Red Hot Cyber


Zscaler Suffers Data Breach: Supply Chain Attack Via Salesloft Drift

Redazione RHC : 2 September 2025 10:35

Security vendor Zscaler has officially confirmed that it was a victim of a supply chain breach that exposed customer contact data. The attackers did not reach Zscaler's own systems: they used OAuth tokens issued to the Salesloft Drift marketing integration to read data from Zscaler's Salesforce instance. The incident, disclosed on August 31, 2025, is part of a broader campaign against Salesloft Drift OAuth tokens that reportedly affected over 700 organizations worldwide.

The breach stems from a wider supply chain attack on Salesloft Drift in which threat actors stole OAuth access and refresh tokens. Because those tokens had been authorized against the Salesforce instances of Drift's customers, they granted the attackers unauthorized access to Salesforce data and allowed sensitive information to be exfiltrated. In its advisory, Zscaler confirmed that its own Salesforce instance was among those affected.

“As part of this campaign, unauthorized individuals gained access to the Salesloft Drift credentials of its customers, including Zscaler,” the company said. “Following a detailed analysis, we determined that these credentials allowed limited access to certain Salesforce data.”

The exposed information is as follows:

  • customer names
  • company email addresses
  • job titles
  • phone numbers
  • regional/location details
  • product licensing and commercial details
  • content from selected customer support cases

Zscaler states that the breach was confined to its Salesforce instance and that its products, infrastructure and services were not affected. Although no misuse of the data has been observed so far, the company recommends that customers remain alert to phishing or social engineering attempts that exploit the exposed contact details.

Zscaler has taken several containment measures: it revoked all Salesloft Drift integrations with Salesforce, rotated API tokens to prevent further abuse and, to reduce the risk of social engineering, added stronger customer-authentication steps to its support calls. The company also confirmed that the investigation is ongoing to establish the full extent of the compromise and to review the security of its third-party integrations.

Google Threat Intelligence has attributed the Drift compromise to the actor it tracks as UNC6395. The group used the stolen tokens to export Salesforce support case data and then mined it for secrets that customers had pasted into tickets, including credentials, AWS access keys and Snowflake tokens. According to the researchers, the attackers showed some operational security awareness, deleting their query jobs to cover their tracks, although the underlying logs remained available for forensic analysis. The campaign was not limited to the Drift–Salesforce integration: the attackers also compromised Drift Email, gaining access to CRM and marketing-automation data and using the stolen OAuth tokens to reach Google Workspace accounts and read corporate email.
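A practical follow-up for any organization whose Salesforce support cases may have been read in this way is to find out which tickets actually contained secrets, so that the owners can rotate them. The Python script below is an added example, not code from the article, from Zscaler or from Google: it scans support case bodies for common credential formats (AWS access key IDs, keyword-anchored 40-character AWS secret keys, GitHub personal access tokens and `password=` assignments), redacts what it finds and groups the affected case IDs by credential type. The case IDs and bodies in `SAMPLE_CASES` are constructed samples, and the detector list is illustrative; Snowflake tokens have no fixed public format, so the sample Snowflake password is caught only by the generic `password=` detector.

```python
import re
from dataclasses import dataclass

# Constructed sample support-case bodies (hypothetical; no real Zscaler or customer
# data). The "secrets" are fake strings that merely match each detector's format.
SAMPLE_CASES = {
    "00001234": (
        "Customer reports SSO failure. Debug output attached:\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "00001235": "Snowflake connector config: account=xy12345 user=ETL_SVC password=Sn0wflake!Passw0rd",
    "00001236": "Question about license renewal dates. No attachments.",
    "00001237": "Repo access for the PoC: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
}

# Detector name -> compiled regex. Where the regex has a capture group, the group
# is the secret; otherwise the whole match is. Keyword anchoring (requiring
# "aws_secret_access_key =") keeps the otherwise noisy 40-character pattern usable.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*(\S+)"),
}


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    redacted: str  # the triage report never carries the full secret


def redact(secret: str) -> str:
    """Keep just enough of the value for its owner to recognise it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_case(case_id: str, body: str) -> list[Finding]:
    """Run every detector over one case body and return redacted findings."""
    findings = []
    for kind, rx in DETECTORS.items():
        for m in rx.finditer(body):
            secret = m.group(1) if rx.groups else m.group(0)
            findings.append(Finding(case_id, kind, redact(secret)))
    return findings


def scan_cases(cases: dict[str, str]) -> list[Finding]:
    """Scan a mapping of case ID -> body, e.g. an export of the exposed cases."""
    return [f for case_id, body in cases.items() for f in scan_case(case_id, body)]


def rotation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group affected case IDs by credential type: one rotation list per owning team."""
    plan: dict[str, set[str]] = {}
    for f in findings:
        plan.setdefault(f.kind, set()).add(f.case_id)
    return {kind: sorted(ids) for kind, ids in plan.items()}


if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for f in results:
        print(f"case {f.case_id}: {f.kind} -> {f.redacted}")
    print(rotation_plan(results))
```

Run against a real export, the script gives the incident team a per-credential-type list of tickets to chase rather than a dump of secrets; the redaction matters because the triage output itself tends to be pasted into yet another ticket.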

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
