Global SaaS Breach Campaign Ensnaring 700 Firms Reaches Zscaler

Zscaler Admits Salesforce Compromise Amid 2025’s Largest SaaS Breach

The420.in

On August 31, 2025, Zscaler disclosed that attackers had infiltrated its Salesforce environment by compromising OAuth tokens associated with Salesloft Drift, a marketing and workflow automation platform. The company emphasized that its core security services and infrastructure remained untouched, and the incident was confined to Salesforce data. Yet the breach illustrates the growing vulnerabilities hidden within SaaS-to-SaaS integrations—systems that often bypass traditional security checks.

The attack, part of a larger campaign tracked since early August, has been attributed to the threat group UNC6395 by Google’s Threat Intelligence and Mandiant researchers. Investigators believe the group leveraged Python-based tools to automate data theft across hundreds of organizations.

Information Exposed and Immediate Response

According to Zscaler, compromised information included names, business email addresses, job titles, phone numbers, regional identifiers, and Salesforce-specific licensing and commercial data. In some cases, plain-text content from customer support tickets was also exposed, though the company stressed that attachments and sensitive files were not affected.

In response, Zscaler revoked Salesloft Drift’s API access and rotated all affected tokens. Salesforce simultaneously removed the Drift app from its marketplace and revoked all associated tokens. Both firms are conducting joint investigations to prevent recurrence.

Expanding Scope of the Campaign

Initially thought to affect only Salesforce instances, the campaign’s scope expanded when Google confirmed that OAuth tokens for Drift Email had also been compromised. This gave attackers limited but concerning access to Google Workspace accounts, raising the specter of cascading supply-chain failures across the technology sector.

Security researchers now describe the incident as the most significant SaaS breach campaign of 2025, with more than 700 companies worldwide implicated. Most victims are in the technology and software industries, where interlinked cloud services are routine.

Lessons From the Breach

Although Zscaler reports no evidence of misuse, it has warned customers of potential phishing and social engineering campaigns leveraging exposed contact details. The company urged clients to remain alert, stressing that its official support will never request authentication credentials through unsolicited communications.

Experts argue the breach underscores a structural weakness: OAuth tokens can provide persistent access without triggering standard security alerts, allowing attackers to move silently across cloud ecosystems. For organizations, the incident is a stark reminder to review third-party integrations, revoke broad permissions, and implement continuous monitoring of SaaS environments.
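The two controls the paragraph recommends, revoking over-broad or dormant OAuth grants and watching for a connected app that suddenly reads far more records than it normally does, can both be expressed as simple checks over an org's own audit data. The block below is an added illustration, not code from Zscaler, Salesforce, Salesloft or the researchers cited above. The event records, grant inventory, field names and scope names are all constructed for the example and do not reproduce any vendor's real log schema; the thresholds are arbitrary starting points a team would tune against its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API-usage events for several connected apps.
# Field names are an assumption for this example, not a real audit-log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T01:30:00Z", "app": "crm-sync",        "obj": "Contact",     "rows": 100},
    {"ts": "2025-08-08T02:00:05Z", "app": "drift-connector", "obj": "Contact",     "rows": 2000},
    {"ts": "2025-08-08T02:03:10Z", "app": "drift-connector", "obj": "Account",     "rows": 2000},
    {"ts": "2025-08-08T02:07:44Z", "app": "drift-connector", "obj": "Case",        "rows": 4000},
    {"ts": "2025-08-08T02:12:30Z", "app": "drift-connector", "obj": "Opportunity", "rows": 4000},
    {"ts": "2025-08-08T02:55:00Z", "app": "drift-connector", "obj": "Contact",     "rows": 500},
    {"ts": "2025-08-08T03:30:00Z", "app": "crm-sync",        "obj": "Contact",     "rows": 100},
    {"ts": "2025-08-08T05:30:00Z", "app": "crm-sync",        "obj": "Contact",     "rows": 100},
]

# Constructed inventory of OAuth grants issued to third-party apps.
# Scope names here are assumptions chosen for illustration.
SAMPLE_GRANTS = [
    {"app": "drift-connector",  "scopes": ["api", "refresh_token", "full"], "last_used": "2025-08-08T02:55:00Z"},
    {"app": "crm-sync",         "scopes": ["api"],                          "last_used": "2025-08-08T05:30:00Z"},
    {"app": "legacy-reporting", "scopes": ["api"],                          "last_used": "2025-05-01T00:00:00Z"},
]

# Reference time for the idle-grant check (constructed).
NOW = datetime(2025, 8, 31)

# Scopes treated as "broad" for this example: anything granting blanket access.
BROAD_SCOPES = {"full"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_bulk_export(events, row_threshold=5000, window=timedelta(minutes=30)):
    """Return {app: peak_rows} for every connected app whose rows read inside
    any sliding time window of length `window` exceed `row_threshold`.

    A single integration quietly pulling tens of thousands of records in a
    few minutes is the pattern a persistent OAuth token makes easy to miss
    when only login events are alerted on.
    """
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append((parse_ts(e["ts"]), e["rows"]))

    flagged = {}
    for app, items in by_app.items():
        items.sort()
        start, total, peak = 0, 0, 0
        for ts, rows in items:
            total += rows
            # Slide the window forward: drop events older than `window`.
            while ts - items[start][0] > window:
                total -= items[start][1]
                start += 1
            peak = max(peak, total)
        if peak > row_threshold:
            flagged[app] = peak
    return flagged


def flag_risky_grants(grants, now, max_idle=timedelta(days=30)):
    """Return sorted (app, reason) pairs for grants that carry a broad scope
    or have not been used within `max_idle`; both are candidates for revocation
    or scope reduction under a least-privilege review."""
    findings = []
    for g in grants:
        broad = sorted(BROAD_SCOPES.intersection(g["scopes"]))
        if broad:
            findings.append((g["app"], "broad scope: " + ", ".join(broad)))
        idle = now - parse_ts(g["last_used"])
        if idle > max_idle:
            findings.append((g["app"], f"idle {idle.days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for app, peak in flag_bulk_export(SAMPLE_EVENTS).items():
        print(f"bulk read: {app} peaked at {peak} rows in one window")
    for app, reason in flag_risky_grants(SAMPLE_GRANTS, NOW):
        print(f"review grant: {app} ({reason})")
```

On the constructed data, `flag_bulk_export` singles out `drift-connector` (12,000 rows inside 13 minutes) while `crm-sync`, which reads 100 rows every couple of hours, stays below the threshold; `flag_risky_grants` lists the same app for its blanket scope and `legacy-reporting` for months of inactivity. In practice the row threshold should be derived from each app's historical volume rather than fixed, and the grant review should run on a schedule so a token that outlives the integration it was issued for does not linger unnoticed.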
