Zscaler Confirms Data Breach After Salesloft Drift Supply-Chain Compromise

Cybersecurity firm Zscaler has disclosed a data breach after attackers accessed its Salesforce environment through compromised credentials from Salesloft Drift, an AI chat agent that integrates with Salesforce.

The breach stems from a wider supply-chain attack on Salesloft Drift in which threat actors stole OAuth and refresh tokens. These tokens granted unauthorized access to Salesforce customer instances, allowing sensitive information to be exfiltrated.

In its advisory, Zscaler confirmed its Salesforce instance was among those impacted:

“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler,” the company stated. “Following a detailed review, we determined these credentials allowed limited access to certain Salesforce data.”

Information Exposed

The compromised data includes:

  • Customer names
  • Business email addresses
  • Job titles
  • Phone numbers
  • Regional/location details
  • Product licensing and commercial details
  • Content from certain customer support cases

Zscaler emphasized that the breach only affected its Salesforce system—no Zscaler products, infrastructure, or services were compromised.

Although no misuse has been detected so far, the company urged customers to remain alert for phishing or social engineering attempts leveraging the exposed data.

Mitigation Steps

  • Revoked all Salesloft Drift integrations with Salesforce
  • Rotated API tokens
  • Enhanced customer authentication during support calls to reduce social engineering risks

Read the Zscaler advisory HERE.

The company continues to investigate the incident.

Broader Campaign Linked to UNC6395

Google Threat Intelligence recently attributed the Drift compromise to a group tracked as UNC6395, which has been stealing Salesforce support cases to harvest credentials, AWS access keys, Snowflake tokens, and other sensitive data.

According to Google, UNC6395 also displayed operational security tactics—such as deleting query jobs to obscure activity—though logs remained intact for forensic review.

The campaign extends beyond Drift’s Salesforce integration. Attackers also exploited Drift Email, gaining access to CRM and marketing automation data, and even used stolen OAuth tokens to infiltrate Google Workspace accounts to read corporate emails.

Both Google and Salesforce have since disabled Drift integrations while investigations continue.

Connection to ShinyHunters Campaign

Security researchers believe this incident overlaps with recent Salesforce data theft attacks by the ShinyHunters extortion group, which has been targeting organizations since early 2025.

These attackers have relied heavily on social engineering, including vishing (voice phishing), to trick employees into approving malicious OAuth apps connected to their Salesforce systems. Once linked, the attackers downloaded large datasets and used them for extortion.

Since June, breaches tied to this campaign have affected multiple major organizations, including Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.).

Read the Google Threat Intelligence Group report, “Widespread Data Theft Targets Salesforce Instances via Salesloft Drift,” HERE.

Preventing SaaS Supply Chain Attacks

To reduce the risk of SaaS supply chain compromises, prioritize the following practices:

  • Enforce least privilege for service accounts. Maintain clear visibility into the exact data each identity can access.
  • Scan for exposed secrets. Regularly check for AWS keys, tokens, and passwords stored in Salesforce schemas or data records.
  • Control data access—not just APIs. Instead of relying solely on scope restrictions for Salesforce integrations, monitor and limit which Objects, Fields, and Records are accessible to accounts and apps.
  • Correlate SaaS logs. Integrate logs from Salesforce, Okta, Google, and Microsoft to provide security teams with comprehensive visibility.
  • Leverage behavioral analytics. Use UEBA to detect suspicious activity, even when access patterns appear normal.
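As an added example (not code from the article or from Zscaler), the following script shows the "scan for exposed secrets" practice above: it walks support-case records for the credential types the campaign harvested (AWS keys, pasted passwords) and reports masked findings for triage. The case records are constructed samples and their field layout is an assumption; the AWS key strings are AWS's published example values.

```python
import re

# Constructed sample support cases (not real data); the record layout is an assumption.
SAMPLE_CASES = [
    {"id": "CASE-0001", "subject": "Login issue",
     "body": "I can't sign in to the portal since Monday."},
    {"id": "CASE-0002", "subject": "S3 sync failing",
     "body": "Using AKIAIOSFODNN7EXAMPLE with secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still 403."},
    {"id": "CASE-0003", "subject": "DB creds",
     "body": "temp password: Sup3rS3cret! please reset after."},
]

# Detection patterns: the AWS key shapes follow AWS's documented formats
# (AKIA/ASIA + 16 chars; 40-char base64-like secret); the password rule is a heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)secret[^A-Za-z0-9/+]{0,5}([A-Za-z0-9/+]{40})\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S{6,})"),
}


def mask(value: str) -> str:
    """Keep a short prefix/suffix so a finding can be triaged without re-exposing the secret."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def scan_case(case: dict) -> list[dict]:
    """Return one masked finding per secret-like match in the case's free-text fields."""
    findings = []
    for field in ("subject", "body"):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(case.get(field, "")):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append({"case_id": case["id"], "field": field,
                                 "type": name, "masked": mask(value)})
    return findings


def scan_cases(cases: list[dict]) -> list[dict]:
    """Scan every case; in practice feed this from a Salesforce export or API pull."""
    return [f for case in cases for f in scan_case(case)]


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

Cases that produce findings are candidates for credential rotation and for redaction of the stored case text.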

About Zscaler

Zscaler is an American cloud security company offering a Software-as-a-Service (SaaS) platform that provides secure internet and application access for businesses, primarily through a Zero Trust Exchange architecture. Their core services include Zscaler Internet Access (ZIA) for securing access to the internet and SaaS applications, and Zscaler Private Access (ZPA) for securely connecting users to internal applications, all without placing them on the network. By routing traffic through its global cloud network, Zscaler protects against malware, unauthorized access, and data loss, replacing traditional, less effective VPNs and firewalls with a cloud-native, zero-trust security model.
