Supply-Chain Attack Hits Zscaler via Salesloft Drift, Leaking Customer Info
Zscaler has revealed that it was impacted by a recent supply-chain attack on Salesloft Drift, a marketing SaaS platform integrated with Salesforce. The cybersecurity vendor confirmed that it was affected by a campaign targeting Salesloft Drift in which attackers obtained credentials belonging to Drift customers, giving them limited visibility into those customers' Salesforce data.
The attackers gained control of Salesloft Drift credentials, allowing them to access some of Zscaler's Salesforce information. However, Zscaler emphasized that its products, services, and core infrastructure were not compromised. "As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler," reads the advisory published by Zscaler. "Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler's Salesforce information."
According to Zscaler, the stolen data includes commonly available business contact details for points of contact and specific Salesforce-related content, such as names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, and content from certain support cases. Despite the limited impact, Zscaler has taken measures to protect its customers, including revoking Drift's Salesforce access, rotating API tokens, launching a joint investigation with Salesforce, adding safeguards, reviewing third-party vendors, and reinforcing customer support authentication.
Google has also been affected by this supply-chain attack on Salesloft Drift, and the company has disclosed that it was targeted along with Zscaler. The attackers used stolen OAuth tokens to access some Google Workspace emails via the Drift Email integration. However, Google stressed that this was not a compromise of Workspace itself, but only accounts integrated with Salesloft were at risk.
"Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations," reads an update published by Google Threat Intelligence Group (GTIG). "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised."
Other experts, including GTIG and Mandiant researchers, have also investigated this incident. They discovered that a threat actor named UNC6395 stole OAuth tokens via Salesloft Drift, exfiltrating data from Salesforce between August 8 and August 18, 2025.
"Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application," reads a report published by GTIG. "The actor systematically exported large volumes of data from numerous corporate Salesforce instances."
Salesforce has also confirmed that it was impacted by this supply-chain attack on Salesloft Drift, but only a small number of customers were affected due to a compromised app connection.
What You Need to Know
- Zscaler and Google have both been targeted by the same supply-chain attack on Salesloft Drift, resulting in unauthorized access to customer credentials and limited visibility into Salesforce information.
- The attackers gained control of Salesloft Drift credentials, allowing them to access some of Zscaler's Salesforce information.
- Zscaler emphasized that its products, services, and core infrastructure were not compromised.
- Google urged its customers to review integrations, rotate credentials, and check for breaches after discovering that the attackers used stolen OAuth tokens to access some Google Workspace emails via the Drift Email integration.
- Salesforce said only a small number of customers were affected due to a compromised app connection.
What You Can Do
Zscaler has urged its customers to remain vigilant against phishing attempts and social engineering attacks, despite the limited impact and the absence of any evidence that the data has been misused. Google has also advised its customers to review integrations, rotate credentials, and check for breaches after discovering that the attackers used stolen OAuth tokens to access some Google Workspace emails via the Drift Email integration.
Experts recommend that all customers treat connected tokens as compromised and take immediate action to protect themselves. Rotating credentials, reviewing third-party vendors, and reinforcing customer support authentication are essential steps to prevent future attacks.
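The guidance above boils down to two defender tasks: inventory every token connected to Drift so it can be revoked and rotated, and check whether any Drift-linked identity touched Salesforce or Workspace data during the window GTIG reported (Aug. 8 to Aug. 18, 2025). The script below is an added example of that triage and is not tooling from Zscaler, Google, Salesforce or Salesloft. It assumes connected-app access events have already been exported into a simple record format (the field names and the sample events are constructed for illustration), and it applies the article's own rule that anything connected to Drift is treated as compromised regardless of whether it was active in the window.

```python
"""Triage helper for the Salesloft Drift OAuth-token incident.

Added example, not vendor tooling. Assumptions (not from the article):
connected-app access events are available as dicts with the fields used
below, resembling a login/API event export. All sample records are constructed.
"""
from datetime import datetime, timezone

# Exfiltration window reported by GTIG (dates from the article, UTC assumed).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Integrations the article says to treat as compromised: anything stored in or
# connected to Drift. These app labels are assumed, not real connected-app IDs.
DRIFT_APPS = {"Salesloft Drift", "Drift Email"}

# Constructed sample events covering the cases a triage has to separate.
SAMPLE_EVENTS = [
    # Normal Drift activity before the window: token still needs rotating.
    {"ts": "2025-08-01T09:00:00Z", "platform": "salesforce", "app": "Salesloft Drift",
     "user": "svc-drift@example.com", "operation": "Query", "rows": 120},
    # Bulk exports inside the window: matches the reported pattern.
    {"ts": "2025-08-10T03:14:00Z", "platform": "salesforce", "app": "Salesloft Drift",
     "user": "svc-drift@example.com", "operation": "BulkApiExport", "rows": 250000},
    {"ts": "2025-08-12T04:02:00Z", "platform": "salesforce", "app": "Salesloft Drift",
     "user": "svc-drift@example.com", "operation": "BulkApiExport", "rows": 180000},
    # Drift Email integration reading Workspace mail inside the window.
    {"ts": "2025-08-15T11:30:00Z", "platform": "workspace", "app": "Drift Email",
     "user": "sales-inbox@example.com", "operation": "MailRead", "rows": 40},
    # Unrelated connected app active in the window: not part of this incident.
    {"ts": "2025-08-11T10:00:00Z", "platform": "salesforce", "app": "Internal BI",
     "user": "bi@example.com", "operation": "Query", "rows": 5000},
    # Drift activity after the window: still a Drift token, still rotate it.
    {"ts": "2025-08-25T08:00:00Z", "platform": "salesforce", "app": "Salesloft Drift",
     "user": "svc-drift-eu@example.com", "operation": "Query", "rows": 10},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the reported exfiltration window."""
    return WINDOW_START <= ts <= WINDOW_END


def triage(events, bulk_threshold=10_000):
    """Split events into: tokens to revoke, in-window Drift activity, bulk exports.

    Every identity seen through a Drift app goes on the revoke list even if it
    was only active outside the window, per the 'treat all Drift-connected
    tokens as compromised' guidance. Bulk exports are flagged by row count
    (threshold is an assumed tuning value).
    """
    tokens = set()
    in_window_events = []
    bulk_exports = []
    for event in events:
        if event["app"] not in DRIFT_APPS:
            continue
        tokens.add((event["platform"], event["app"], event["user"]))
        if in_window(parse_ts(event["ts"])):
            in_window_events.append(event)
            if event["rows"] >= bulk_threshold:
                bulk_exports.append(event)
    return {
        "tokens_to_revoke": sorted(tokens),
        "in_window_events": in_window_events,
        "bulk_exports": bulk_exports,
    }


def rotation_plan(result):
    """One action line per Drift-linked identity: revoke the grant, rotate the secret."""
    return [f"revoke and rotate {app} token for {user} on {platform}"
            for platform, app, user in result["tokens_to_revoke"]]


if __name__ == "__main__":
    outcome = triage(SAMPLE_EVENTS)
    for line in rotation_plan(outcome):
        print(line)
    for event in outcome["bulk_exports"]:
        print(f"bulk export {event['ts']} {event['user']} rows={event['rows']}")
```

Running it on the constructed sample lists three identities to revoke and rotate (two Salesforce Drift users and the Workspace Drift Email inbox) and flags the two bulk exports on Aug. 10 and Aug. 12; the unrelated BI app is ignored, and the Aug. 25 Drift login still lands on the rotation list even though it is outside the window.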
Stay Safe Online
Supply-chain attacks can be particularly damaging because compromising a single trusted vendor or integration, such as a SaaS app holding OAuth tokens for many organizations, gives attackers a path into every customer connected to it rather than into one system or application. To stay safe online, it's essential to remain vigilant and take proactive measures to protect yourself and your organization from these types of threats.