Zscaler Confirms Data Breach – Hackers Compromised Salesforce Instance and Stole Customer Data

Zscaler, a cybersecurity company, has confirmed experiencing a supply-chain attack that exposed customer contact information. The breach was carried out with compromised Salesforce access credentials, in the form of OAuth tokens, that the marketing platform Salesloft Drift held for Zscaler's Salesforce instance.

The breach was disclosed on Thu, Aug 31, 2025, and is part of a broader campaign targeting Salesloft Drift’s OAuth tokens, affecting over 700 organizations globally.

Zscaler stated that the breach was restricted to its Salesforce environment and did not impact its core security products, services, or infrastructure.

Details of the Security Incident

The attack was orchestrated by the threat actor UNC6395, which has been under observation by Google Threat Intelligence Group and Mandiant researchers since early August 2025.

Between Thu, Aug 8, 2025, and Sun, Aug 18, 2025, attackers compromised OAuth tokens associated with Salesloft Drift, an AI-driven chat agent integrated with Salesforce databases for sales automation.

UNC6395 used these tokens to authenticate to customers' Salesforce instances, bypassing multi-factor authentication: a valid OAuth access token is accepted by the Salesforce API as proof of an already completed login, so no further MFA prompt is triggered. The attackers employed Python tools to automate data theft across numerous organizations.

Compromised Information at Zscaler

According to Zscaler, the compromised data included:

  • Names and business email addresses
  • Job titles and phone numbers
  • Regional and location details
  • Zscaler product licensing and commercial information
  • Plain text content from certain support cases (excluding attachments, files, and images)

Zscaler has found no evidence of misuse of this information. However, the incident highlights the risk that third-party integrations holding broad access grants pose within SaaS environments.

Response and Measures

Zscaler responded by revoking Salesloft Drift’s access to its Salesforce data and rotating API access tokens. The company also conducted a comprehensive investigation with Salesforce and implemented additional safeguards.

On Tue, Aug 20, 2025, Salesloft and Salesforce revoked all active access and refresh tokens associated with the Drift application and removed it from the AppExchange marketplace.

Recommendations

Organizations using third-party SaaS integrations should review every connected application and the permissions it holds, revoke grants broader than the integration needs, and continuously monitor those integrations for unusual activity.
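The review described in the recommendations above, together with the response steps in "Response and Measures" (revoking the integration's access and rotating tokens), can be reduced to a few checks over the org's connected-app grants and API activity. The following Python script is an added example and is not code from Zscaler, Salesforce or Salesloft. Its input records are constructed samples; the field names (`AppName`, `UserId`, `LastUsedDate`) are modelled on the Salesforce OauthToken object, while `Scopes` and the API event shape are assumptions made for the illustration and would come from whatever export or SIEM feed an organization actually has.

```python
"""Review connected-app OAuth grants and flag bulk API reads.

Added example (not Zscaler's, Salesforce's or Salesloft's code). All
input records below are constructed; field names are assumptions modelled
loosely on Salesforce's OauthToken object and on SIEM-style API events.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Scopes that let an integration read or change anything the granting user can.
BROAD_SCOPES = {"full", "api", "refresh_token"}
MAX_IDLE_DAYS = 30
# Apps whose grants must no longer exist (the page's case: Salesloft Drift).
REVOKED_APPS = {"Salesloft Drift"}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample of per-user OAuth grants (one row per user/app pair).
TOKENS = [
    {"Id": "tok-001", "AppName": "Salesloft Drift", "UserId": "user-a",
     "Scopes": "api refresh_token", "LastUsedDate": "2025-08-17T03:12:00Z"},
    {"Id": "tok-002", "AppName": "Salesloft Drift", "UserId": "user-b",
     "Scopes": "api refresh_token", "LastUsedDate": "2025-08-17T03:14:00Z"},
    {"Id": "tok-003", "AppName": "Expense Sync", "UserId": "user-c",
     "Scopes": "id profile", "LastUsedDate": "2025-08-19T09:00:00Z"},
    {"Id": "tok-004", "AppName": "Old BI Connector", "UserId": "user-d",
     "Scopes": "full", "LastUsedDate": "2025-05-01T12:00:00Z"},
]

# Constructed sample API query events: which app read how many rows, and when.
API_EVENTS = [
    {"ts": "2025-08-17T03:12:10Z", "AppName": "Salesloft Drift", "UserId": "user-a", "Rows": 50000},
    {"ts": "2025-08-17T03:13:40Z", "AppName": "Salesloft Drift", "UserId": "user-a", "Rows": 50000},
    {"ts": "2025-08-17T03:14:05Z", "AppName": "Salesloft Drift", "UserId": "user-b", "Rows": 48000},
    {"ts": "2025-08-19T09:00:30Z", "AppName": "Expense Sync", "UserId": "user-c", "Rows": 20},
]


def broad_grants(tokens):
    """Ids of grants whose scopes give the app broad API access."""
    return sorted(t["Id"] for t in tokens if set(t["Scopes"].split()) & BROAD_SCOPES)


def stale_grants(tokens, now=None, max_idle_days=MAX_IDLE_DAYS):
    """Ids of grants not used within max_idle_days; unused access is pure risk."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(t["Id"] for t in tokens if parse_ts(t["LastUsedDate"]) < cutoff)


def grants_to_revoke(tokens, revoked_apps=REVOKED_APPS):
    """Ids of grants belonging to apps that must be cut off entirely."""
    return sorted(t["Id"] for t in tokens if t["AppName"] in revoked_apps)


def bulk_read_alerts(events, window=timedelta(minutes=10), row_threshold=100000):
    """Apps that pulled more than row_threshold rows inside any sliding window.

    Returns {app_name: peak_rows_in_window}; automated mass export shows up
    as a burst of large reads that no normal sync of the app produces.
    """
    by_app = defaultdict(list)
    for e in events:
        by_app[e["AppName"]].append((parse_ts(e["ts"]), e["Rows"]))
    alerts = {}
    for app, reads in by_app.items():
        reads.sort()
        start, total = 0, 0
        for ts, rows in reads:
            total += rows
            # Slide the window start forward until it covers only `window`.
            while ts - reads[start][0] > window:
                total -= reads[start][1]
                start += 1
            if total > row_threshold:
                alerts[app] = max(alerts.get(app, 0), total)
    return alerts


if __name__ == "__main__":
    now = parse_ts("2025-08-20T00:00:00Z")
    print("broad grants:  ", broad_grants(TOKENS))
    print("stale grants:  ", stale_grants(TOKENS, now))
    print("revoke now:    ", grants_to_revoke(TOKENS))
    print("bulk readers:  ", bulk_read_alerts(API_EVENTS))
```

Run against the constructed data, the script lists the two Drift grants for immediate revocation, flags the dormant "full"-scope BI connector as both broad and stale, and raises a bulk-read alert for Drift, whose three queries pull about 148,000 rows within two minutes. The sliding-window check is deliberately keyed on the connected app rather than the user, since a stolen integration token is used under many users' identities at once.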

Zscaler advises customers to watch for phishing attacks that leverage the exposed data, emphasizing that its support staff will never request authentication details through unsolicited communications.
