Zscaler, a cloud security vendor, has confirmed a data breach stemming from a supply-chain attack on one of its third-party SaaS integrations. The breach, disclosed on August 31, 2025, exposed customer contact information after attackers used OAuth tokens stolen from Salesloft Drift, a marketing chat platform connected to Zscaler's Salesforce instance; no Zscaler passwords or Salesforce user credentials were involved. The incident is part of a broader campaign that has impacted over 700 organizations worldwide.
The Breach and Its Mechanism
The attack was carried out by the threat actor Google tracks as UNC6395, whose activity Google's Threat Intelligence Group and Mandiant have followed since early August 2025. Between August 8 and 18, 2025, the actor used OAuth and refresh tokens stolen from Salesloft Drift, an AI-powered chat agent that connects to customers' Salesforce instances through a connected app to automate sales workflows, to query those instances and export data.
OAuth tokens exist so that one application can act on a user's behalf in another without ever seeing the user's password. That is also what makes them worth stealing: the user authenticates, and satisfies multi-factor authentication (MFA), once, when consenting to the integration. From then on the integration holds a refresh token that mints new access tokens with no user present, and the API accepts any unexpired access token as proof of delegated access. An attacker who obtains that token is not so much bypassing MFA as starting after it: there is no login to challenge, and every API call is attributed to the integration's own service user. UNC6395 used Python tooling to run this at scale, pulling data from hundreds of Salesforce instances with the stolen tokens.
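To make the mechanism concrete, here is an added Python illustration (written for this article; it is not Salesforce's, Salesloft's or Zscaler's code, and the client_id "drift", the admin user and the sample Case text are invented). A toy authorization server issues a refresh token only after an interactive, MFA-checked consent, then mints access tokens from that refresh token with no user involved; a toy resource server standing in for a Salesforce instance trusts any unexpired access token. The walk-through in `demo()` shows a stolen refresh token being replayed without any authentication prompt, and then shows why revocation keyed on the connected app, which is what Salesforce and Salesloft did on August 20, cuts the attacker off.

```python
"""Toy OAuth 2.0 server pair illustrating the Drift token-theft mechanism.
Added for this article; not Salesforce, Salesloft or Zscaler code. The
client_id "drift", the admin user and the Case text are invented."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float  # float("inf") for refresh tokens, which do not expire here


class AuthorizationServer:
    ACCESS_TTL = 900  # seconds; illustrative

    def __init__(self):
        self._refresh = {}  # refresh token string -> Token
        self._access = {}   # access token string  -> Token

    def authorize(self, user, mfa_passed, client_id, scopes):
        """Interactive consent: the only step at which MFA is ever checked."""
        if not mfa_passed:
            raise PermissionError("mfa_required")
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = Token(user, client_id, frozenset(scopes), float("inf"))
        return rt

    def refresh(self, refresh_token):
        """refresh_token grant: whoever presents the string gets a new access token.
        No user is present, so there is nothing to challenge with MFA."""
        grant = self._refresh.get(refresh_token)
        if grant is None:
            raise PermissionError("invalid_grant")
        at = secrets.token_urlsafe(32)
        self._access[at] = Token(grant.user, grant.client_id, grant.scopes,
                                 time.time() + self.ACCESS_TTL)
        return at

    def introspect(self, access_token):
        tok = self._access.get(access_token)
        return None if tok is None or tok.expires_at <= time.time() else tok

    def revoke_client(self, client_id):
        """App-wide revocation, as done for Drift on August 20: every refresh and
        access token issued to the connected app dies, across all users."""
        self._refresh = {k: t for k, t in self._refresh.items() if t.client_id != client_id}
        self._access = {k: t for k, t in self._access.items() if t.client_id != client_id}


class ResourceServer:
    """Stands in for a Salesforce instance. Records are constructed sample data."""

    def __init__(self, auth):
        self.auth = auth
        self.objects = {"Case": ["VPN tunnel down since 09:00",
                                 "here is the API key you asked for: sk_example_123"]}

    def query(self, access_token, sobject):
        tok = self.auth.introspect(access_token)
        if tok is None:
            raise PermissionError("INVALID_SESSION_ID")
        if "api" not in tok.scopes:
            raise PermissionError("insufficient_scope")
        return list(self.objects[sobject])


def demo():
    """Walk through consent, normal use, token theft, and app-wide revocation."""
    auth = AuthorizationServer()
    sf = ResourceServer(auth)
    # 1. An admin installs the integration once and passes MFA at consent time.
    drift_rt = auth.authorize("admin@example.com", True, "drift", {"api", "refresh_token"})
    # 2. Normal operation: the integration refreshes and queries on its own.
    sf.query(auth.refresh(drift_rt), "Case")
    # 3. The refresh token leaks from the vendor. The attacker replays it: no
    #    password, no MFA prompt, and the API sees only "the integration".
    stolen_rt = drift_rt
    stolen_at = auth.refresh(stolen_rt)
    out = {"attacker_rows_before_revoke": len(sf.query(stolen_at, "Case"))}
    # 4. Containment keyed on the connected app, not on any one user.
    auth.revoke_client("drift")
    for name, call in (("refresh_after_revoke", lambda: auth.refresh(stolen_rt)),
                       ("old_token_after_revoke", lambda: sf.query(stolen_at, "Case"))):
        try:
            call()
            out[name] = "ok"
        except PermissionError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the walk-through is the containment step: resetting the admin's password or forcing a logout would not have touched the refresh token held by the vendor, because that token was never tied to a session. What works is revoking the connected app's tokens, which Salesforce did platform-wide and Zscaler did for its own tenant.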
Information Compromised at Zscaler
According to Zscaler’s official statement, the compromised data was limited to commonly available business contact details and Salesforce-specific content, including:
– Names and business email addresses
– Job titles and phone numbers
– Regional and location details
– Zscaler product licensing and commercial information
– Plain text content from certain support cases (excluding attachments, files, and images)
Zscaler emphasized that the incident was confined to its Salesforce environment and did not touch any of its core security products, services, or underlying infrastructure, and that its investigation has found no evidence the information has been misused. The support-case text is the item that deserves the most scrutiny: customers routinely paste configuration details and credentials into tickets, and Google reported that UNC6395 searched the data it took across this campaign for exactly such secrets. Customers who have shared credentials in a Zscaler support case should rotate them rather than wait for evidence of misuse. More broadly, the breach shows how a third-party SaaS integration can become the weakest link in an otherwise well-defended environment.
Broader Implications and Industry Impact
The Zscaler incident is part of what security researchers are calling the largest SaaS breach campaign of 2025. Google's Threat Intelligence Group estimates that over 700 organizations have been impacted. Initially believed to involve only the Drift connected app for Salesforce, the campaign's scope widened on August 28 when Google confirmed that OAuth tokens for Drift Email had also been taken, giving the actor access to a small number of Google Workspace accounts, specifically those that had been integrated with Drift Email. Most victims are technology and software companies, creating potential cascading supply-chain risks.
The incident exposes a structural weakness of SaaS-to-SaaS integrations: they sit outside the controls that protect human logins. A stolen refresh token yields new access tokens for as long as it remains valid; there is no password to reset and no MFA prompt to fail, and the resulting API activity is attributed to the integration's own service user, so login-anomaly alerting tuned to human behaviour does not fire. Organizations need to treat these integrations as privileged identities: inventory them, limit what each one can read, and watch what each one actually does.
Zscaler’s Response and Mitigation Measures
In response to the breach, Zscaler acted swiftly to contain the incident by revoking Salesloft Drift’s access to its Salesforce data and rotating API access tokens as a precautionary measure. The company launched a comprehensive investigation in collaboration with Salesforce and implemented additional safeguards to prevent similar incidents in the future.
On August 20, 2025, Salesloft and Salesforce revoked all active access and refresh tokens issued to the Drift connected app, and Salesforce removed Drift from its AppExchange marketplace pending further investigation. Revocation stops further use of the stolen tokens; it does not recover data already exported between August 8 and 18, which is why affected customers still need to treat the exposed information as compromised.
Recommendations for Organizations
While no evidence of data misuse has been found, Zscaler urges customers to maintain heightened vigilance against potential phishing attacks or social engineering attempts that could leverage the exposed contact details. The company emphasizes that official Zscaler support will never request authentication details through unsolicited communications.
Organizations using third-party SaaS integrations are advised to:
– Review all connected applications and revoke broad or unused permissions. In Salesforce, the Connected Apps OAuth Usage page in Setup lists every app that holds tokens and how many users authorized it; an integration that only needs to read leads should not hold a full-access scope.
– Monitor API activity for unusual query patterns or large-scale exports, for example with Salesforce Event Monitoring. A connected app whose hourly row counts jump by orders of magnitude, or that suddenly appears with a new user agent or source IP, warrants investigation.
– Rotate any API keys or credentials that live inside Salesforce data (support cases, notes, custom fields), since those are what an attacker with read access goes looking for, and restrict connected apps to known IP ranges where the platform supports it.
– Educate employees about the risks of phishing and social engineering attacks.
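The monitoring recommendation above is the one most often left abstract, so here is an added Python example of what it looks like in practice (written for this article; not code from Zscaler, Salesforce or Google). The sample log is constructed: its columns follow the shape of Salesforce's EventLogFile "API" event type as documented (treat the exact field set as an assumption), while the users, apps, IPs, row counts and thresholds are invented. The scripting user agent in the sample reflects the Python tooling the article describes, not a published indicator. Two checks run over the sample: an hourly export-volume check per connected app, and a baseline comparison that flags a connected app presenting a user agent or source IP it has never used before.

```python
"""Two detections over Salesforce EventLogFile-style API events.
Added example for this article, not code from Zscaler, Salesforce or Google.
SAMPLE_LOG is constructed: the columns follow the EventLogFile "API" event
type as documented (treat the exact field set as an assumption); the users,
apps, IPs and row counts are invented. The python-requests user agent is
there because the article reports Python tooling, not as a published IOC."""
import csv
import io
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED,USER_AGENT,CLIENT_IP
2025-08-09T01:02:11.000Z,drift.integration@example.com,Drift,query,Lead,40,Drift-Connector/2.3,198.51.100.10
2025-08-09T09:15:43.000Z,drift.integration@example.com,Drift,query,Contact,55,Drift-Connector/2.3,198.51.100.10
2025-08-10T02:00:01.000Z,drift.integration@example.com,Drift,query,Account,2000,python-requests/2.32.4,203.0.113.7
2025-08-10T02:00:05.000Z,drift.integration@example.com,Drift,queryMore,Account,2000,python-requests/2.32.4,203.0.113.7
2025-08-10T02:00:09.000Z,drift.integration@example.com,Drift,query,Case,2000,python-requests/2.32.4,203.0.113.7
2025-08-10T02:00:14.000Z,drift.integration@example.com,Drift,queryMore,Case,2000,python-requests/2.32.4,203.0.113.7
2025-08-10T10:30:00.000Z,alice@example.com,Salesforce for iOS,retrieve,Contact,1,SalesforceMobile/252,192.0.2.44
"""

BULK_READ_METHODS = {"query", "queryMore", "retrieve"}
SCRIPTED_UA_MARKERS = ("python", "aiohttp", "curl/", "go-http-client")


def parse_events(text):
    """Parse CSV text into dicts, adding a datetime and an int row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        row["rows"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return events


def export_bursts(events, row_threshold=5000):
    """Sum ROWS_PROCESSED over bulk-read calls per (connected app, user, UTC hour)
    and return the hours at or above the threshold, with the objects touched."""
    totals, objects = defaultdict(int), defaultdict(set)
    for e in events:
        if e["METHOD_NAME"] not in BULK_READ_METHODS:
            continue
        key = (e["CLIENT_NAME"], e["USER_NAME"], e["ts"].strftime("%Y-%m-%dT%H:00Z"))
        totals[key] += e["rows"]
        objects[key].add(e["ENTITY_NAME"])
    return [{"client": c, "user": u, "hour": h, "rows": n, "objects": sorted(objects[(c, u, h)])}
            for (c, u, h), n in sorted(totals.items()) if n >= row_threshold]


def new_fingerprints(events, baseline_until):
    """For each connected app seen before baseline_until, report user agents and
    source IPs that first appear afterwards. Apps with no baseline are skipped:
    with nothing to compare against, a 'new' fingerprint would only be noise."""
    known_ua, known_ip = defaultdict(set), defaultdict(set)
    for e in events:
        if e["ts"] < baseline_until:
            known_ua[e["CLIENT_NAME"]].add(e["USER_AGENT"])
            known_ip[e["CLIENT_NAME"]].add(e["CLIENT_IP"])
    findings = {}
    for e in events:
        app = e["CLIENT_NAME"]
        if e["ts"] < baseline_until or app not in known_ua:
            continue
        ua_new = e["USER_AGENT"] not in known_ua[app]
        ip_new = e["CLIENT_IP"] not in known_ip[app]
        if not (ua_new or ip_new):
            continue
        f = findings.setdefault(app, {"user_agents": set(), "ips": set(), "scripted": False})
        if ua_new:
            f["user_agents"].add(e["USER_AGENT"])
        if ip_new:
            f["ips"].add(e["CLIENT_IP"])
        if any(m in e["USER_AGENT"].lower() for m in SCRIPTED_UA_MARKERS):
            f["scripted"] = True
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for b in export_bursts(events):
        print(f"EXPORT BURST {b['client']} as {b['user']} at {b['hour']}: "
              f"{b['rows']} rows from {', '.join(b['objects'])}")
    for app, f in new_fingerprints(events, datetime(2025, 8, 10)).items():
        print(f"NEW FINGERPRINT {app}: ua={sorted(f['user_agents'])} "
              f"ip={sorted(f['ips'])} scripted={f['scripted']}")
```

On the sample, the Drift service user's early-morning pull of Account and Case rows trips the volume check, and the same app's switch to a python-requests user agent from a new address trips the fingerprint check, while the mobile app that has no baseline is deliberately ignored. In production the threshold should come from each app's own history rather than a constant, and the events would come from the EventLogFile API or a SIEM feed rather than an inline string.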
By taking these proactive measures, organizations can enhance their security posture and reduce the risk of similar supply-chain attacks in the future.
Conclusion
The Zscaler data breach is a reminder that an organization's security perimeter now includes every vendor holding a token into its SaaS tenants. Those tokens are standing credentials: they should be inventoried like service accounts, scoped to the minimum the integration needs, monitored for changes in behaviour, and revoked the moment a vendor reports a compromise. Contact data and support-case text may look low-value on their own, but they are exactly what fuels the phishing and credential hunting that follow a campaign like this one.