320/68 Wednesday, September 3, 2025

Cybersecurity firm Zscaler has issued a statement confirming a data breach after attackers gained access to the company’s Salesforce instance and stole customer information stored in support cases. The incident was linked to the compromise of Salesloft Drift, an AI chat agent integrated with Salesforce: the attackers abused the integration to obtain OAuth access and refresh tokens, then used those tokens to read customer Salesforce environments without authorization.
According to Zscaler, the exposed data includes names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and usage information, and portions of support case content. The company stated that the breach was limited to its Salesforce instance and did not affect Zscaler’s core products, services, or infrastructure. No evidence of misuse has been found so far, but customers have been advised to stay alert to phishing and social engineering attempts that could draw on the leaked details, since the stolen records give an attacker a real name, role, phone number, product list and the wording of an open support ticket to impersonate.

As part of its response, Zscaler has revoked all Drift integrations, rotated API tokens, and strengthened authentication for customer support interactions.

The Google Threat Intelligence Group (GTIG) attributed the campaign to the threat actor UNC6395, which searched the stolen Salesforce data for AWS access key IDs (strings beginning with AKIA), passwords, Snowflake access tokens and other secrets, and deleted its query jobs to hinder detection. The compromise also extended to Drift Email, the product used to connect email and CRM data, prompting Google and Salesforce to temporarily suspend Drift integrations to contain the damage.
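The practical question this raises for any Salesforce customer is which credentials were sitting in their own support case text, since those are what UNC6395 was mining. The scanner below is an added example, not Zscaler's or Salesforce's code: it takes exported case bodies (the records here are constructed) and flags AWS access key IDs, password assignments and long opaque token values, dropping low-entropy placeholders so the list is short enough to act on. The regexes and the entropy threshold are this example's assumptions, not a complete secret grammar.

```python
"""Scan exported support-case text for the credential types the article says
UNC6395 harvested (AWS access key IDs, passwords, opaque tokens).
Added example, not Zscaler's or Salesforce's code; sample cases are constructed
and the patterns below are this example's assumptions."""
import math
import re
from collections import Counter

# Patterns are assumptions for this example, not an exhaustive secret grammar.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Password assignments such as "password=hunter2" or "pwd: S3cret!".
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    # Token assignments (covers Snowflake/OAuth-style bearer and refresh tokens).
    "token_assignment": re.compile(
        r"(?i)\b(?:token|refresh_token|access_token)\s*[:=]\s*['\"]?([A-Za-z0-9._\-+/=]{16,})"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; opaque tokens score high, prose scores low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(case_id: str, text: str, entropy_floor: float = 3.5):
    """Return (case_id, kind, secret) tuples found in one case body.

    Token-like matches below the entropy floor (e.g. REPLACE_ME placeholders)
    are dropped to cut noise; AKIA ids and password values are always reported.
    """
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            secret = m.group(1)
            if kind == "token_assignment" and shannon_entropy(secret) < entropy_floor:
                continue
            hits.append((case_id, kind, secret))
    return hits


def scan_cases(cases):
    """cases: iterable of (case_id, description) pairs, e.g. from a Case export."""
    findings = []
    for case_id, text in cases:
        findings.extend(find_secrets(case_id, text))
    return findings


# Constructed sample support cases (not real data; the AKIA value is the
# documented AWS example key, not a live credential).
SAMPLE_CASES = [
    ("00001", "Customer cannot log in to the admin portal; screenshots attached."),
    ("00002", "Connector fails. Our creds: AKIAIOSFODNN7EXAMPLE / password=Tr0ub4dor&3 "
              "region=us-east-1"),
    ("00003", "Snowflake stage auth error, access_token=eyJhbGciOiJIUzI1NiJ9.c2FsdA.5x9Q "
              "please advise"),
    ("00004", "Docs say token=REPLACE_ME_REPLACE_ME then run the script"),
]

if __name__ == "__main__":
    for case_id, kind, secret in scan_cases(SAMPLE_CASES):
        # Print only a prefix: the report itself should not become another leak.
        print(f"case {case_id}: {kind}: {secret[:4]}... (rotate this credential)")
```

Every hit is a credential to rotate, not just to redact: the attacker already has the original text, so cleaning the case record after the fact changes nothing. Run the same scan over the stolen data's other homes (ticketing mirrors, chat transcripts synced into the CRM) before deciding the exposure is limited to what Salesforce held.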
Security researchers further noted that the campaign may be connected to the ShinyHunters group, which has previously targeted Salesforce using voice phishing (vishing) tactics to trick employees into connecting malicious OAuth apps to corporate Salesforce instances, enabling database theft and extortion. Since June 2025, several major global organizations have suffered similar attacks.