Zscaler's breach, tied to the Salesloft Drift attack, exposed Salesforce data, leaking customer contact information and support-case details in a supply-chain compromise.
Zscaler has disclosed a data breach linked to the recent Salesloft Drift attack. The cybersecurity vendor confirmed it was affected by a campaign targeting Salesloft Drift, a marketing SaaS application that integrates with Salesforce. Threat actors stole the OAuth tokens issued to the Drift application, and the incident impacted multiple Salesforce customers, including Zscaler. The attackers used the compromised Drift credentials to gain limited access to some of Zscaler's Salesforce data. The company pointed out that its products, services, and core infrastructure were not compromised.
“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some of Zscaler’s Salesforce information.” reads the advisory published by Zscaler. “After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information.”
The information exposed in the incident consists of commonly available business contact details for points of contact and specific Salesforce-related content, including: names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, and content from certain support cases. The support-case content is the item to watch most closely, since the operators of this campaign are known to have searched exported Salesforce records for credentials.
Zscaler said it has revoked Drift's access to its Salesforce instance, rotated API tokens, launched a joint investigation with Salesforce, added safeguards, reviewed its third-party vendor integrations, and strengthened authentication for customer support interactions to reduce the risk of phishing.
Despite the limited impact and the absence of evidence of misuse, the company urges customers to remain vigilant against phishing and social-engineering attempts that could leverage the exposed contact and support-case details.
Last week, Google disclosed that the Salesloft Drift OAuth compromise extends beyond the Salesforce integration to other Drift integrations. GTIG and Mandiant now advise all Drift customers to treat any authentication tokens stored in or connected to the platform as potentially compromised. On August 9, 2025, the attackers used stolen OAuth tokens for the Drift Email integration to read email from a very small number of Google Workspace accounts. Google stressed that this was not a compromise of Workspace itself: only accounts explicitly configured to integrate with Salesloft were exposed, and the actor could not reach other accounts in a customer's Workspace domain.
“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.” reads the update published by Google Threat Intelligence Group (GTIG).
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the “Drift Email” integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts. The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain.”
Google has notified impacted users, revoked the Drift Email OAuth tokens, disabled the Drift integration with Workspace, and urged Salesloft Drift users to review all third-party integrations, rotate credentials, and check for signs of compromise.
Last week, Google Threat Intelligence Group and Mandiant researchers reported that they had investigated a large-scale data theft campaign in which attackers compromised the sales automation platform Salesloft to steal OAuth and refresh tokens associated with its Drift artificial intelligence (AI) chat agent.
The experts determined that the threat actor tracked as UNC6395 used the OAuth tokens stolen via Salesloft Drift to exfiltrate data from Salesforce instances between August 8 and 18, 2025, and then searched the stolen data for credentials such as AWS access keys (identifiable by their AKIA prefix) and Snowflake access tokens.
“Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.” reads the report published by the Google Threat Intelligence Group (GTIG). “The actor systematically exported large volumes of data from numerous corporate Salesforce instances.”
Because UNC6395 exported Salesforce data wholesale, GTIG advises affected organizations to treat any credentials stored in that data as compromised and to rotate them. The actor also deleted its query jobs in an attempt to evade detection, so Google urges customers to review the relevant logs for evidence of access, revoke exposed keys, and rotate credentials in order to assess and contain the compromise.
Salesloft warned that the attackers used OAuth credentials belonging to the Drift app to steal Salesforce data, including Cases, Accounts, Users, and Opportunities objects. On August 20, 2025, it revoked all Drift–Salesforce connections and stressed that customers who do not use the Drift–Salesforce integration are unaffected. Administrators are advised to re-authenticate their Salesforce integrations; impacted customers have been notified, although the full scale of the incident remains unclear.
“From August 8 to August 18, 2025, a threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances. All impacted customers have been notified.” reads the Drift/Salesforce Security Update published by Salesloft. “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration.”
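Both GTIG and Salesloft describe the actor's goal as harvesting AWS access keys, passwords and Snowflake-related tokens from exported Salesforce records, and GTIG's advice is to treat any such credential as compromised and rotate it. The script below is an added example of how a defender can triage that exposure on their own Salesforce export; it is not code from Zscaler, Salesloft, Salesforce or GTIG. The AWS access key ID format (prefix AKIA for long-lived keys, ASIA for temporary ones, then 16 uppercase alphanumerics) is AWS-documented; the secret-key, Snowflake-URL and password patterns, the field names and the sample Case records are assumptions constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Credential patterns. The AWS access key ID format is AWS-documented; the
# secret-key, Snowflake and password patterns are heuristics chosen for this
# example and will need tuning per tenant.
CREDENTIAL_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ ]?secret[_ ]?(?:access[_ ]?)?key\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})"
    ),
    "snowflake_account_url": re.compile(
        r"\b[a-z0-9][a-z0-9-]*\.snowflakecomputing\.com\b", re.IGNORECASE
    ),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?(\S{6,})"
    ),
}

# Free-text Case fields where users tend to paste secrets into support tickets
# (assumed field names; adjust to the objects in your own export).
TEXT_FIELDS = ("Subject", "Description", "Comments")


def mask(secret: str) -> str:
    """Keep enough of a match to triage it without re-logging the secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_records(records: Iterable[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (record_id, field, credential_kind, masked_match) for every hit."""
    findings = []
    for rec in records:
        for field in TEXT_FIELDS:
            text = rec.get(field) or ""
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                for m in pattern.finditer(text):
                    # Use the capture group when the pattern has one (the secret
                    # itself), otherwise the whole match.
                    secret = m.group(1) if m.lastindex else m.group(0)
                    findings.append((rec["Id"], field, kind, mask(secret)))
    return findings


def rotation_summary(findings: Iterable[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Count findings per credential kind to drive the rotation work queue."""
    counts: Dict[str, int] = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample Case records (not real data); the key, secret and
# password values are fabricated and do not belong to any account.
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "Connector fails to auth",
     "Description": "Using AKIAEXAMPLEKEY000001 with "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5002", "Subject": "Snowflake ingest",
     "Description": "Our warehouse is at acme-prod.snowflakecomputing.com, "
                    "password: Sn0wflake!2025"},
    {"Id": "5003", "Subject": "Feature request", "Description": "Please add dark mode."},
]

if __name__ == "__main__":
    hits = scan_records(SAMPLE_CASES)
    for rec_id, field, kind, masked in hits:
        print(f"Case {rec_id} [{field}] {kind}: {masked}")
    print("to rotate:", rotation_summary(hits))
```

Run it over a CSV or Bulk API export of the objects Salesloft names (Cases, Accounts, Users, Opportunities) rather than only Cases; every hit is a credential the actor could have read and should be rotated regardless of whether the logs show it being used, because the query jobs were deleted.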
Salesforce said that only a small number of customers were affected, all through the compromised Drift app connection. Working with Salesloft, it revoked the affected tokens, removed Drift from AppExchange, and notified impacted users.
Pierluigi Paganini
(SecurityAffairs – hacking, Salesloft)