Cybersecurity firm Zscaler has revealed it suffered a data breach after attackers exploited a compromise in Salesloft Drift, an AI-driven Salesforce integration tool. The incident is part of a larger supply-chain attack in which stolen OAuth and refresh tokens were leveraged to gain unauthorized access to Salesforce environments across multiple organizations.
Zscaler confirmed that its Salesforce instance was one of the targets, resulting in the exposure of sensitive customer details.
According to the company, the information accessed by threat actors included customer names, job titles, business email addresses, phone numbers, and geographic details. In addition, data related to Zscaler product licensing, commercial agreements, and content from certain support cases was also stolen.
While Zscaler has not disclosed the number of affected customers, it emphasized that the breach was limited to its Salesforce system and did not compromise any of its products, services, or underlying infrastructure.
The company stated that the unauthorized data access primarily took place between August 13 and 16, 2025, with some attempts occurring earlier. Although Zscaler has not detected any misuse of the stolen data, it has urged its customers to remain cautious of phishing emails and social engineering campaigns that could exploit the compromised information.
In response to the incident, Zscaler has taken several steps to mitigate risks, including revoking all Salesloft Drift integrations with Salesforce, rotating API tokens across its systems, and implementing stricter customer authentication protocols when handling support requests.
An internal investigation into the full scope of the breach is ongoing.
The attack has been linked to a campaign attributed to the threat group UNC6395, which was previously flagged by Google Threat Intelligence. This group is believed to have targeted Salesforce support cases to collect highly sensitive credentials such as AWS access keys, passwords, and Snowflake tokens.
Google researchers also noted that the attackers attempted to cover their tracks by deleting query jobs, although audit logs remained available for review.
The compromise of Salesloft Drift has had wide-reaching consequences across the SaaS ecosystem, impacting companies including Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries.
In many of these cases, attackers used vishing tactics to trick employees into authorizing malicious OAuth applications, enabling large-scale data theft later exploited in extortion schemes.
Both Google and Salesforce have since suspended their Drift integrations while investigations continue. Security experts warn that this incident highlights the growing risks of supply-chain attacks and the urgent need for stronger oversight of third-party integrations.
