Zscaler Confirms Data Breach: Hackers Compromise Salesforce Instance and Steal Customer Data
Zscaler has confirmed that it was the victim of a significant supply-chain attack that exposed customer contact information through compromised Salesforce credentials linked to the marketing platform Salesloft Drift. The breach, disclosed on August 31, 2025, is part of a larger campaign targeting Salesloft Drift’s OAuth tokens, affecting over 700 organisations globally. Zscaler emphasised that the incident was limited to its Salesforce environment and did not compromise any of its core security products, services, or underlying infrastructure.
The attack was orchestrated by the threat actor UNC6395, which the Google Threat Intelligence Group and Mandiant researchers have been tracking since early August 2025. Between August 8 and 18, 2025, attackers systematically compromised OAuth tokens associated with Salesloft Drift, an AI-powered chat agent integrated with Salesforce for sales workflow automation.
The threat actors demonstrated advanced operational capabilities by using the stolen tokens to authenticate directly into Salesforce customer instances, bypassing multi-factor authentication entirely: an OAuth token stands in for a login that was already authorised, so presenting it triggers no interactive MFA challenge. They employed Python tools to automate the data theft process across hundreds of targeted organisations.
According to Zscaler’s official statement, the compromised data was limited to commonly available business contact details and Salesforce-specific content, including names, business email addresses, job titles, phone numbers, regional and location details, Zscaler product licensing, and commercial information. Following an extensive investigation, the company found no evidence of misuse of this information. However, the breach underscores the vulnerabilities of third-party integrations in modern SaaS environments.
Zscaler acted swiftly to contain the incident by revoking Salesloft Drift’s access to its Salesforce data and rotating API access tokens as a precautionary measure.
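Because a token issued to an integration is accepted without an MFA prompt, one defender-side check is to compare each integration's API activity against how that integration normally behaves. The following is an added example, not code from Zscaler, Salesloft or the original article. The log columns, app names, baseline networks, client strings and volume threshold are assumptions, and the sample events are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of API access events; column names are hypothetical,
# not a real Salesforce log schema. IPs come from documentation ranges.
SAMPLE_EVENTS = """\
timestamp,connected_app,source_ip,user_agent,rows_returned
2025-08-12T09:00:01Z,chat-integration,192.0.2.10,vendor-sync/4.2,40
2025-08-12T09:05:07Z,chat-integration,192.0.2.11,vendor-sync/4.2,55
2025-08-12T23:41:12Z,chat-integration,203.0.113.77,python-requests/2.32,18000
2025-08-12T23:41:59Z,chat-integration,203.0.113.77,python-requests/2.32,22000
2025-08-12T10:15:00Z,reporting-tool,198.51.100.5,report-client/1.0,900
"""

# Assumed baseline: networks and client string each integration normally uses.
BASELINE = {
    "chat-integration": {"nets": ["192.0.2.0/24"], "agent": "vendor-sync/"},
    "reporting-tool": {"nets": ["198.51.100.0/24"], "agent": "report-client/"},
}
BULK_ROWS = 10_000  # assumed per-source volume that counts as a bulk export


def find_token_misuse(log_text, baseline=BASELINE, bulk_rows=BULK_ROWS):
    """Return one finding per (app, source IP) that deviates from the baseline."""
    stats = defaultdict(lambda: {"rows": 0, "reasons": set()})
    for ev in csv.DictReader(io.StringIO(log_text)):
        app, ip = ev["connected_app"], ipaddress.ip_address(ev["source_ip"])
        expected = baseline.get(app)
        reasons = set()
        if expected is None:
            reasons.add("unknown_app")
        else:
            if not any(ip in ipaddress.ip_network(n) for n in expected["nets"]):
                reasons.add("unexpected_source_ip")
            if not ev["user_agent"].startswith(expected["agent"]):
                reasons.add("unexpected_user_agent")
        entry = stats[(app, str(ip))]
        entry["rows"] += int(ev["rows_returned"])
        entry["reasons"] |= reasons
    findings = []
    for (app, ip), e in sorted(stats.items()):
        if e["reasons"]:  # volume only escalates a source that already deviates
            if e["rows"] >= bulk_rows:
                e["reasons"].add("bulk_export")
            findings.append({"app": app, "source_ip": ip, "rows": e["rows"],
                             "reasons": sorted(e["reasons"])})
    return findings
```

Calling `find_token_misuse(SAMPLE_EVENTS)` returns a single finding for the integration's token being used from `203.0.113.77`, while the in-baseline traffic produces none.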
Categories: Supply-Chain Attack, Data Breach, Third-Party Vulnerabilities
Tags: Zscaler, Cybersecurity, Supply-Chain Attack, Salesforce, Salesloft Drift, OAuth Tokens, Data Breach, Threat Actor, SaaS, Security Incident