According to Zscaler, the Salesforce breach is connected to Salesloft Drift, where Salesforce customer data was stolen and SaaS integration was compromised.

Cybersecurity Company Zscaler has reported a supply chain attack targeting Salesforce integrations that ultimately exposed customer contact information via compromised Salesloft Drift credentials. The attack, which was revealed on August 31, 2025, is just part of a broader campaign that has affected more than 700 organizations across the world.

Zscaler explained that the hack was to its Salesforce environment only and it had no effect on its products and infrastructure. Threat actor UNC6395 used OAuth tokens to access Salesforce customer instances directly without going through multi-factor authentication and to automate data theft on hundreds of accounts.

The breached information consisted of names, emails, job titles, and Salesforce-specific information, e.g., product licensing details and support case text. Zscaler emphasized that they have not yet detected any instances of misuse.

The company then blocked Drift's access to its Salesforce data and implemented API rotation and collaboration with Salesforce to provide additional protection. Other events Salesloft notified Salesforce on August 20 that all of its active Salesloft tokens in the Drift application had been revoked and the application was no longer visible on AppExchange.

The hack demonstrates the dangers of third-party SaaS integration. Zscaler advised companies to reconsider what the connected apps can do and restrict usage and inspect suspicious factors.