Zscaler takes “test environment” offline after rumors of a breach
Update 5/8/24: Out original article was updated to include new information about a breached “test” environment.
Zscaler says that they discovered an exposed “test environment” that was taken offline for analysis after rumors circulated that a threat actor was selling access to the company’s systems.
In a Wednesday afternoon post, Zscaler initially stated that its ongoing investigation showed no evidence that its customer or production environments were breached.
“Zscaler’s priority is our customer and production environment and we have not discovered any evidence of incident or compromise to these environments. We are continuing our investigation and closely monitoring the situation,” reads a post on Zscaler’s Trust site.
A Zscaler employee also shared on Mastodon that the company investigated the rumors and that they are “completely inaccurate and unfounded.”
However, in an evening update, Zscaler confirmed that they discovered an “isolated test environment” exposed to the internet, which they took offline for forensic analysis.
“Our investigation discovered an isolated test environment on a single server (without any customer data) which was exposed to the internet,” confirmed Zscaler in an evening update.
“The test environment was not hosted on Zscaler infrastructure and had no connectivity to Zscaler’s environments. The test environment was taken offline for forensic analysis.”
Zscaler says that no company, customer, or production environments were impacted by the incident.
The rumors started after a well-known threat actor named IntelBroker began selling what they claim is access to a cybersecurity company with a revenue of $1.8 billion.
This access allegedly includes “Confidential and highly critical logs packed with credentials, SMTP Access, PAuth Pointer Auth Access, SSL Passkeys & SSL Certificates.”
While IntelBroker did not share the name of the company, a screenshot shared with BleepingComputer by digital forensics student James, shows the threat actor claiming it was Zscaler in the Breach Forums shoutbox.
Furthermore, as Zscaler is listed on ZoomInfo with a revenue of $1.8 billion, others tied the forum post to the company, stating they were the ones who were breached.
IntelBroker rose to notoriety after breaching DC Health Link, which led to a congressional hearing after the attack exposed the personal data of U.S. House of Representatives members and staff.
Since then, IntelBroker has been responsible for numerous other breaches, including ones on Acuity, Home Depot, and Weee!.
IntelBroker also claimed to have hacked Hewlett Packard Enterprise (HPE) in February, which the company initially denied but later told BleepingComputer that a test environment was breached.
BleepingComputer contacted Zscaler to learn more about their investigation and these claims but did not receive a response by the time of publication.