Summary:
Zscaler recently disclosed a data exposure incident related to a third-party application—Salesloft Drift, an AI-driven marketing tool integrated with Salesforce. This breach, which did not compromise Zscaler’s core infrastructure, offers an important reminder of the residual risks associated with supply chain and SaaS integrations. Below, we provide a detailed breakdown of the incident, highlight Zscaler’s response, and discuss strategic implications for CISOs managing complex digital ecosystems.
Context: The Supply Chain Breach Through Salesloft Drift
Zscaler's original blog post (source) explains that the exposure resulted from the compromise of OAuth access and refresh tokens issued to Salesloft Drift, a third-party SaaS platform that integrates directly with Salesforce environments. Because a refresh token lets its holder obtain fresh access tokens without re-authenticating, the stolen tokens gave the attacker the same API access to Zscaler's Salesforce data that Drift itself had been granted, until the grant was revoked.
Using that access, the threat actor, likely associated with UNC6395 according to Google Threat Intelligence, harvested business contact data and support case content stored in Zscaler's Salesforce instance.
Information Exposed:
The accessed data reportedly includes:
- Names and business email addresses
- Job titles and phone numbers
- Regional/location information
- Zscaler product licensing and commercial info
- Plain-text content from certain Salesforce support cases (no attachments or files)
Zscaler emphasizes that none of its products, infrastructure, or internal systems were breached; the exposure was limited to data held in its Salesforce instance and reached through the compromised integration tokens.
Zscaler’s Response: Rapid and Transparent
To its credit, Zscaler responded promptly and transparently, with a layered set of containment and remediation steps:
- Revoked Salesloft Drift’s access to Salesforce
- Rotated API tokens across its Salesforce instance
- Launched a formal investigation into the breach, involving Salesforce directly
- Tightened customer authentication for support interactions
- Initiated third-party risk assessments for other SaaS vendors
This is a case study in mature breach response: clear communication, fast containment, and forward-looking remediation.
CISO Insights: Key Takeaways
1. SaaS Integrations Are Part of Your Attack Surface
Even security-mature companies like Zscaler are exposed when third-party apps hold persistent OAuth grants to critical SaaS platforms like Salesforce. Those tokens live in the vendor's infrastructure, outside your own controls, so a breach of the vendor becomes a breach of your data. The convenience of AI-enabled workflows (e.g., Salesloft Drift) must be balanced with strict access review and token hygiene practices.
CISO Recommendation:
Conduct quarterly reviews of all active third-party integrations in core SaaS platforms (e.g., Salesforce, ServiceNow, Google Workspace). For each connected app, record the owning team, the scopes granted, the integration user's permissions, and when its token was last used, and revoke anything no owner will claim. Use automated discovery tools where possible.
2. Support Cases Contain High-Risk Information
Plain-text fields in support tickets may include credentials, secrets, API keys, or internal system references—especially when shared by customers under pressure.
CISO Recommendation:
Educate both customers and internal support teams on secure ticket handling protocols. Filter or redact high-risk entries before they are stored. Where feasible, encrypt ticket data at rest, even in SaaS platforms, but understand what that does and does not buy you: a stolen OAuth token reads data through the platform's API as an authorized user, so the platform decrypts it on the way out. Against this class of attack the controls that matter are keeping secrets out of tickets in the first place and limiting which integrations can read support case fields at all.
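As an added example (not Zscaler's, Salesforce's or Salesloft's code), the following redaction pass can be run on ticket text before it is written to the case record. It covers the secret shapes that most often land in support cases, with an entropy check for long opaque strings that no fixed pattern describes. The rule set, the entropy threshold and the sample ticket are constructed for this illustration and would need tuning against real ticket traffic.

```python
"""Redact credential-like material from support-case text before storage.

Added example, not Zscaler's or Salesforce's code. Rules cover the secret
shapes that most often land in tickets (private key blocks, AWS access key
IDs, bearer tokens, key=value passwords) plus a Shannon-entropy check for
long opaque strings. Thresholds and the sample ticket are constructed.
"""
import math
import re

# (rule name, pattern, replacement). Specific shapes run before the generic
# key=value rule so the replacement text says what kind of secret was removed.
RULES = [
    ("private-key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED PRIVATE KEY]"),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED AWS ACCESS KEY ID]"),
    ("bearer-token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*"), "Bearer [REDACTED TOKEN]"),
    ("key-value-secret",
     re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\s*[:=]\s*\S+"),
     lambda m: f"{m.group(1)}=[REDACTED]"),
]

# Opaque strings: 24+ chars of [A-Za-z0-9_-] mixing letters and digits with
# high entropy. Dots and slashes are deliberately excluded so hostnames,
# URLs and e-mail addresses are left alone.
OPAQUE = re.compile(r"\b[A-Za-z0-9_\-]{24,}\b")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed tuning value


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_opaque(tok: str) -> bool:
    """True for long mixed letter/digit strings with high entropy."""
    return (any(c.isalpha() for c in tok) and any(c.isdigit() for c in tok)
            and shannon_entropy(tok) > ENTROPY_THRESHOLD)


def redact(text: str):
    """Return (redacted_text, sorted list of rule names that fired)."""
    fired = set()
    for name, pattern, repl in RULES:
        text, n = pattern.subn(repl, text)
        if n:
            fired.add(name)

    def opaque_repl(m):
        tok = m.group(0)
        if looks_opaque(tok):
            fired.add("opaque-string")
            return "[REDACTED OPAQUE STRING]"
        return tok

    text = OPAQUE.sub(opaque_repl, text)
    return text, sorted(fired)


# Constructed ticket text: the kind of paste a customer sends while debugging.
SAMPLE_CASE = """Hi team, the connector fails after the upgrade.
Our service account is svc-sync@example.com, password: Hunter2!
It calls https://api.example.com/v2/sync with access key ID AKIAIOSFODNN7EXAMPLE
and the last job id we saw was Q7wX2pL9mR4kT8nZ1vB5cD3fG6hJ0sYa.
Header: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK3fakekeymaterialfortheexampleonly0
-----END RSA PRIVATE KEY-----
Thanks, Dana"""


if __name__ == "__main__":
    cleaned, rules = redact(SAMPLE_CASE)
    print(cleaned)
    print("rules fired:", rules)
```

The entropy rule is the one to watch: it is what catches vendor API keys and session IDs that match no fixed pattern, but it is also the main source of false positives, which is why it ignores anything containing dots or slashes and requires both letters and digits. Log what each rule removes so support staff can ask the customer for a secure channel when a real credential was stripped.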
3. Zero Trust Must Include SaaS-to-SaaS Communications
This incident shows that zero trust cannot stop at identity or endpoint security. CISOs must consider application-level trust between SaaS components. A stolen OAuth token is not tied to a device, does not trigger an MFA challenge, and is accepted from any network the platform allows, so an attacker can replay it from their own infrastructure while the API traffic looks like the vendor's. That is lateral movement that bypasses traditional perimeter defenses entirely.
CISO Recommendation:
Deploy SaaS security posture management (SSPM) tools. Grant connected apps only the scopes and object access they actually need, set refresh tokens to expire rather than remain valid until revoked, and restrict where an integration user's tokens may be used (for example by IP range) wherever the platform supports it.
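The following audit, added here as an example and not code from Zscaler, Salesforce or any SSPM product, serves both the quarterly integration review recommended under point 1 and the least-privilege and expiry recommendation above. Scope names follow Salesforce connected-app conventions ("api", "refresh_token", "full"), but the grant inventory, the per-app scope allowlist, the review date and the thresholds are constructed assumptions; in practice the inventory comes from the platform's connected-app and token-usage reports.

```python
"""Audit third-party OAuth grants in a core SaaS platform.

Added example, not Zscaler's or Salesforce's code. Finds over-scoped,
stale, never-used, unregistered and never-expiring grants and says what
to do about each. Inventory, allowlist and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90                  # assumed: unused this long means revoke
BROAD_SCOPES = {"full", "web"}   # assumed: never appropriate for a server-side integration
AUDIT_DATE = date(2025, 9, 15)   # assumed review date so results are reproducible

# What each registered integration is allowed to hold; the owning team decides.
ALLOWED_SCOPES = {
    "chat-connector": {"api", "refresh_token"},
    "billing-sync": {"api", "refresh_token"},
    "ticket-enricher": {"api", "refresh_token"},
}


@dataclass(frozen=True)
class Grant:
    app: str
    integration_user: str
    scopes: frozenset
    issued: date
    last_used: Optional[date]
    refresh_token_expires: bool   # False means "valid until revoked"
    ip_restricted: bool


@dataclass(frozen=True)
class Finding:
    app: str
    code: str
    severity: str
    action: str


def audit(grants, today, allowed=ALLOWED_SCOPES):
    """Apply the policy rules to every grant; returns a list of Finding."""
    findings = []

    def add(app, code, severity, action):
        findings.append(Finding(app, code, severity, action))

    for g in grants:
        if g.app not in allowed:
            add(g.app, "UNREGISTERED", "high", "no owner on record; confirm the need or revoke")
        else:
            excess = set(g.scopes) - allowed[g.app]
            if excess:
                sev = "high" if excess & BROAD_SCOPES else "medium"
                add(g.app, "EXCESS_SCOPE", sev,
                    f"re-authorize with {sorted(allowed[g.app])}; drop {sorted(excess)}")
        if g.last_used is None:
            add(g.app, "NEVER_USED", "high", "issued but never used; revoke")
        elif (today - g.last_used).days > STALE_DAYS:
            add(g.app, "STALE", "high", f"unused for {(today - g.last_used).days} days; revoke")
        if not g.refresh_token_expires:
            add(g.app, "NO_REFRESH_EXPIRY", "medium",
                "set a refresh-token lifetime so a leaked token dies on its own")
        if not g.ip_restricted:
            add(g.app, "NO_IP_RESTRICTION", "medium",
                "pin the integration user to the vendor's egress ranges")
    return findings


def revoke_now(findings):
    """Apps whose grants should be revoked before the review meeting ends."""
    return sorted({f.app for f in findings if f.code in {"STALE", "NEVER_USED", "UNREGISTERED"}})


# Constructed inventory: one over-scoped live connector, one stale grant,
# one orphaned app nobody registered, one grant that passes every rule.
SAMPLE_GRANTS = [
    Grant("chat-connector", "drift.integration@example.com", frozenset({"api", "refresh_token", "full"}),
          date(2024, 11, 2), date(2025, 9, 12), refresh_token_expires=False, ip_restricted=False),
    Grant("billing-sync", "billing.integration@example.com", frozenset({"api", "refresh_token"}),
          date(2024, 3, 18), date(2025, 5, 10), refresh_token_expires=True, ip_restricted=True),
    Grant("legacy-reporting", "reports.integration@example.com", frozenset({"api", "web"}),
          date(2023, 6, 1), None, refresh_token_expires=False, ip_restricted=False),
    Grant("ticket-enricher", "support.integration@example.com", frozenset({"api", "refresh_token"}),
          date(2025, 1, 9), date(2025, 9, 14), refresh_token_expires=True, ip_restricted=True),
]


def run_sample_audit():
    return audit(SAMPLE_GRANTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.severity:6} {f.app:18} {f.code:18} {f.action}")
    print("revoke now:", revoke_now(run_sample_audit()))
```

The allowlist is the important part: an app that is not in it has no owner, and an app that holds more than it lists is the kind of grant that turns a vendor incident into a data exposure. Treat "full" or "web" on a server-to-server integration as a finding to fix this quarter, not a note for next year.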
4. Incident Transparency Builds Trust
Zscaler’s public disclosure—despite no direct impact on its core systems—sets a strong example in security governance and trust-building. Many companies might have underplayed or obscured the breach due to reputational concerns.
CISO Reflection:
When planning incident communications, prioritize transparency and actionable information for customers. Silence or ambiguity erodes trust far more than admitting to a contained breach.
Next Steps for CISOs:
Immediate Actions:
- Audit all third-party Salesforce integrations
- Revoke unused API/OAuth tokens and rotate the rest
- Enable API event logging on Salesforce (and similar platforms) and alert on bulk reads of sensitive objects, unfamiliar API clients, and unusual query volume from integration users
- Review support case retention and classification practices
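The anomaly-detection action in the list above, and the earlier point that token-based access tends to escape traditional SOC monitoring, are the kind of thing that is easier to see in code. The block below is an added example, not code from Zscaler, Salesforce or Salesloft. The log shape (ts, user, app, client, op, object, rows) is an assumed, simplified JSON-lines format modelled loosely on API event logs; real Event Monitoring field names differ, so the parser is the part to adapt. A baseline of normal connector traffic is generated inline and a constructed exfiltration-style burst from the same connected app is run through the rules.

```python
"""Detection rules over simplified API event logs for a connected app.

Added example, not code from Zscaler, Salesforce or Salesloft. The log
format, thresholds and sample traffic are constructed assumptions.
"""
import json
from datetime import datetime, timedelta

SENSITIVE_OBJECTS = {"Account", "Case", "Contact", "User"}  # assumed list
BULK_ROWS = 5000           # assumed: rows in one call that count as a bulk pull
VOLUME_MULTIPLIER = 5.0    # assumed: alert above 5x the app's baseline rows per hour


def make_baseline_events():
    """Constructed 'normal' traffic: one connector, working hours, small reads."""
    events = []
    start = datetime(2025, 9, 1)
    for day in range(3):
        for hour in range(9, 17):
            for i in range(10):
                ts = start + timedelta(days=day, hours=hour, minutes=6 * i)
                events.append({
                    "ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "user": "drift.integration@example.com",
                    "app": "chat-connector",
                    "client": "drift-sync/2.1",
                    "op": "query",
                    "object": "Contact" if i % 2 == 0 else "Lead",
                    "rows": 200,
                })
    return events


# Constructed burst: same connected app and integration user, but an unfamiliar
# client, off-hours, and bulk pulls of objects the connector never read before.
ATTACK_LOG = """
{"ts": "2025-09-08T02:14:05Z", "user": "drift.integration@example.com", "app": "chat-connector", "client": "custom-client/1.0", "op": "bulk_query", "object": "Contact", "rows": 120000}
{"ts": "2025-09-08T02:16:41Z", "user": "drift.integration@example.com", "app": "chat-connector", "client": "custom-client/1.0", "op": "bulk_query", "object": "Case", "rows": 48000}
{"ts": "2025-09-08T02:19:03Z", "user": "drift.integration@example.com", "app": "chat-connector", "client": "custom-client/1.0", "op": "bulk_query", "object": "Account", "rows": 30000}
{"ts": "2025-09-08T02:20:17Z", "user": "drift.integration@example.com", "app": "chat-connector", "client": "custom-client/1.0", "op": "query", "object": "User", "rows": 900}
{"ts": "2025-09-08T02:21:49Z", "user": "drift.integration@example.com", "app": "chat-connector", "client": "custom-client/1.0", "op": "query", "object": "Lead", "rows": 150}
"""


def parse_log(text):
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per connected app: known clients, objects read, active hours, rows per hour."""
    base = {}
    for e in events:
        b = base.setdefault(e["app"], {"clients": set(), "objects": set(),
                                       "hours": set(), "rows_by_hour": {}})
        b["clients"].add(e["client"])
        b["objects"].add(e["object"])
        b["hours"].add(int(e["ts"][11:13]))
        key = e["ts"][:13]                      # YYYY-MM-DDTHH
        b["rows_by_hour"][key] = b["rows_by_hour"].get(key, 0) + e["rows"]
    for b in base.values():
        b["rows_per_hour"] = sum(b["rows_by_hour"].values()) / len(b["rows_by_hour"])
    return base


def detect(events, baseline):
    """Run the rules; each (rule, app, key) fires at most once."""
    alerts, seen, rows_this_hour = [], set(), {}

    def alert(rule, app, key, detail):
        if (rule, app, key) not in seen:
            seen.add((rule, app, key))
            alerts.append({"rule": rule, "app": app, "key": key, "detail": detail})

    for e in events:
        app = e["app"]
        b = baseline.get(app)
        if b is None:
            alert("UNKNOWN_APP", app, app, "no baseline for this connected app")
            continue
        hour_key = e["ts"][:13]
        if e["client"] not in b["clients"]:
            alert("NEW_CLIENT", app, e["client"], f"unseen API client {e['client']}")
        if int(e["ts"][11:13]) not in b["hours"]:
            alert("OFF_HOURS", app, hour_key, f"activity outside baseline hours at {e['ts']}")
        if e["object"] not in b["objects"]:
            alert("NEW_OBJECT", app, e["object"], f"first read of {e['object']} by this app")
        if e["object"] in SENSITIVE_OBJECTS and e["rows"] >= BULK_ROWS:
            alert("SENSITIVE_BULK", app, (e["object"], e["ts"]), f"{e['rows']} {e['object']} rows in one call")
        rows_this_hour[(app, hour_key)] = rows_this_hour.get((app, hour_key), 0) + e["rows"]
        if rows_this_hour[(app, hour_key)] > VOLUME_MULTIPLIER * b["rows_per_hour"]:
            alert("VOLUME_SPIKE", app, hour_key, f"{rows_this_hour[(app, hour_key)]} rows in hour {hour_key}")
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(make_baseline_events())
    for a in detect(parse_log(ATTACK_LOG), baseline):
        print(a["rule"], a["app"], a["detail"])
```

The point of baselining per connected app rather than per user is that the attacker here holds the app's own tokens and therefore shows up as the app's integration user; what changes is the client, the objects, the hour and above all the row counts. The OFF_HOURS rule is the noisiest of the set and is best used to raise the severity of another alert rather than to page on its own.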
Strategic Long-Term Moves:
- Include SaaS vendors in your threat modeling and tabletop exercises
- Extend your vendor risk management framework to include token use and privilege analysis
- Push vendors to support fine-grained OAuth scopes and audit trails
Final Thought:
This is not just a Zscaler issue. It is a warning signal for the entire security community: breach vectors will increasingly run through SaaS-to-SaaS trust chains and token-based access that often fly under the radar of traditional SOC monitoring.
As CISOs, we must adapt our architecture, operations, and governance to this new reality.
Further Reading:
📖 Zscaler’s official incident report
📖 Google Threat Intelligence on UNC6395
📖 CISA Advisory: Risks of OAuth-based compromise