Cybersecurity company Zscaler has confirmed it fell victim to a widespread supply-chain attack that exposed customer contact information through compromised Salesforce credentials linked to marketing platform Salesloft Drift.
The breach, disclosed on August 31, 2025, stems from a larger campaign targeting Salesloft Drift’s OAuth tokens that has impacted over 700 organizations worldwide.
Zscaler emphasized that the incident was confined to its Salesforce environment and did not affect any of its core security products, services, or underlying infrastructure.
The security incident originated from a sophisticated supply-chain attack orchestrated by threat actor UNC6395, which Google Threat Intelligence Group and Mandiant researchers have been tracking since early August 2025.
Between August 8 and 18, 2025, attackers systematically compromised OAuth tokens associated with Salesloft Drift, an AI-powered chat agent integrated with Salesforce databases for sales workflow automation.
UNC6395 demonstrated advanced operational capabilities by using these stolen tokens to authenticate directly into Salesforce customer instances, bypassing multi-factor authentication entirely. The threat actors employed Python tools to automate the data theft process across hundreds of targeted organizations.
Information Compromised at Zscaler
According to Zscaler’s official statement, the compromised data was limited to commonly available business contact details and Salesforce-specific content, including:
- Names and business email addresses
- Job titles and phone numbers
- Regional and location details
- Zscaler product licensing and commercial information
- Plain text content from certain support cases (excluding attachments, files, and images)
“After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information,” the company stated. However, the breach highlights the vulnerability of third-party integrations in modern SaaS environments.
The Zscaler incident represents just one piece of what security researchers are calling the largest SaaS breach campaign of 2025. Google’s Threat Intelligence Group estimates that over 700 organizations have been impacted by this supply-chain attack.
Initially believed to target only Salesforce integrations, the campaign’s scope expanded significantly when Google confirmed on August 28 that OAuth tokens for Drift Email were also compromised, providing attackers with limited access to Google Workspace accounts. Most victims are technology and software companies, creating potential cascading supply-chain risks.
Zscaler acted swiftly to contain the incident by revoking Salesloft Drift’s access to its Salesforce data and rotating API access tokens as a precautionary measure. The company launched a comprehensive investigation in collaboration with Salesforce and implemented additional safeguards to prevent similar incidents.
On August 20, 2025, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens associated with the Drift application. Salesforce also removed the Drift application from its AppExchange marketplace pending further investigation.
This incident underscores critical vulnerabilities in SaaS-to-SaaS integrations that often bypass traditional security controls. OAuth tokens, once compromised, provide persistent access without triggering authentication alerts or requiring passwords.
While no evidence of data misuse has been found, Zscaler urges customers to maintain heightened vigilance against potential phishing attacks or social engineering attempts that could leverage the exposed contact details. The company emphasizes that official Zscaler support will never request authentication details through unsolicited communications.
Organizations using third-party SaaS integrations are advised to review all connected applications, revoke overly broad permissions, and implement continuous monitoring for unusual query activity or large-scale data exports.
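One way to implement the monitoring advised above, as an added example that is not part of the original article or any vendor's tooling: a per-application baseline over a constructed query log that flags a connected app whose daily row volume far exceeds its own history. The log columns, app names, user agents and thresholds are assumptions made for illustration, not a Salesforce log schema.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample data. Column names, app names and user agents are
# hypothetical and do not follow any vendor's log schema.
SAMPLE_LOG = """\
date,app,user_agent,rows
2025-08-01,chat-integration,integration-client/2.1,1200
2025-08-02,chat-integration,integration-client/2.1,900
2025-08-03,chat-integration,integration-client/2.1,1100
2025-08-04,chat-integration,integration-client/2.1,1000
2025-08-05,chat-integration,integration-client/2.1,950
2025-08-05,chat-integration,scripted-client/0.1,480000
2025-08-01,billing-sync,sync-agent/5.0,300
2025-08-02,billing-sync,sync-agent/5.0,320
2025-08-03,billing-sync,sync-agent/5.0,310
2025-08-04,billing-sync,sync-agent/5.0,290
2025-08-05,billing-sync,sync-agent/5.0,305
"""

def find_export_anomalies(log_text, ratio=10.0, min_rows=10000, min_history=3):
    """Return alerts for app-days whose row volume far exceeds that app's own history."""
    daily = defaultdict(lambda: defaultdict(int))   # app -> date -> total rows
    agents = defaultdict(lambda: defaultdict(set))  # app -> date -> user agents seen
    for rec in csv.DictReader(io.StringIO(log_text)):
        daily[rec["app"]][rec["date"]] += int(rec["rows"])
        agents[rec["app"]][rec["date"]].add(rec["user_agent"])
    alerts = []
    for app, per_day in daily.items():
        days = sorted(per_day)  # ISO dates sort chronologically as strings
        seen_agents = set()
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            # User agents this app has not used on any earlier day.
            new_agents = agents[app][day] - seen_agents if i else set()
            if len(history) >= min_history:
                base = median(history)
                # Require both an absolute floor and a multiple of the baseline.
                if per_day[day] >= min_rows and per_day[day] > ratio * base:
                    alerts.append({"app": app, "date": day, "rows": per_day[day],
                                   "baseline": base, "new_user_agents": sorted(new_agents)})
            seen_agents |= agents[app][day]
    return alerts

if __name__ == "__main__":
    for alert in find_export_anomalies(SAMPLE_LOG):
        print(alert)
```

The same comparison can be run over whatever per-integration query or API audit export the SaaS platform provides, with thresholds tuned to each integration's normal volume.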