Cybersecurity company Zscaler has confirmed it fell victim to a widespread supply-chain attack that exposed customer contact information through compromised Salesforce credentials linked to marketing platform Salesloft Drift.
The breach, disclosed on August 31, 2025, stems from a larger campaign targeting Salesloft Drift’s OAuth tokens that has impacted over 700 organizations worldwide.
Zscaler emphasized that the incident was confined to its Salesforce environment and did not affect any of its core security products, services, or underlying infrastructure.
The security incident originated from a sophisticated supply-chain attack orchestrated by threat actor UNC6395, which Google Threat Intelligence Group and Mandiant researchers have been tracking since early August 2025.
Between August 8 and 18, 2025, attackers systematically compromised OAuth tokens associated with Salesloft Drift, an AI-powered chat agent integrated with Salesforce databases for sales workflow automation.
UNC6395 demonstrated advanced operational capabilities by using these stolen tokens to authenticate directly into Salesforce customer instances, bypassing multi-factor authentication entirely. The threat actors employed Python tools to automate the data theft process across hundreds of targeted organizations.
Source: Cybersecurity News