Excerpt from Bleeping Computer Article, Published on September 1, 2025

Zscaler, a global cybersecurity leader, has confirmed a recent data breach after attackers exploited vulnerabilities in the Salesloft Drift integration with Salesforce, resulting in unauthorized access to customer information. This incident has raised concerns across the industry, spotlighting the risks posed by supply-chain attacks and highlighting the importance of robust digital security.

As reported by Zscaler, the breach was limited to its Salesforce instance and impacted only specific customer data—names, business email addresses, job titles, phone numbers, regional details, and Zscaler product licensing information were exposed. Additionally, certain customer support case contents fell victim to the attack. Zscaler reassured clients that no core products, services, or infrastructure were compromised, and the company swiftly revoked all Salesloft Drift integrations, rotated API tokens, and enacted enhanced authentication measures for future customer interactions.

The threat actors leveraged stolen OAuth and refresh tokens from Salesloft Drift, targeting authenticated environments in Salesforce to exfiltrate sensitive data. This campaign was flagged last week by Google Threat Intelligence, which attributed the activity to UNC6395. The attackers focused on harvesting support case data, particularly authentication tokens, passwords, and cloud access keys, and showed sharp operational security practices by deleting their query jobs, though log files remained intact.
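Because the attackers mined support case contents for credentials, one practical mitigation is to scan case text for secrets before it is stored in a CRM and to flag existing cases for rotation and redaction. The following is an added example of such a scanner, not code from the article, Zscaler, or Salesforce; the support cases are constructed samples, and apart from the documented AWS access key ID format the patterns are assumed heuristics rather than any vendor's specification.

```python
import re

# Heuristic patterns for the secret types the article says were harvested from
# support cases. The AWS access key ID format (AKIA/ASIA + 16 chars) is the
# documented one; the other three are assumed generic heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
    "generic_api_key": re.compile(r"(?i)\b(?:api[_-]?key|token)\s*[:=]\s*[A-Za-z0-9._\-]{16,}"),
}

# Constructed sample support cases (not real customer data). The AWS key is
# the placeholder value AWS uses in its own documentation.
CASES = [
    {"id": "C-1001", "body": "Customer cannot log in to the portal. Shared creds for repro: "
                             "password=Hunter2!2025 and AWS key AKIAIOSFODNN7EXAMPLE"},
    {"id": "C-1002", "body": "API call fails with 401. Header used: Authorization: Bearer "
                             "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123def456"},
    {"id": "C-1003", "body": "Proxy returns 502 intermittently since the upgrade; no credentials in this case."},
]


def find_secrets(text):
    """Return (kind, matched_text) pairs in order of appearance in the text."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    hits.sort()
    return [(kind, value) for _, kind, value in hits]


def redact(text):
    """Replace every detected secret with a labelled placeholder."""
    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {kind}]", text)
    return text


def triage(cases):
    """Map case id -> list of secret kinds found, for cases that need follow-up.

    Each returned case needs (1) the exposed credential rotated and
    (2) the stored case body replaced with redact(body).
    """
    report = {}
    for case in cases:
        kinds = [kind for kind, _ in find_secrets(case["body"])]
        if kinds:
            report[case["id"]] = kinds
    return report


if __name__ == "__main__":
    for case_id, kinds in triage(CASES).items():
        print(f"{case_id}: rotate {', '.join(kinds)}")
    print(redact(CASES[0]["body"]))
```

Run on a real export, the same `triage` report is the worklist for credential rotation, and `redact` produces the text to write back so a later exfiltration of case data yields nothing reusable. Heuristic patterns produce false positives (for example "token" used in ordinary prose), so treat findings as candidates for a human to confirm rather than as automatic rewrites.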

Security experts believe the breach may overlap with attacks led by the cybercrime group ShinyHunters, known for social engineering and OAuth exploitation. The attackers used voice phishing (vishing) tactics, convincing employees to install malicious OAuth apps, which gave them access to databases for extortion attempts. Affected organizations include Google, Cisco, and several global brands.

Zscaler recommends that customers stay vigilant for phishing and social engineering attacks now that some contact details have been exposed. The company has bolstered its customer authentication protocol and continues its forensic investigation to prevent further incidents.

To delve deeper into this topic, read the Bleeping Computer article.