Zscaler has confirmed a data breach linked to the broader compromise of Salesloft Drift, exposing customer details stored within its Salesforce environment. While Zscaler’s products and infrastructure remain unaffected, the attack highlights how supply-chain compromises can cascade into enterprise systems and expose sensitive information.
How the Breach Originated from the Salesloft Drift Compromise
The incident stems from a recent attack on Salesloft Drift, an AI-powered chat agent integrated with Salesforce environments. Attackers stole OAuth and refresh tokens, allowing unauthorized access to customer Salesforce instances. Using these tokens, the threat actors exfiltrated data from Zscaler’s Salesforce environment.
Zscaler acknowledged the impact in its advisory:
“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler’s Salesforce information.”
What Data Was Exposed in the Zscaler Data Breach
The breach led to exposure of sensitive customer-related information. The compromised data includes:
- Names
- Business email addresses
- Job titles
- Phone numbers
- Regional or location details
- Product licensing and commercial information
- Content from certain customer support cases
Zscaler emphasized that this breach was limited to its Salesforce instance and did not compromise its products, services, or infrastructure.
Zscaler’s Response and Mitigation Measures
To contain the incident, Zscaler revoked all Salesloft Drift integrations from its Salesforce instance and rotated API tokens. The company also enhanced authentication protocols for customer support interactions to reduce the risk of social engineering.
Zscaler reported no signs of misuse of the exposed data but advised customers to stay vigilant against phishing or other forms of targeted attacks that may leverage stolen details.
Threat Actor Activity and Google’s Findings
Google Threat Intelligence attributed the campaign to a group tracked as UNC6395. According to Google, the actors targeted Salesforce environments to steal credentials and authentication tokens.
Google’s report noted:
“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.”
The group’s tactics align with recent patterns of supply-chain intrusions and token theft campaigns aimed at exploiting enterprise support workflows.
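Google's finding that UNC6395 hunted for AWS access keys and passwords inside Salesforce data means the first defender task after such an exposure is to find which support cases held credential material so those credentials can be rotated. The following Python is an added example, not code from Zscaler, Google or this article; the case records, their field names and the password heuristic are assumptions constructed for illustration.

```python
import re

# Constructed sample of support-case records, modelled on the "support case
# content" category the article lists. These are NOT real Zscaler cases.
SAMPLE_CASES = [
    {"id": "CASE-0001", "body": "Customer cannot reach the tenant; error log attached."},
    {"id": "CASE-0002", "body": "Here are my creds: AKIAIOSFODNN7EXAMPLE / secret wJalrXUtnFEMI"},
    {"id": "CASE-0003", "body": "password=Winter2024! for the test account, please check SSO."},
    {"id": "CASE-0004", "body": "Snowflake stage load fails; see attached ticket."},
]

# Patterns for credential material an attacker could harvest from exported case text.
# AWS access key IDs are 20 characters starting with AKIA (AWS-documented format);
# the password pattern is a deliberately broad heuristic and is an assumption.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
}


def scan_case(case):
    """Return the names of the secret types found in one case body."""
    return [name for name, rx in PATTERNS.items() if rx.search(case["body"])]


def cases_needing_rotation(cases):
    """Map case id -> secret types, only for cases that actually contain credentials."""
    findings = {}
    for case in cases:
        hits = scan_case(case)
        if hits:
            findings[case["id"]] = hits
    return findings


def redact(text):
    """Mask matched secrets so the triage report itself does not re-expose them."""
    for rx in PATTERNS.values():
        text = rx.sub("[REDACTED]", text)
    return text


if __name__ == "__main__":
    for case_id, hits in cases_needing_rotation(SAMPLE_CASES).items():
        print(case_id, hits)
    print(redact(SAMPLE_CASES[1]["body"]))
```

The output is a rotation worklist keyed by case id; keep the redacted form in any report shared outside the response team.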
Wider Impact of the Salesloft Drift Cyberattack
Further investigation revealed that the compromise extended beyond Salesforce integrations. Attackers also abused Drift Email, which manages email replies and marketing automation data. Google confirmed that stolen OAuth tokens were used to access Google Workspace accounts and read emails.
In response, both Google and Salesforce temporarily disabled their Drift integrations while investigations continue.
Possible Links to ShinyHunters Campaigns
Some researchers believe that the Salesloft Drift incident overlaps with recent Salesforce data theft attacks by the ShinyHunters extortion group. ShinyHunters has conducted social engineering campaigns against Salesforce instances since the beginning of the year.
Their tactics often involve vishing, or voice phishing, to trick employees into authorizing malicious OAuth applications linked to corporate Salesforce accounts. Once inside, attackers exfiltrate customer data and exploit it for extortion or resale on dark web marketplaces.
While Zscaler insists that no misuse has been detected, the incident underscores how supply-chain vulnerabilities and OAuth token theft can open pathways into trusted enterprise platforms like Salesforce.
Customer data — such as email addresses, job titles, and support case content — is highly valuable for phishing and social engineering campaigns, raising concerns across industries reliant on Salesforce integrations.