Zscaler Data Breach Exposes Business Contact Information After Hackers Exploited Salesforce-Linked Credentials in Major Cyberattack
Cybersecurity firm Zscaler confirmed a data breach linked to a global supply-chain attack through Salesforce’s Salesloft Drift integration, exposing customer contact details. The incident underscores rising SaaS security risks affecting over 700 organizations worldwide.

Zscaler, a cybersecurity company, has stated that it was the victim of a global supply chain attack that exposed customer contact information. The breach was linked to compromised Salesforce credentials and the marketing platform Salesloft Drift.
The incident, which was officially disclosed on August 31, 2025, is part of a much broader campaign that has affected over 700 companies globally. According to security researchers, the attackers targeted OAuth tokens (secure digital keys that allow apps to access certain account data without requiring your actual password) from Salesloft Drift between August 8 and 18, 2025, allowing them to directly access Salesforce accounts without triggering multi-factor authentication.
This large-scale attack has been linked to UNC6395, a threat group that Google's Threat Intelligence team and cybersecurity company Mandiant have been investigating since early August.
What Happened at Zscaler?
Zscaler confirmed that the attack was limited to its Salesforce environment. Importantly, the company emphasized that its core security products, services, and infrastructure were not affected.
The attackers were able to access certain business-related data stored in Salesforce. The exposed information included names, business email addresses, job titles, and phone numbers, along with regional and location details. In addition, some Zscaler product licensing and commercial information was compromised, as well as plain text from certain support cases, though this did not include any files, attachments, or images.
Zscaler stated that so far there is no evidence the stolen information has been misused. However, the breach highlights how third-party tools connected to widely used platforms like Salesforce can become weak points in cybersecurity defenses.
Response and Protective Measures
Once the issue was discovered, Zscaler quickly took steps to contain the breach by revoking Salesloft Drift’s access to its Salesforce data and rotating API tokens to block any unauthorized entry. The company also worked closely with Salesforce to carry out a thorough investigation and implemented additional safeguards to prevent similar incidents in the future. Meanwhile, on August 20, 2025, Salesloft and Salesforce revoked all active tokens linked to Drift and removed the Drift application from Salesforce’s AppExchange marketplace while the investigation continues.
Lessons for Businesses
This incident underscores the security gaps that can arise when different SaaS applications are interconnected. Because OAuth tokens allow smooth connectivity between applications, an attacker who steals them can use them to reach the connected data, bypassing passwords and alerts. Though no misuse has been found, customers are advised to stay alert to phishing or scams.
Experts recommend that organizations regularly review connected third-party apps, revoke unnecessary permissions, and continuously monitor for unusual activity, including large-scale data exports, to strengthen protection.
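The monitoring recommendation above can be sketched as a simple baseline check. This is an added example, not code from Zscaler, Salesforce or the cited source: it compares how many rows each connected app pulls per hour against that app's own history and notes source IPs not seen before. The event schema, app names, thresholds and sample data are all constructed assumptions, not a real Salesforce log format.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema and app names):
# timestamp, connected app, source IP, rows returned by the API query.
SAMPLE_EVENTS = """\
ts,app,src_ip,rows
2025-01-01T09:00:00,ChatIntegration,198.51.100.10,120
2025-01-01T15:00:00,ChatIntegration,198.51.100.10,95
2025-01-02T10:00:00,ChatIntegration,198.51.100.10,140
2025-01-03T03:10:00,ChatIntegration,203.0.113.77,48000
2025-01-03T03:40:00,ChatIntegration,203.0.113.77,52000
2025-01-03T11:00:00,ReportingTool,198.51.100.20,300
"""

def find_export_anomalies(csv_text, baseline_end, window=timedelta(hours=1), factor=10):
    """Flag (app, window) buckets after baseline_end whose row count exceeds
    factor x the app's largest baseline bucket; list IPs unseen in the baseline."""
    baseline_end = datetime.fromisoformat(baseline_end)
    buckets = defaultdict(lambda: {"rows": 0, "ips": set()})
    for ev in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(ev["ts"])
        # Round the timestamp down to the start of its window.
        start = datetime.min + ((ts - datetime.min) // window) * window
        bucket = buckets[(ev["app"], start)]
        bucket["rows"] += int(ev["rows"])
        bucket["ips"].add(ev["src_ip"])

    # Per-app baseline: peak rows per window and the set of known source IPs.
    peak, known_ips = defaultdict(int), defaultdict(set)
    for (app, start), bucket in buckets.items():
        if start < baseline_end:
            peak[app] = max(peak[app], bucket["rows"])
            known_ips[app] |= bucket["ips"]

    alerts = []
    for (app, start), bucket in sorted(buckets.items()):
        # Apps with no baseline history are skipped here; review them separately.
        if start >= baseline_end and app in peak and bucket["rows"] > factor * peak[app]:
            alerts.append({"app": app, "window": start.isoformat(),
                           "rows": bucket["rows"],
                           "new_ips": sorted(bucket["ips"] - known_ips[app])})
    return alerts

if __name__ == "__main__":
    for alert in find_export_anomalies(SAMPLE_EVENTS, "2025-01-03T00:00:00"):
        print(alert)
```

A volume spike from an address the integration has never used is a stronger signal than either condition alone, which is why the alert carries both.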
Final Thoughts
The Zscaler case shows that even strong security companies face risks when third-party tools are breached. As reliance on SaaS grows, attackers are targeting the connections between these services. Businesses must strengthen SaaS security by monitoring integrations, limiting access, and safeguarding every connected service to reduce future risks.
Information referenced in this article is from Cyber Security News