Zscaler, a leading cloud security provider, confirmed a data breach stemming from a compromised Salesloft Drift integration with Salesforce. Attackers used stolen OAuth tokens to read customer contact records and a limited amount of support-case text. Crucially, Zscaler's internal systems and core infrastructure were unaffected.
The breach is part of a larger supply-chain attack targeting OAuth tokens tied to Salesloft Drift, a popular AI-driven chat and sales workflow tool. The campaign has impacted over 700 organizations globally and is tracked by Google's Threat Intelligence Group and Mandiant, who attribute it to the threat actor UNC6395.
Exposed data includes:
- Names, business emails, job titles, phone numbers, and regional information
- Commercial and licensing details tied to Zscaler products
- Plain-text fields from select support cases, excluding attachments and files
Zscaler acted swiftly, revoking Drift access, rotating API and OAuth tokens, launching a forensic investigation with Salesforce, and strengthening third-party risk governance and phishing safeguards. As of now, there is no evidence that the data has been misused.
Why It Matters for AVGC & Tech Ecosystems
| Insight | Implication |
|---|---|
| Trust in Vendor Ecosystems | Even industry-leading security firms can be compromised via SaaS integration pathways. |
| Critical Role of Token Management | OAuth tokens can bypass MFA, highlighting the importance of secure token governance. |
| Shared Risk in SaaS Supply Chains | A breach at a third-party SaaS tool can ripple through dependent organizations, regardless of their own defenses. |
| Urgency of Defense-in-Depth | Robust incident response, zero-trust design, and tight SaaS integration policies are vital for business resilience. |
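The remediation steps above (revoking the integration's access and rotating tokens) and the token-governance point in the table both come down to keeping an inventory of which integrations hold live OAuth tokens and checking it against policy. The script below is an added example, not Zscaler's, Salesforce's or Salesloft's code: it audits a constructed token inventory for tokens belonging to a revoked integration, tokens past their rotation window, and tokens granted broader scopes than the integration is allowed. The record fields, app names, scope names and the `REVOKED_APPS` / `ALLOWED_SCOPES` policy are all hypothetical and would be replaced by the identity provider's or SaaS platform's own connected-app export.

```python
"""Audit a SaaS-integration OAuth token inventory against policy.

Flags three conditions a defender wants to catch quickly after a
third-party integration is compromised:
  REVOKE_NOW  - a token still live for an integration that has been revoked
  ROTATE      - a token older than the rotation window
  OVERSCOPED  - a token holding scopes the integration was never approved for

The inventory format and every value in it are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TokenRecord:
    app: str              # connected application / integration name (hypothetical)
    token_id: str         # opaque identifier only; the secret itself is never stored here
    scopes: frozenset     # OAuth scopes granted to this token
    issued_at: datetime   # when the token was minted
    last_used_at: datetime
    last_used_ip: str     # documentation-range IP, constructed


# Reference time for the audit (constructed so the example is deterministic).
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

# Constructed sample inventory; names and values are hypothetical.
SAMPLE_INVENTORY = [
    TokenRecord("chat-integration", "tok-001", frozenset({"api", "refresh_token", "full"}),
                NOW - timedelta(days=200), NOW - timedelta(days=3), "203.0.113.10"),
    TokenRecord("ticketing-sync", "tok-002", frozenset({"api"}),
                NOW - timedelta(days=20), NOW - timedelta(days=1), "198.51.100.7"),
    TokenRecord("analytics-export", "tok-003", frozenset({"api", "full"}),
                NOW - timedelta(days=400), NOW - timedelta(days=2), "198.51.100.8"),
]

# Policy inputs (hypothetical): which integrations have been revoked, how old a
# token may be before rotation, and the maximum scopes each integration may hold.
REVOKED_APPS = {"chat-integration"}
MAX_TOKEN_AGE = timedelta(days=90)
ALLOWED_SCOPES = {
    "chat-integration": {"api", "refresh_token"},
    "ticketing-sync": {"api"},
    "analytics-export": {"api"},
}


def audit_tokens(inventory, revoked_apps, allowed_scopes, now, max_age):
    """Return a list of (token_id, finding, detail) tuples, one per policy violation."""
    findings = []
    for rec in inventory:
        if rec.app in revoked_apps:
            findings.append((rec.token_id, "REVOKE_NOW",
                             f"integration {rec.app} is revoked but token is still live"))
        age = now - rec.issued_at
        if age > max_age:
            findings.append((rec.token_id, "ROTATE",
                             f"token age {age.days}d exceeds {max_age.days}d window"))
        # An app absent from the allow-list is treated as allowed nothing, so every
        # scope it holds is flagged; unknown integrations should not hold tokens silently.
        extra = rec.scopes - allowed_scopes.get(rec.app, set())
        if extra:
            findings.append((rec.token_id, "OVERSCOPED",
                             f"scopes beyond policy: {sorted(extra)}"))
    return findings


def plan_actions(findings):
    """Collapse findings into a per-token action set so each token is handled once."""
    plan = {}
    for token_id, finding, _detail in findings:
        plan.setdefault(token_id, set()).add(finding)
    return {tid: sorted(actions) for tid, actions in plan.items()}


if __name__ == "__main__":
    results = audit_tokens(SAMPLE_INVENTORY, REVOKED_APPS, ALLOWED_SCOPES, NOW, MAX_TOKEN_AGE)
    for token_id, finding, detail in results:
        print(f"{token_id}: {finding:<10} {detail}")
    print(plan_actions(results))
```

Run stand-alone, the script reports the revoked integration's token for immediate revocation, the two aged tokens for rotation, and the two tokens carrying a `full` scope as over-scoped; the ticketing token passes. In a real environment the inventory would be pulled from the platform's connected-app or token API, and the REVOKE_NOW findings would feed directly into the revocation step rather than a report.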