Zscaler Confirms Exposure in Salesloft-Linked Data Breach
Zscaler has confirmed that it is among the latest organizations to be impacted by a major supply chain attack exploiting the Salesloft Drift application, which integrates with Salesforce.
According to the company, attackers managed to steal OAuth tokens tied to the third-party app, giving them access to Zscaler’s Salesforce environment. The security vendor explained that the compromised data mainly consisted of business-related information rather than sensitive personal or financial records. Specifically, the exposed details included names, work email addresses, job titles, phone numbers, location data, licensing and commercial details relating to Zscaler products, as well as plain-text content from certain customer support cases. However, Zscaler emphasized that no attachments, files, or images were accessed in the incident.
Upon detecting the unauthorized activity, the company acted quickly by revoking the Drift app’s access and rotating other API tokens as a precaution. In addition, it claimed to have put in place new safeguards and strengthened protocols to reduce the likelihood of similar breaches in the future.
While Zscaler noted that the incident appeared limited in scope and said there is no evidence so far of any misuse of the exposed data, it urged customers to exercise extra caution. The company warned that malicious actors could exploit the stolen information for phishing campaigns or social engineering attacks, and therefore advised clients to be vigilant about unsolicited emails, calls, or requests for confidential information.
This breach is part of a wider campaign being tracked by security researchers as UNC6395, which is said to have compromised numerous Salesforce customer environments between August 8 and August 18. The attackers reportedly exfiltrated large volumes of customer data during that period, potentially affecting hundreds of organizations.
More recently, it has also been revealed that the same campaign targeted a limited number of Google Workspace accounts through Salesloft Drift integrations, further underlining the scope of the threat. Given the scale and operational sophistication demonstrated, some experts have speculated that a nation-state threat actor could be behind the attacks.
Zscaler’s disclosure follows similar admissions from other companies caught in the same campaign, highlighting the continuing risks posed by supply chain compromises in cloud-based business ecosystems.
