Zscaler A.I CyberSecurity Scoring
Zscaler
Company Information
- Website: https://www.zscaler.com
- Number of employees: 9,566
- Number of followers: 482,875
- NAICS: 541514
- Industry Type: Computer and Network Security
- Homepage: zscaler.com
Zscaler Risk Score (AI oriented)
- Current score: 558/1000, Ca (Very Poor); score band 550 to 599 on a 0 to 1000 scale
- Updated: 17/04/2026
- Zscaler Global Score (TPRM): score locked
- Incidents: 6, average impact -50 points
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
- June 2026: 527
- May 2026: 521
- April 2026: 558
- March 2026: 553
- February 2026: 550
- January 2026: 546
- December 2025: 537
- November 2025: 536
- October 2025: 579
Breach | 21 Oct 2025 | Zscaler
Salesloft: Salesloft-Drift OAuth Token Breach
Score after incident: 529 (CRITICAL, -50 points) | Incident ID: DRI1593115102125
The Salesloft-Drift OAuth incident involved attackers stealing OAuth tokens from Salesloft’s development platform, exploiting them to access customer data across integrated applications like Salesforce and Google Workspace. The breach, executed by the threat group UNC6395, leveraged voice phishing (vishing) to trick administrators into authorizing malicious apps, bypassing multi-factor authentication (MFA). Over 700 organizations were impacted as the compromised tokens enabled attackers to exfiltrate sensitive customer information, leading to widespread revocation of Drift integrations. The incident exposed systemic risks in SaaS supply chains, where trusted third-party integrations became attack vectors, enabling potential data theft, cloud credential abuse, outages, or ransomware. Beyond immediate data exposure, the breach triggered forensic investigations, regulatory fines, lawsuits, reputational damage, and operational disruptions, highlighting the cascading risks of N-th degree vendor dependencies in modern cybersecurity ecosystems.
- September 2025: 623
Breach | 02 Sep 2025 | Zscaler
Zscaler Inc.: Zscaler Data Breach via Salesforce Supply-Chain Attack
Score after incident: 573 (CRITICAL, -50 points) | Incident ID: ZSC534090325
Zscaler, a leading cloud security provider, suffered a significant data breach via a supply-chain attack targeting its Salesforce infrastructure. The breach originated from a compromised third-party platform, Salesloft Drift, where threat actors exploited OAuth permissions to gain unauthorized access. Sensitive customer data was exposed, including names, email addresses, phone numbers, and support case details—potentially enabling targeted phishing campaigns or follow-on attacks. While Zscaler confirmed the breach was isolated to its marketing-linked Salesforce environment and did not affect core production systems, the exposure of support interaction data raises risks of credential-based attacks and social engineering schemes. The incident highlights vulnerabilities in third-party SaaS integrations and underscores gaps in OAuth governance, prompting industry-wide scrutiny of supply-chain security practices. Zscaler revoked compromised credentials and engaged external incident response teams, but the breach has already eroded trust among clients and peers, with ripple effects across other cybersecurity firms targeted via the same Salesloft vector.
- August 2025: 673
Breach | 29 Aug 2025 | Zscaler
Zscaler: Widespread OAuth Token Compromise via Salesloft Drift Affecting Salesforce, Google Workspace, and Zscaler
Score after incident: 623 (CRITICAL, -50 points) | Incident ID: ZSC918090225
Zscaler disclosed it was impacted by the Salesloft Drift breach, where threat actors (UNC6395) exploited compromised OAuth tokens to gain unauthorized access to its Salesforce instance. The attackers exfiltrated customer information, including business contact details (names, email addresses, job titles, phone numbers, regional/location data) and Salesforce-related content such as plain-text support case details (excluding attachments, files, or images). Additionally, Zscaler product licensing and commercial information was accessed. While no evidence of misuse has been detected yet, the breach exposed sensitive corporate and client data, raising concerns over potential phishing, fraud, or targeted attacks leveraging the stolen information. Zscaler revoked Salesloft Drift’s access and rotated API tokens to mitigate further risk. The incident stems from a broader campaign where attackers abused Drift integrations to target multiple organizations via Salesforce.
- July 2025: 671
- April 2025: 754
Ransomware | 01 Apr 2025 | Zscaler
Payouts King: Payouts King Emerges: New Ransomware Operation Tied to Ex-BlackBasta Members
Payouts King: A Sophisticated Ransomware Operation Emerges from BlackBasta’s Shadow
Score after incident: 661 (CRITICAL, -93 points) | Incident ID: ZSC1776414345
A new ransomware group, Payouts King, has surfaced as a highly technical successor to the defunct BlackBasta operation, leveraging refined tactics from former affiliates while introducing advanced evasion techniques. First observed in April 2025 and gaining momentum in 2026, the group is believed to be operated by ex-BlackBasta initial access brokers, repurposing proven social-engineering methods and infrastructure.
### Origins and Tactics
BlackBasta, a Conti-linked ransomware strain, rose to prominence in early 2022 before collapsing in early 2025 following a massive leak of internal chat logs. While the brand dissolved, its affiliates, particularly initial access brokers, migrated to other Ransomware-as-a-Service (RaaS) programs like Cactus, retaining their tactics, techniques, and procedures (TTPs). Zscaler ThreatLabz began tracking Payouts King in 2026, noting striking similarities to BlackBasta’s phishing lures, victim targeting, and infrastructure.
### Initial Access: Social Engineering at Scale
Payouts King’s attacks begin with spam bombing, overwhelming victims with junk emails before deploying vishing (voice phishing). Attackers impersonate internal IT support, pressuring targets to join a Microsoft Teams session and launch Quick Assist, a legitimate remote support tool, under the guise of resolving email issues. Once access is granted, malware is deployed to establish persistence, move laterally, and prepare for encryption.
This method mirrors BlackBasta’s 2024–2025 playbook, which similarly exploited Teams-based phishing and social engineering against executives. The reuse of these TTPs, particularly the combination of Teams, Quick Assist, and phone pressure, strongly suggests continuity with BlackBasta’s ecosystem.
### Technical Sophistication: Obfuscation and Evasion
Payouts King employs multi-layered obfuscation to evade detection:
- Stack-based string decryption and API hashing (via FNV1 with unique seeds) frustrate static analysis.
- Custom CRC-like checksums obscure command-line arguments, which control encryption behavior (e.g., `-backup`, `-percent`, `-path`).
- A hybrid encryption scheme combines 4,096-bit RSA with 256-bit AES-CTR, using statically linked OpenSSL libraries.
- Selective encryption balances speed and impact: small files are fully encrypted, while large files undergo partial, block-based encryption (e.g., 13 blocks, half encrypted per file).
- Anti-sandbox measures include an `-i` flag requiring a checksum match before execution.
### EDR Evasion and Ransomware Execution
To bypass endpoint detection:
- The malware avoids common MoveFile APIs, instead using SetFileInformationByHandle with FileRenameInfo to rename encrypted files.
- It targets defensive processes by hashing running process names and comparing them against a list of 100+ AV/EDR checksums.
- Critical system files and directories (e.g., OS folders, executables) are spared to maintain system stability and ransom leverage.
- Progress-tracking headers in temporary files allow encryption to resume after interruptions.
### Impact and Indicators
Payouts King’s emergence underscores the persistence of BlackBasta’s affiliate network, now operating under a rebranded, technically hardened threat. Organizations face heightened risks from spam bombing, vishing, and Quick Assist abuse, requiring stricter verification for remote support requests.
Key Indicators of Compromise (IOCs):
- SHA256: `335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4`
- SHA256: `d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2`
- January 2025: 794
Breach | 01 Jan 2025 | Zscaler
Vercel: App Host Vercel Was Hacked Through a Third-Party AI Tool
Vercel Breach Exposes Customer Credentials via Third-Party AI Tool
Score after incident: 747 (CRITICAL, -47 points) | Incident ID: VER1776772360
Cloud hosting platform Vercel recently disclosed a security breach stemming from a compromised third-party AI tool. The incident, which occurred after an employee connected a Google Workspace OAuth app developed by Context AI to their corporate account, allowed threat actors to access internal systems.
Vercel confirmed that a "limited subset of customers" had credentials exposed, though the company stated that those not contacted were unaffected. The breach did not impact Vercel’s popular open-source projects, including Next.js and Turbopack, but the hacker claiming responsibility under the alias "ShinyHunters" allegedly gained access to employee accounts, API keys (including NPM and GitHub tokens), and source code. The stolen data is reportedly being sold on hacking forums.
The attack highlights the growing risk of supply chain compromises targeting developer tools and third-party integrations. Vercel has since implemented additional security measures and monitoring to mitigate further exposure. While the company has not verified all of the hacker’s claims, the incident underscores the increasing sophistication of attacks leveraging OAuth-based applications.
Breach | 01 Jan 2025 | Zscaler
Salesloft, Zscaler, Drift and Palo Alto Networks: Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches
The Great SaaS Breach of 2025: How a Single OAuth Token Compromised 700+ Organizations
Score after incident: 747 (CRITICAL, -47 points) | Incident ID: ZSCPALDRISAL1773852939
A new report from Grip Security reveals alarming trends in SaaS security, analyzing 23,000 SaaS environments and uncovering critical vulnerabilities. Every company examined operates AI-embedded SaaS applications, with a 490% year-over-year surge in public SaaS attacks. 80% of incidents involve PII or customer data, but the most concerning finding is the average organization’s exposure to 140 AI-enabled SaaS environments, each a potential vector for cascading breaches.
The Salesloft Drift incident, dubbed the "Great SaaS Breach of 2025," exemplifies this risk. UNC6395 attackers compromised Salesloft’s GitHub repositories, then pivoted to Drift’s AWS environment, stealing OAuth and refresh tokens used by customers to connect the Drift Chatbot to Salesforce, Slack, and other apps. With a legitimate OAuth token, the attackers impersonated Drift, breaching Salesforce installations across 700+ organizations, including Cloudflare, Palo Alto Networks, Zscaler, and CyberArk.
The attack exploited shadow AI (AI embedded in SaaS apps without formal oversight), where businesses unknowingly adopt agentic AI for efficiency, often without auditing the security implications. OAuth tokens, treated as routine access credentials, became the weak link. Once stolen (often via infostealers), they granted attackers unhindered access, enabling them to cascade through connected systems via IdentityMesh, a unified authentication flaw that links multiple AI environments.
The report warns that 2026 could see even larger breaches, as autonomous workflows outpace security controls. While regulations are emerging, they remain fragmented, conflicting, and unevenly enforced. The solution, according to Grip, lies in dynamic governance: replacing static approvals with continuous oversight, discovery, and risk-based controls to treat AI as a managed third-party risk.
The incident underscores that AI is not a future threat but a present one, reshaping business risk, and that without proactive measures the blast radius of a single breach will only grow.
Frequently Asked Questions
- What is the current A.I Rankiteo Cyber Score for Zscaler?
- What was Zscaler's A.I Rankiteo Cyber Score in May 2026?
- What was Zscaler's A.I Rankiteo Cyber Score in April 2026?
- What was Zscaler's A.I Rankiteo Cyber Score in March 2026?
- What was Zscaler's A.I Rankiteo Cyber Score in February 2026?
- What was Zscaler's A.I Rankiteo Cyber Score in January 2026?
- What was Zscaler's A.I Rankiteo Cyber Score in December 2025?
- What was Zscaler's A.I Rankiteo Cyber Score in November 2025?
- What was Zscaler's A.I Rankiteo Cyber Score in October 2025?
- What was Zscaler's A.I Rankiteo Cyber Score in September 2025?
- What was Zscaler's A.I Rankiteo Cyber Score in August 2025?
- What was Zscaler's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Zscaler's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Zscaler?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Zscaler's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?