Zscaler confirms data breach after hackers accessed its Salesforce environment through a compromised Salesloft Drift integration.
Quick Summary – TLDR:
- Hackers exploited a Salesloft Drift vulnerability to gain unauthorized access to Zscaler’s Salesforce data.
- Stolen data includes customer contact details, support case content, and licensing info.
- The breach is part of a wider campaign targeting multiple Salesforce customers using social engineering tactics.
- Zscaler, Google, and Salesforce have taken action to contain the breach and advise all users to rotate credentials.
What Happened?
Zscaler, a major cybersecurity company, has disclosed a data breach after attackers gained unauthorized access to its Salesforce instance through a compromised third-party integration with Salesloft Drift. This supply chain attack allowed limited access to customer support data and contact details, though Zscaler emphasized that its core infrastructure and services remain unaffected.
The incident is tied to a broader wave of attacks attributed to a threat group known as UNC6395, which has been systematically stealing OAuth tokens to breach corporate environments.
How the Attack Unfolded?
The breach originated from Salesloft Drift, an AI-driven marketing tool integrated with Salesforce. Threat actors exploited a vulnerability in Drift’s OAuth implementation, allowing them to steal authentication and refresh tokens.
These tokens were then used to access connected Salesforce environments, including Zscaler’s. While the access was limited, attackers managed to extract sensitive data including:
- Full names
- Business email addresses
- Job titles
- Phone numbers
- Geographic locations
- Zscaler product licensing and commercial details
- Content from specific support cases
Zscaler confirmed that no misuse of the stolen data has been detected so far. However, due to the nature of the breach, the company has urged its customers to remain alert for phishing and social engineering attempts.
📰 Zscaler Data Breach Exposes Customer Information After Salesloft Drift Compromise
— Dark Web Informer (@DarkWebInformer) September 1, 2025
The exposed information is said to include:
• Names
• Business email addresses
• Job titles
• Phone numbers
• Regional/location details
• Zscaler product licensing and commercial… pic.twitter.com/LhFMd2PkWS
A Widening Campaign Targeting the Salesforce Ecosystem
This incident is part of a much broader campaign targeting companies that integrate third-party apps like Drift with Salesforce. Google Threat Intelligence and Mandiant attributed the attacks to UNC6395, noting that the hackers were particularly focused on stealing credentials, such as:
- AWS access keys (AKIA)
- Passwords
- Snowflake-related tokens
Between August 8 and August 18, 2025, attackers exported large volumes of data from multiple corporate Salesforce instances. Although the hackers deleted query logs in an attempt to cover their tracks, organizations were advised to conduct thorough log reviews and credential rotations.
The attack did not stop at Salesforce. Google’s investigation revealed that the Drift Email integration was also compromised, allowing access to certain Google Workspace email accounts. Google has since revoked those tokens and suspended the Drift integration across its services.
Zscaler’s Response and Mitigation Efforts
In response to the breach, Zscaler took immediate action to minimize further risk:
- Revoked all Drift integrations from its Salesforce environment
- Rotated all API tokens connected to affected systems
- Strengthened customer support authentication protocols
- Launched a joint investigation with Salesforce
- Reviewed third-party vendor access policies
Google and Salesforce have also taken steps to contain the breach by temporarily disabling Drift integrations, notifying affected users, and pulling the app from Salesforce AppExchange.
Other Victims in the Campaign
Zscaler is not alone. The same campaign has affected dozens of other organizations, including big names like:
- Cisco
- Adidas
- Workday
- Farmers Insurance
- Qantas
- Allianz Life
- LVMH brands: Louis Vuitton, Dior, Tiffany & Co, Tiffany.
These attacks typically begin with voice phishing (vishing), where attackers convince employees to install malicious OAuth apps linked to their company’s Salesforce instance. Once inside, they exfiltrate sensitive data and use it for extortion.
SQ Magazine’s Takeaway
This is a textbook case of why even trusted third-party integrations can become dangerous entry points. As someone who values cybersecurity, it’s frustrating to see sophisticated vendors like Zscaler fall victim through no direct fault of their own. It goes to show that supply chain security is not optional anymore. I strongly recommend businesses tighten their OAuth controls, audit integrations frequently, and prepare for the reality that even read-only access can lead to serious data exposure.
