Zscaler disclosed a security breach after attackers accessed its Salesforce environment through stolen OAuth and refresh tokens from Salesloft Drift, an AI chat tool integrated with Salesforce. The compromised credentials allowed limited access to Zscaler’s Salesforce data, exposing customer details such as names, emails, job titles, phone numbers, regional information, licensing details, and certain support case content. The company emphasized that the incident only affected Salesforce records and did not impact its products, services, or infrastructure.
Although Zscaler has not found evidence of misuse, it warned customers about potential phishing and social engineering attempts that use the stolen data. In response, Zscaler revoked all Drift integrations, rotated API tokens, and tightened customer authentication procedures. Google Threat Intelligence attributed the broader campaign to the group UNC6395, which has been targeting Salesforce users to steal credentials, tokens, and sensitive information. Investigations revealed that the compromise extended beyond the Drift Salesforce integration to include Drift Email and even Google Workspace accounts.
Researchers believe this campaign may overlap with ShinyHunters’ recent Salesforce data theft operations, which have leveraged social engineering and vishing tactics to deploy malicious OAuth apps. Since June, several global companies, including Google, Cisco, Adidas, and LVMH brands, have been linked to these attacks.