Zscaler said it suffered a data breach after unauthorized actors gained access to its Salesforce instance, a breach linked to the broader Salesloft Drift supply-chain compromise. The attackers allegedly stole OAuth and refresh tokens tied to Salesloft Drift, enabling access to customer Salesforce environments and the exfiltration of data. In its advisory, the company confirmed that the compromise was limited to its Salesforce information and did not extend to Zscaler products, services, or infrastructure.
The exposed data, outlined by Zscaler, includes customer names, business email addresses, job titles, phone numbers, and regional or location details, along with licensing and commercial information related to Zscaler products and content from certain customer support cases. Zscaler emphasized that the breach was confined to its Salesforce instance and did not compromise other systems.
In response to the incident, Zscaler said it has revoked all Salesloft Drift integrations to its Salesforce instance, rotated other API tokens, and launched a broader investigation. The company also noted that it has strengthened authentication protocols for customer support interactions to guard against social-engineering attempts tied to the exposed data. While no misuse of the information has been detected, Zscaler urged customers to remain vigilant against phishing and related attacks.
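The response steps described above (revoke every token held by the compromised integration, rotate other tokens that share exposure, and look for misuse) as an added Python example; this is not Zscaler's or Salesforce's code, and the record shapes, field names, user names and IP ranges are constructed assumptions rather than Salesforce's actual API.

```python
from ipaddress import ip_address, ip_network

# The integration named in the article; everything else below is constructed.
COMPROMISED_APP = "Salesloft Drift"

# Constructed: egress ranges the integration vendor is expected to call from
# (a real tenant would take these from the vendor's published ranges).
EXPECTED_RANGES = [ip_network("203.0.113.0/24")]

# Constructed records shaped like connected-app token rows: which app holds a
# token and which user authorised it.
TOKENS = [
    {"id": "tok-1", "app": "Salesloft Drift", "user": "sales.ops@example.com"},
    {"id": "tok-2", "app": "Salesloft Drift", "user": "support.lead@example.com"},
    {"id": "tok-3", "app": "Billing Sync",    "user": "sales.ops@example.com"},
    {"id": "tok-4", "app": "HR Connector",    "user": "hr.admin@example.com"},
]

# Constructed records shaped like API login-history rows.
LOGINS = [
    {"app": "Salesloft Drift", "user": "sales.ops@example.com", "ip": "203.0.113.7"},
    {"app": "Salesloft Drift", "user": "support.lead@example.com", "ip": "198.51.100.23"},
    {"app": "Billing Sync",    "user": "sales.ops@example.com", "ip": "198.51.100.23"},
]


def tokens_to_revoke(tokens, app=COMPROMISED_APP):
    """Every token issued to the compromised app is revoked, used or not:
    a stolen refresh token keeps minting access tokens until it is invalidated."""
    return sorted(t["id"] for t in tokens if t["app"] == app)


def tokens_to_rotate(tokens, app=COMPROMISED_APP):
    """Tokens of other apps authorised by the same users are rotated as well,
    since whatever those users could reach is now in scope of the incident."""
    exposed = {t["user"] for t in tokens if t["app"] == app}
    return sorted(t["id"] for t in tokens if t["app"] != app and t["user"] in exposed)


def suspicious_logins(logins, app=COMPROMISED_APP, ranges=EXPECTED_RANGES):
    """API logins by the compromised app from outside its expected egress:
    a replayed stolen token shows up here and goes to the investigation queue."""
    return [
        rec for rec in logins
        if rec["app"] == app
        and not any(ip_address(rec["ip"]) in net for net in ranges)
    ]


if __name__ == "__main__":
    print("revoke:", tokens_to_revoke(TOKENS))
    print("rotate:", tokens_to_rotate(TOKENS))
    print("review:", suspicious_logins(LOGINS))
```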
Industry observers have highlighted the role of Google Threat Intelligence in tracking the activity, with findings published by Google Cloud identifying UNC6395 as the actor behind the intrusions. The report notes that attackers used stolen OAuth tokens to access Google Workspace email accounts and other credentials as part of the same campaign, underscoring the broader risk landscape around Salesforce integrations and token-based access. Google and Salesforce have temporarily disabled Drift integrations pending further investigation.
Overall, the incident illustrates how exposed Salesforce environments are to supply-chain compromises, and the downstream risk to customer data reached through connected services such as Drift. Investigators are continuing to assess the scope and impact, alongside steps to prevent future token theft and social-engineering attempts.