
In late August 2025, Zscaler, like many organizations, was affected by a wide-reaching supply-chain attack that exploited the integration between Salesloft Drift—an AI-powered sales workflow application—and Salesforce.
What Was the Incident?
The attackers stole OAuth tokens associated with Salesloft Drift, a popular sales chat and workflow automation tool often used alongside Salesforce to manage leads and customer engagements. Using these stolen credentials, unauthorized actors accessed the Salesforce environments of multiple Salesloft Drift customers, including Zscaler.
Importantly, the breach was limited to our Salesforce instance. No Zscaler product systems, infrastructure, or cloud services were impacted at any time.
What Data Was Exposed?
The information accessed by the attackers included:
- Names, business email addresses, job titles, and phone numbers of business contacts
- Regional or location details
- Some Zscaler product licensing and commercial information
- Plain text contents of select Salesforce support cases (not including attachments or files)
We have found no evidence so far of the misuse of this information, but investigations remain ongoing.
Zscaler’s Mitigation and Response
As soon as we learned of the campaign, Zscaler:
- Revoked Salesloft Drift’s access to our Salesforce environment
- Rotated all API tokens and credentials related to affected third-party integrations
- Initiated a comprehensive investigation with Salesforce and outside security parties
- Enhanced authentication for customer support to help mitigate possible phishing and social engineering stemming from the breach
- Strengthened internal third-party vendor reviews to improve overall SaaS security governance
Broader Context: An Industry-Wide Campaign
The threat actor behind this attack, identified as UNC6395, used the compromised Salesloft Drift tokens to target a wide range of organizations by systematically extracting Salesforce data. The attackers were particularly interested in credentials for platforms like AWS and Snowflake, as well as sensitive corporate records.
Salesloft and Salesforce have since revoked affected connections, disabled Drift integrations, and advised all customers using Drift for Salesforce to rotate credentials and verify access controls.
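Because the exposed data included plain-text support case contents and the attackers were looking for credentials for platforms like AWS and Snowflake, one defensive follow-up to the rotation advice above is to scan an export of your own case text for pasted secrets and rotate whatever turns up. The Python sketch below is an added example, not Zscaler's or Salesforce's code; the pattern set, function names, and sample cases are assumptions constructed for illustration.

```python
import re

# Patterns for secrets commonly pasted into support tickets. The AWS key-ID
# prefixes follow AWS's documented format; the other two are heuristics
# (assumptions) and will need tuning for real data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account_url": re.compile(
        r"\b[\w.-]+\.snowflakecomputing\.com\b", re.I),
    "inline_secret": re.compile(
        r"\b(?:password|passwd|pwd|secret|token|api[_-]?key)\b"
        r"\s*[:=]\s*(\S{6,})", re.I),
}

def redact(value):
    """Keep only enough of a match to locate it; never re-log a secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_case(case_id, body):
    """Return (case_id, kind, redacted_match) for every hit in one case body."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(body):
            # Use the captured secret when the pattern has a group.
            value = m.group(1) if m.groups() else m.group(0)
            findings.append((case_id, kind, redact(value)))
    return findings

def rotation_worklist(cases):
    """Map case id -> sorted credential kinds that need rotation."""
    work = {}
    for case_id, body in cases.items():
        for _, kind, _ in scan_case(case_id, body):
            work.setdefault(case_id, set()).add(kind)
    return {cid: sorted(kinds) for cid, kinds in work.items()}

# Constructed sample cases (the AWS key is the example value from AWS docs).
SAMPLE_CASES = {
    "CASE-0001": "Connector fails. Using key AKIAIOSFODNN7EXAMPLE in us-east-1.",
    "CASE-0002": "Login at acme-xy12345.snowflakecomputing.com, password: Hunter2!x",
    "CASE-0003": "Please reset the dashboard layout for our team.",
}

if __name__ == "__main__":
    for cid, kinds in rotation_worklist(SAMPLE_CASES).items():
        print(cid, "->", ", ".join(kinds))
```

A hit on a Snowflake account URL is not a secret by itself; it flags the case for manual review of any login details nearby.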
What Should Customers Do?
We strongly recommend vigilance for phishing or social engineering attempts using exposed business contact details. Zscaler customers should be aware that no official communication will ever request sensitive credentials through unsolicited outreach. Any suspicious activity should be reported right away.
Commitment to Security
Zscaler remains committed to transparency and security for every customer. Our Customer Success and Security teams are ready to answer any questions or address concerns stemming from this event. We will continue to monitor the situation and provide updates as necessary.



