Zscaler Confirms Breach in Salesloft Drift Supply-Chain Attack

Zscaler, a leading name in cloud security, has confirmed a data breach after attackers exploited Salesloft Drift, a sales and marketing integration tied to Salesforce. Between August 8 and 18, the threat group UNC6395 stole OAuth tokens from Drift and used them to quietly access Salesforce data at more than 700 organizations worldwide.

In its disclosure, Zscaler admitted, “As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information.” 

What Was Exposed, and Why It’s Risky

The company confirmed its core infrastructure and services were untouched. Zscaler noted, “After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information.” What the attackers actually accessed was:

  • Business contact details (names, emails, phone numbers, job titles, regions)
  • Licensing and commercial information tied to Zscaler products
  • Plain-text notes from certain support cases (but no attachments or files)

The stolen data may not include passwords or financial information, but it does contain the kind of details attackers can turn into convincing phishing emails, for instance a fake ‘Zscaler Support’ message that references a real case ID. That makes targeted phishing the most immediate risk for customers and employees.

How the Attack Worked

OAuth tokens, meant to make app integrations seamless, became the weak link. Once stolen, these tokens sidestepped MFA entirely, since a valid bearer token is accepted without any login prompt, and acted like skeleton keys to Salesforce accounts. UNC6395 ran structured SOQL queries against Salesforce objects like Cases, Accounts, Users, and Opportunities, exfiltrated the data, and even deleted the query jobs to stay under the radar.

Logs preserved the traces, but the attack was methodical and stealthy. Google confirmed the fallout extended beyond Salesforce. Tokens for the Drift Email integration were also compromised, giving attackers limited access to some Google Workspace accounts. This expanded the potential phishing surface, as attackers could target both Salesforce users and Workspace users with insider-level accuracy.
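The behaviour described above (bulk query jobs against sensitive Salesforce objects, large result sets, then deletion of the job) is exactly the kind of sequence a defender can hunt for in API event logs. The following is an added example, not code from the article, from Zscaler or from Salesforce: it runs a simple correlation over a constructed, simplified event log. The event fields, app names, user names and job IDs are all assumptions made for illustration and do not match the real Salesforce EventLogFile schema.

```python
from collections import defaultdict
from dataclasses import dataclass

# Salesforce objects the article says UNC6395 queried.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}


@dataclass
class ApiEvent:
    """One simplified API event. Field names are an assumption for this
    example, not the real Salesforce EventLogFile schema."""
    ts: str
    connected_app: str
    user: str
    action: str        # "CreateJob", "QueryResult" or "DeleteJob"
    sobject: str
    job_id: str
    rows: int = 0      # rows returned; only meaningful for QueryResult


# Constructed sample log for this example; not real data from any incident.
SAMPLE_EVENTS = [
    # Pattern from the article: big pull from Case, then the job is deleted.
    ApiEvent("2025-08-09T02:11:04Z", "Drift", "integration@example.com", "CreateJob", "Case", "750A"),
    ApiEvent("2025-08-09T02:11:09Z", "Drift", "integration@example.com", "QueryResult", "Case", "750A", 48213),
    ApiEvent("2025-08-09T02:12:30Z", "Drift", "integration@example.com", "DeleteJob", "Case", "750A"),
    # Same pattern against Account.
    ApiEvent("2025-08-09T02:13:02Z", "Drift", "integration@example.com", "CreateJob", "Account", "750B"),
    ApiEvent("2025-08-09T02:13:40Z", "Drift", "integration@example.com", "QueryResult", "Account", "750B", 9120),
    ApiEvent("2025-08-09T02:14:01Z", "Drift", "integration@example.com", "DeleteJob", "Account", "750B"),
    # Benign: the app's routine sync reads Lead and leaves the job in place.
    ApiEvent("2025-08-09T03:00:00Z", "Drift", "integration@example.com", "CreateJob", "Lead", "750C"),
    ApiEvent("2025-08-09T03:00:05Z", "Drift", "integration@example.com", "QueryResult", "Lead", "750C", 300),
    # Benign: an analyst's Case report through another app, job not deleted.
    ApiEvent("2025-08-09T09:30:00Z", "Reporting", "analyst@example.com", "CreateJob", "Case", "750D"),
    ApiEvent("2025-08-09T09:30:20Z", "Reporting", "analyst@example.com", "QueryResult", "Case", "750D", 120),
    # Edge case: sensitive object and deleted job, but tiny result set.
    ApiEvent("2025-08-09T10:00:00Z", "Drift", "integration@example.com", "CreateJob", "Case", "750E"),
    ApiEvent("2025-08-09T10:00:03Z", "Drift", "integration@example.com", "QueryResult", "Case", "750E", 40),
    ApiEvent("2025-08-09T10:00:10Z", "Drift", "integration@example.com", "DeleteJob", "Case", "750E"),
]


def find_suspicious_jobs(events, row_threshold=1000):
    """Correlate events per job_id and return the jobs that touched a
    sensitive object, returned more than row_threshold rows in total,
    and were then deleted. Each hit carries app, user, object and row count."""
    jobs = {}
    for e in events:
        j = jobs.setdefault(e.job_id, {"app": e.connected_app, "user": e.user,
                                       "sobject": e.sobject, "rows": 0, "deleted": False})
        if e.action == "QueryResult":
            j["rows"] += e.rows
        elif e.action == "DeleteJob":
            j["deleted"] = True
    return [
        {"job_id": jid, **j}
        for jid, j in jobs.items()
        if j["sobject"] in SENSITIVE_OBJECTS and j["deleted"] and j["rows"] > row_threshold
    ]


def summarize_by_app(hits):
    """Roll hits up per connected app: how many jobs, how many rows,
    which objects. This is what an analyst would pivot on before revoking
    an app's tokens."""
    summary = defaultdict(lambda: {"jobs": 0, "rows": 0, "objects": set()})
    for h in hits:
        s = summary[h["app"]]
        s["jobs"] += 1
        s["rows"] += h["rows"]
        s["objects"].add(h["sobject"])
    return dict(summary)


if __name__ == "__main__":
    hits = find_suspicious_jobs(SAMPLE_EVENTS)
    for app, s in summarize_by_app(hits).items():
        print(f"{app}: {s['jobs']} deleted bulk query jobs, {s['rows']} rows, "
              f"objects={sorted(s['objects'])}")
```

The row threshold is the tunable part: a connected app legitimately reading a handful of records and tidying up its job looks nothing like an app pulling tens of thousands of Case or Account rows and then erasing the job, and the sample includes both so the rule's boundary is visible. In a real deployment the same correlation would be fed from Salesforce Event Monitoring exports rather than the constructed list above.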

Zscaler’s Response

Once the breach was detected, Zscaler took several steps to contain and mitigate:

  • Cut off Drift’s access to its Salesforce environment
  • Rotated all tokens and API keys
  • Launched a joint investigation with Salesforce
  • Applied stricter controls on all third-party integrations
  • Tightened verification steps for its support teams to reduce the risk of phishing and social engineering

The Bigger Fallout

This wasn’t just Zscaler’s problem. Salesloft revoked all Drift OAuth tokens, pulled Drift from the Salesforce AppExchange, and engaged Mandiant to investigate. Google’s Threat Intelligence Group advised every Drift customer to treat all tokens as compromised.

Across the campaign, attackers didn’t just gather contacts. Reports confirm they also stole AWS access keys, Snowflake tokens, and passwords from some Salesforce instances. That pushes the incident from an “annoying breach” into potentially one of the largest SaaS supply-chain attacks of the year.

Why This Matters for Everyone

  • Phishing risk is immediate. Exposed contact details + case notes = perfect bait for fake support emails.
  • OAuth tokens are dangerous when stolen. They bypass MFA and stay valid until revoked.
  • Third-party integrations expand the blast radius. Salesforce, Google Workspace, and other SaaS platforms were touched in one sweep.
  • Attackers are patient. UNC6395 didn’t smash and grab; they queried, exfiltrated, and covered tracks with discipline.

Final Word

Zscaler’s core systems may be safe, but this breach proves that phishing doesn’t need passwords to succeed. With the right names, titles, and case histories, attackers can trick even cautious employees.

The lesson for enterprises is clear: audit every integration, rotate tokens regularly, and treat app-to-app trust with the same suspicion as external logins. The lesson for users is even simpler: don’t assume every “support” email is real, no matter how convincing it looks. 

Author: Anas Hasan

Date: September 2, 2025


Anas Hassan is a tech geek and cybersecurity enthusiast with vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football.
