Data Breach Confirmation by Zscaler
Cybersecurity firm Zscaler has confirmed that it was affected by a wide-reaching supply-chain attack in which customer contact data was exposed through compromised Salesforce credentials tied to the marketing platform Salesloft Drift.
The breach was officially reported on August 31, 2025, and is part of a broader campaign targeting OAuth tokens issued to Salesloft Drift, with repercussions for more than 700 organizations globally.
Zscaler has asserted that the incident was strictly contained within its Salesforce ecosystem and did not compromise any of its essential security offerings, services, or foundational infrastructure.
The security breach emanated from a sophisticated supply-chain attack perpetrated by the threat actor known as UNC6395, which has been under scrutiny by Google’s Threat Intelligence Group and Mandiant analysts since early August 2025.
Between August 8 and August 18, 2025, the attackers systematically compromised OAuth tokens linked to Salesloft Drift, an AI-powered chat agent for sales workflow automation that integrates with Salesforce databases.
UNC6395 used the stolen tokens to authenticate directly to Salesforce customer accounts, bypassing multi-factor authentication entirely, since a valid token is accepted in place of an interactive login. The attackers employed Python-based tools to automate data exfiltration across numerous targeted organizations.
Details of Compromised Information at Zscaler
According to Zscaler’s official communication, the data that was compromised consisted primarily of readily available business contact information and Salesforce-specific content, which included:
- Names and business email addresses
- Job titles and phone numbers
- Regional and location details
- Zscaler product licensing and commercial information
- Plain text content from select support cases (excluding attachments, files, and images)
“Following a thorough investigation, Zscaler has not uncovered any evidence suggesting the misuse of this data,” the company stated. Nonetheless, the breach accentuates the inherent vulnerabilities associated with third-party integrations in contemporary Software as a Service (SaaS) settings.
This incident forms part of what security experts are labeling the largest SaaS breach campaign of 2025. The Google Threat Intelligence Group estimates that the expansive supply-chain attack has affected over 700 organizations.
Initially perceived as exclusively targeting Salesforce integrations, the breadth of the campaign broadened significantly following Google’s confirmation on August 28 that OAuth tokens related to Drift Email had also been compromised, granting attackers limited access to Google Workspace accounts.
The majority of the affected entities are technology and software companies, suggesting potential cascading supply-chain risks.

Zscaler took prompt action to mitigate the incident by revoking Salesloft Drift’s access to its Salesforce data and rotating API access tokens as a precautionary measure. The firm has initiated a comprehensive investigation in collaboration with Salesforce and instituted additional safeguards to avert similar occurrences.
On August 20, 2025, both Salesloft and Salesforce took measures to revoke all active access and refresh tokens tied to the Drift application. Furthermore, Salesforce has temporarily removed the Drift application from its AppExchange marketplace while investigations continue.
This incident highlights critical weaknesses inherent in SaaS-to-SaaS integrations, which often sit outside conventional security controls. A stolen OAuth access or refresh token grants its holder the same API access the integration was originally authorized for, with no password prompt and no MFA challenge, for as long as the token remains valid or until it is revoked.
While no signs of data misuse have surfaced, Zscaler advises its clients to exercise heightened caution against possible phishing attacks or social engineering exploits that may capitalize on the exposed contact details.
The company emphasizes that official Zscaler support will never solicit authentication information through unsolicited communications.
Organizations using third-party SaaS integrations are urged to review all connected applications, revoke unnecessarily broad permissions, and put continuous monitoring in place for unusual query activity or large-scale data extraction.
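The monitoring step above can be made concrete with a small detection pass over a connected-app audit export. The following Python is an added example written for this article, not Zscaler's, Salesforce's or Salesloft's code: the log lines are constructed, and the field names (connected_app, user, operation, object, rows_returned) and the policy values (approved app list, row threshold, sensitive objects) are assumptions chosen to illustrate the three checks the article recommends, not any vendor's real schema or defaults.

```python
"""Flag connected apps that pull unusually large volumes of CRM data.

Added example. The log lines are constructed; the JSON field names are an
assumption about what a SaaS API audit export could look like.
"""
import json
from collections import defaultdict

# Constructed sample export: one JSON event per line, plus a malformed line to
# show that the parser tolerates junk rather than aborting the whole sweep.
SAMPLE_LOG = """
{"timestamp": "2025-08-09T02:11:05Z", "connected_app": "drift-chat", "user": "integration@example.com", "operation": "Query", "object": "Contact", "rows_returned": 2000}
{"timestamp": "2025-08-09T02:11:41Z", "connected_app": "drift-chat", "user": "integration@example.com", "operation": "Query", "object": "Contact", "rows_returned": 2000}
{"timestamp": "2025-08-09T02:12:19Z", "connected_app": "drift-chat", "user": "integration@example.com", "operation": "Query", "object": "Case", "rows_returned": 1500}
{"timestamp": "2025-08-09T02:13:02Z", "connected_app": "drift-chat", "user": "integration@example.com", "operation": "Query", "object": "Account", "rows_returned": 900}
{"timestamp": "2025-08-09T09:00:00Z", "connected_app": "hr-sync", "user": "svc-hr@example.com", "operation": "Query", "object": "User", "rows_returned": 120}
{"timestamp": "2025-08-09T09:30:00Z", "connected_app": "legacy-export", "user": "bob@example.com", "operation": "Query", "object": "Contact", "rows_returned": 40}
this line is not JSON and is skipped
"""

# Policy values (assumptions for the example): the apps the organization
# believes are connected, the per-window row budget, and the objects whose
# contents match the data categories listed in the article.
APPROVED_APPS = {"drift-chat", "hr-sync"}
ROW_THRESHOLD = 5000
SENSITIVE_OBJECTS = {"Contact", "Case", "Account"}


def parse_log(text):
    """Return the well-formed JSON events in an export, skipping bad lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # log noise should not stop the analysis
    return events


def summarize_by_app(events):
    """Aggregate query count, rows returned, objects and users per app."""
    summary = defaultdict(lambda: {"queries": 0, "rows": 0,
                                   "objects": set(), "users": set()})
    for ev in events:
        s = summary[ev.get("connected_app", "?")]
        s["queries"] += 1
        s["rows"] += int(ev.get("rows_returned", 0))
        s["objects"].add(ev.get("object", "?"))
        s["users"].add(ev.get("user", "?"))
    return dict(summary)


def find_alerts(summary, approved=APPROVED_APPS,
                row_threshold=ROW_THRESHOLD, sensitive=SENSITIVE_OBJECTS):
    """Apply the three checks: unknown app, bulk pull, broad sensitive sweep."""
    alerts = []
    for app, s in sorted(summary.items()):
        if app not in approved:
            alerts.append({"app": app, "rule": "unapproved_app",
                           "detail": "not in the reviewed integration list"})
        if s["rows"] >= row_threshold:
            alerts.append({"app": app, "rule": "bulk_extraction",
                           "detail": f"{s['rows']} rows in window"})
        touched = s["objects"] & sensitive
        if len(touched) >= 2:
            alerts.append({"app": app, "rule": "broad_sensitive_sweep",
                           "detail": "objects " + ", ".join(sorted(touched))})
    return alerts


def analyze(text):
    """Convenience wrapper: raw export text in, alert list out."""
    return find_alerts(summarize_by_app(parse_log(text)))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['app']:14} {alert['rule']:22} {alert['detail']}")
```

Run against the constructed sample, the known Drift integration is flagged twice (it pulled 6,400 rows and swept three sensitive objects in a couple of minutes, the pattern of an automated exfiltration rather than a chat workflow), while the unlisted "legacy-export" app is flagged once for not being on the reviewed list, which is exactly the inventory gap the article's first recommendation is meant to close. In production the row threshold should be derived from each app's historical baseline rather than a fixed number, and the time window should be enforced by the query that produces the export.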
Source link: Cybersecuritynews.com.