Zscaler, Palo Alto Networks, and SpyCloud are among the companies impacted by the Salesloft data breach.
In the wake of a recent breach at Salesloft, attributed to a group that Google tracks as UNC6395, several companies, including Zscaler, Palo Alto Networks, PagerDuty, Tanium, and SpyCloud, confirmed that their Salesforce instances were accessed. The attackers had limited access to Salesforce databases and did not breach other systems or resources. However, the stolen customer data poses a significant risk, as it could be exploited for convincing phishing and social engineering attacks. Salesloft, known for its popular sales engagement platform, reported that from August 8 to August 18, 2025, attackers used compromised OAuth credentials to exfiltrate data from the Salesforce instances of customers using the Drift-Salesforce integration.
Following the breach, the Google Threat Intelligence Group (GTIG) confirmed that the compromise extended to other integrations, including the Drift Email application. On August 9, 2025, a threat actor accessed emails from a small number of Google Workspace accounts using compromised OAuth tokens. Security researchers from Astrix and WideField observed suspicious activity, indicating that attackers were rifling through Salesforce databases and Gmail accounts. Over 700 companies were impacted by this breach, with attackers primarily searching for AWS access keys, passwords, and Snowflake-related access tokens. Salesloft has engaged cybersecurity experts from Mandiant and Coalition to investigate the incident and has advised Drift customers managing their own API key connections to revoke existing keys and reconnect with new ones.