Workspace, and Microsoft 365.
- Data Hygiene – Support tickets and CRM entries should never contain plaintext credentials or secrets.
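As an added illustration (not code from this post, Foresiet, or Zscaler), the following Python detector applies the SaaS-monitoring and least-privilege points above to the exfiltration pattern described earlier: a third-party connected app running bulk SOQL reads against sensitive objects, or sweeping several of them in one window. The event records, field names, app name, and thresholds are constructed assumptions and do not reproduce the real Salesforce EventLogFile schema.

```python
import re
from collections import defaultdict

# Constructed, simplified API-event records (assumed field names, not the
# real Salesforce EventLogFile schema). The integration name is made up.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T02:11:05Z", "app": "Drift Chat Integration",
     "soql": "SELECT Id, Name FROM Account WHERE LastModifiedDate = TODAY", "rows": 40},
    {"ts": "2025-08-09T02:12:30Z", "app": "Drift Chat Integration",
     "soql": "SELECT Id, Subject, Description FROM Case", "rows": 18500},
    {"ts": "2025-08-09T02:13:01Z", "app": "Drift Chat Integration",
     "soql": "SELECT Id, Email, Title, Phone FROM User", "rows": 3200},
    {"ts": "2025-08-09T09:30:00Z", "app": "Salesforce for iOS",
     "soql": "SELECT Id, Name FROM Opportunity WHERE OwnerId = '005xx000001'", "rows": 12},
]

SENSITIVE_OBJECTS = {"Account", "User", "Case", "Opportunity"}
THIRD_PARTY_APPS = {"Drift Chat Integration"}  # assumed inventory of integrations to watch
ROW_THRESHOLD = 1000                            # assumed bulk-read threshold for a chat bot
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def target_object(soql):
    """Return the object named in the query's FROM clause, or None."""
    m = FROM_RE.search(soql)
    return m.group(1) if m else None


def flag_events(events, row_threshold=ROW_THRESHOLD):
    """Return findings as (ts, app, object(s), rows, kind) tuples.
    'bulk_read': a watched app pulled many rows from a sensitive object.
    'object_sweep': a watched app touched three or more sensitive objects
    in the window, which a narrowly scoped chat integration has no need to do."""
    findings = []
    objects_by_app = defaultdict(set)
    for e in events:
        obj = target_object(e["soql"])
        if obj is None or e["app"] not in THIRD_PARTY_APPS:
            continue  # only third-party integrations are in scope here
        objects_by_app[e["app"]].add(obj)
        if obj in SENSITIVE_OBJECTS and e["rows"] >= row_threshold:
            findings.append((e["ts"], e["app"], obj, e["rows"], "bulk_read"))
    for app, objs in objects_by_app.items():
        touched = sorted(objs & SENSITIVE_OBJECTS)
        if len(touched) >= 3:
            findings.append((None, app, ",".join(touched), None, "object_sweep"))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(finding)
```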
Conclusion
The Zscaler breach is not just another data leak—it’s a reminder that the modern attack surface includes every SaaS integration and every third-party app tied into your workflows. While attribution debates continue (UNC6395 vs. Scattered Spider claims), the technical lessons are clear: organizations must treat third-party cloud connections as part of their critical security perimeter.
Key Takeaway: Supply chain attacks are on the rise, and OAuth tokens are becoming one of the most valuable targets for attackers. Vigilance, monitoring, and strict access control are the only ways forward.