Zscaler

Zscaler disclosed it was impacted by the Salesloft Drift breach, where threat actors (UNC6395) exploited compromised OAuth tokens to gain unauthorized access to its Salesforce instance. The attackers exfiltrated customer information, including business contact details (names, email addresses, job titles, phone numbers, regional/location data) and Salesforce-related content such as plain-text support case details (excluding attachments, files, or images). Additionally, Zscaler product licensing and commercial information was accessed. While no evidence of misuse has been detected yet, the breach exposed sensitive corporate and client data, raising concerns over potential phishing, fraud, or targeted attacks leveraging the stolen information. Zscaler revoked Salesloft Drift’s access and rotated API tokens to mitigate further risk. The incident stems from a broader campaign where attackers abused Drift integrations to target multiple organizations via Salesforce.

Source: https://thehackernews.com/2025/08/google-warns-salesloft-oauth-breach.html

TPRM report: https://www.rankiteo.com/company/zscaler

{
  "id": "zsc918090225",
  "linkid": "zscaler",
  "type": "Breach",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Small number of Google Workspace accounts (specific to Drift integration)",
      "industry": "Cloud Services/Email",
      "location": "Global",
      "name": "Google (Google Workspace users with Drift Email integration)",
      "size": "Large",
      "type": "Technology"
    },
    {
      "customers_affected": "Points of contact with business details in Salesforce",
      "industry": "Cybersecurity",
      "location": "Global (HQ: San Jose, CA, USA)",
      "name": "Zscaler",
      "size": "Large",
      "type": "Public Company"
    },
    {
      "customers_affected": "All users of Salesloft Drift integrations (potential token compromise)",
      "industry": "Multiple (Sales/CRM users)",
      "location": "Global",
      "name": "Salesloft Drift Customers",
      "size": "Varies",
      "type": "B2B Organizations"
    }
  ],
  "attack_vector": [
    "Compromised OAuth Tokens",
    "Third-Party Integration Exploitation (Salesloft Drift)"
  ],
  "customer_advisories": [
    "Review all third-party integrations connected to Drift",
    "Revoke and rotate credentials for Drift-linked applications",
    "Monitor for unauthorized access in connected systems"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["Text-based support case content"],
    "sensitivity_of_data": "Moderate (business-sensitive but no PII like SSNs or payment info)",
    "type_of_data_compromised": [
      "Business contact details",
      "Salesforce support case content (plain text, no attachments)",
      "Product licensing/commercial information"
    ]
  },
  "date_detected": "2025-08-08",
  "date_publicly_disclosed": "2025-09-02",
  "description": "Google revealed that attacks targeting Salesforce instances via Salesloft Drift are broader than initially thought, impacting all integrations. Threat actors (UNC6395) leveraged compromised OAuth tokens to access Google Workspace email accounts (August 9, 2025) and Salesforce instances (August 8–18, 2025). Zscaler confirmed its Salesforce instance was breached, with customer data (e.g., names, emails, job titles, support case content) stolen. Google and Salesforce revoked tokens and disabled integrations; no evidence of misuse yet, but investigations are ongoing.",
  "impact": {
    "brand_reputation_impact": "Potential reputational harm due to exposure of customer data and third-party vulnerabilities",
    "data_compromised": [
      "Business contact details (names, emails, job titles, phone numbers, regional/location details)",
      "Salesforce content (Zscaler product licensing/commercial info, plain-text support case content)"
    ],
    "identity_theft_risk": "Low (limited to business contact details)",
    "operational_impact": [
      "Temporary disablement of Salesloft integrations (Salesforce, Slack, Pardot)",
      "Revocation/rotation of OAuth tokens and API credentials"
    ],
    "systems_affected": [
      "Salesforce instances (via Drift integration)",
      "Google Workspace email accounts (via Drift Email integration)",
      "Zscaler Salesforce instance"
    ]
  },
  "initial_access_broker": {
    "entry_point": "Compromised OAuth tokens for Salesloft Drift integrations",
    "high_value_targets": ["Salesforce instances", "Google Workspace email accounts"]
  },
  "investigation_status": "Ongoing (as of September 2, 2025)",
  "lessons_learned": [
    "Risks of third-party OAuth integrations as attack vectors",
    "Need for proactive token rotation and access reviews",
    "Importance of isolating high-value integrations (e.g., Salesforce, email)"
  ],
  "motivation": ["Data Theft", "Opportunistic Access"],
  "post_incident_analysis": {
    "root_causes": [
      "Insufficient protection of OAuth tokens in Salesloft Drift",
      "Lack of segmentation between third-party integrations and core systems (e.g., Salesforce)"
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Audit and minimize third-party OAuth integrations",
    "Implement stricter token expiration policies",
    "Monitor for anomalous access patterns in connected apps",
    "Segment critical systems (e.g., Salesforce) from less secure integrations"
  ],
  "references": [
    {"date_accessed": "2025-09-02", "source": "Google Threat Intelligence Group (GTIG) and Mandiant Advisory"},
    {"date_accessed": "2025-09-02", "source": "Zscaler Breach Disclosure"},
    {"date_accessed": "2025-08-18", "source": "Salesloft Statement on Integration Disablement"}
  ],
  "response": {
    "communication_strategy": [
      "Public advisories from Google, Salesloft, and Zscaler",
      "Direct notifications to impacted users"
    ],
    "containment_measures": [
      "Revoked OAuth tokens for Drift Email integration",
      "Disabled Google Workspace–Salesloft Drift integration",
      "Salesforce temporarily disabled all Salesloft integrations"
    ],
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Advisory for customers to revoke/rotate credentials for all Drift-connected apps",
      "Investigation of connected systems for unauthorized access",
      "Zscaler revoked Salesloft Drift’s access to its Salesforce data"
    ],
    "third_party_assistance": ["Google Threat Intelligence Group (GTIG)", "Mandiant"]
  },
  "stakeholder_advisories": [
    "Google: Revoke tokens, disable Drift integrations, investigate systems",
    "Salesloft: No evidence of malicious activity in integrations (as of update)",
    "Zscaler: No evidence of data misuse; rotated API tokens"
  ],
  "threat_actor": "UNC6395 (emerging activity cluster)",
  "title": "Widespread OAuth Token Compromise via Salesloft Drift Affecting Salesforce, Google Workspace, and Zscaler",
  "type": ["Data Breach", "Unauthorized Access", "OAuth Token Compromise"],
  "vulnerability_exploited": "Weakness in OAuth token security for Salesloft Drift integrations"
}