
Cybersecurity company Zscaler has confirmed it suffered a data breach after attackers exploited stolen credentials from Salesloft Drift, an AI chat integration for Salesforce, to access its customer support data.
In an advisory, Zscaler said its Salesforce instance was compromised during a broader supply-chain attack that has impacted multiple organizations. The attackers gained access using OAuth and refresh tokens linked to Drift, enabling them to infiltrate Salesforce environments and exfiltrate sensitive information.
“As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler,” the company stated. “Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some of Zscaler’s Salesforce information.”
The exposed data includes names, business email addresses, job titles, phone numbers, regional details, product licensing information, commercial records, and content from certain support cases. Zscaler emphasized that the breach was limited to Salesforce and did not affect its products, services, or infrastructure.
While the company said it has seen no evidence of misuse, it urged customers to remain vigilant against phishing and social engineering attempts. As part of its response, Zscaler has revoked all Drift integrations, rotated API tokens, and strengthened authentication protocols for customer support interactions.
The incident comes just days after Google’s Threat Intelligence Group attributed the campaign to a threat actor tracked as UNC6395. According to Google, the attackers targeted sensitive credentials such as Amazon Web Services access keys, passwords, and Snowflake-related tokens by stealing them from customer support cases. The group also demonstrated operational awareness by deleting query jobs in Salesforce to cover its tracks.
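Because the attackers harvested AWS keys, passwords and tokens that customers had pasted into support cases, a defender's first question is whether their own case data contains such material. The scanner below is an added example, not code from Zscaler, Salesloft or Google; it runs a few heuristic patterns over a constructed support-case body (the AWS values are AWS's published documentation placeholders, the token is made up) and reports only a redacted prefix of each hit, so the scan log itself never becomes a second copy of the secret.

```python
"""Flag credentials left in support-case text so they can be purged and rotated.

Added example, not part of the article or any vendor's product. The AWS access
key ID pattern follows AWS's documented AKIA/ASIA prefix format; the other
patterns are keyword heuristics and would need tuning for a real ticket system.
"""
import re
from dataclasses import dataclass

# Constructed sample support-case body. The AKIA/secret pair is the example
# pair from AWS documentation; "tok_constructed_..." is a made-up placeholder.
SAMPLE_CASE_BODY = """\
Hi team, the connector fails after we rotated creds.
Our AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE and
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Also the Snowflake login still uses password: Winter2025!
Let me know if you need the api_token = tok_constructed_0123456789
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern fired
    line: int       # 1-based line number within the case body
    redacted: str   # short prefix of the value; the full secret is never stored


# Each pattern captures the secret value in group 1.
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})", re.IGNORECASE)),
    ("password",
     re.compile(r"\bpassword\s*[:=]\s*(\S+)", re.IGNORECASE)),
    ("token",
     re.compile(r"\b(?:api[_-]?token|access_token|refresh_token|token)\s*[:=]\s*(\S+)",
                re.IGNORECASE)),
]


def redact(value: str) -> str:
    """Keep only a 4-character prefix so a human can identify which key leaked."""
    return value[:4] + "…[redacted]"


def scan_case(body: str) -> list[Finding]:
    """Return one Finding per secret-looking value, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(1))))
    return findings


def case_needs_rotation(body: str) -> bool:
    """True when the case should be routed for secret purge and credential rotation."""
    return bool(scan_case(body))


if __name__ == "__main__":
    for f in scan_case(SAMPLE_CASE_BODY):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Any hit means the case should be scrubbed and the credential rotated, regardless of whether the support system was ever breached; the point of running this before an incident is that a later Salesforce compromise then yields nothing usable.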
Researchers have linked the attack to the ShinyHunters extortion group, which has carried out a wave of social engineering campaigns against Salesforce customers throughout 2025. These often involve voice phishing calls to trick employees into authorizing malicious OAuth applications, giving attackers a direct channel to steal databases.
Since June, the same campaign has been tied to breaches at several major companies, including Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. Both Google and Salesforce have disabled their Drift integrations until the investigation is complete.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543