Zscaler Faces Customer Data Breach Through Salesloft Drift Supply Chain Attack


Podcast episode: Zscaler Data Breach: The Salesloft Drift Supply Chain Attack (https://technijian.com/podcast/zscaler-data-breach-the-salesloft-drift-supply-chain-attack/)

The cybersecurity landscape has been shaken by another significant data breach, this time affecting Zscaler, a prominent cybersecurity company that ironically specializes in protecting organizations from digital threats. The incident highlights the growing risk posed by supply chain attacks and their cascading effects across the technology ecosystem.

What Happened in the Zscaler Data Breach?

On September 1, 2025, Zscaler disclosed a data breach after unauthorized threat actors infiltrated its Salesforce environment through a compromised third-party service. The breach was part of a broader supply chain attack targeting Salesloft Drift, an AI-powered chat integration platform that connects to Salesforce systems. The attackers stole OAuth and refresh tokens from Salesloft Drift, which gave them legitimate credentials for accessing customer Salesforce environments. Because Salesforce treats a valid OAuth token as an already-authenticated session, these stolen tokens acted as digital skeleton keys, letting the cybercriminals bypass the normal login controls and gain unauthorized access to sensitive customer information.

The Scope of Compromised Information

The data breach exposed several categories of sensitive customer information stored within Zscaler’s Salesforce instance. The compromised data includes personal identifiers such as full names, business email addresses, job titles, and phone numbers of affected customers. Additionally, the breach exposed regional and location details, which could be particularly valuable for targeted social engineering attacks.

Beyond personal information, the attackers also accessed commercial data including Zscaler product licensing information and detailed content from customer support cases. This type of information is particularly concerning, as support cases often contain technical details, configuration information, and sometimes even authentication credentials that customers share when seeking assistance.
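Since support cases often hold credentials, a practical first step after a CRM breach is to scan the exported case text for credential-shaped strings so the right secrets get rotated. The block below is an added example, not code from the page, Zscaler or Salesloft; the case records and every secret in them are constructed fakes, and the pattern set is a minimal illustration of the credential classes the text mentions (AWS access keys, passwords, tokens).

```python
import re
from dataclasses import dataclass

# Constructed sample support cases (not real Zscaler data); the secrets are
# fake values in the shape of the credential types the text mentions.
SUPPORT_CASES = {
    "CASE-0001": "Tunnel flaps every hour. Config attached, nothing sensitive.",
    "CASE-0002": "Our log export to S3 fails. Keys: AKIAIOSFODNN7EXAMPLE / "
                 "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "CASE-0003": "Temp admin login for your engineer: password: Summ3r!2025",
    "CASE-0004": "API call returns 401 with header Authorization: Bearer "
                 "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abcdefghijklmnopqrstuvwxyz012345",
}

# Each pattern names a credential class and how to recognise it in free text.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "password_in_text": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
}

@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    preview: str  # redacted so the report itself does not leak the secret

def redact(value: str) -> str:
    """Keep just enough of the match to recognise it; mask the rest."""
    return value[:6] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_cases(cases: dict[str, str]) -> list[Finding]:
    """Return one Finding per credential-like match, in case order."""
    findings = []
    for case_id, body in cases.items():
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(body):
                findings.append(Finding(case_id, kind, redact(m.group(0))))
    return findings

def cases_needing_rotation(cases: dict[str, str]) -> dict[str, set[str]]:
    """Map each affected case to the credential classes found in it."""
    out: dict[str, set[str]] = {}
    for f in scan_cases(cases):
        out.setdefault(f.case_id, set()).add(f.kind)
    return out

if __name__ == "__main__":
    for case_id, kinds in cases_needing_rotation(SUPPORT_CASES).items():
        print(f"{case_id}: rotate {', '.join(sorted(kinds))}")
```

The output lists only the cases whose customers need to be told to rotate something, with the matched value masked so the triage report is safe to circulate.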

Understanding the Salesloft Drift Supply Chain Attack

The root cause of this breach traces back to a sophisticated supply chain attack targeting Salesloft Drift, which serves as an AI chat agent integrated with Salesforce platforms. This attack represents a classic example of how cybercriminals are increasingly targeting trusted third-party services to gain access to multiple downstream victims.

Google Threat Intelligence identified the threat actor behind these attacks as UNC6395, a group that has demonstrated advanced operational security awareness. The group specifically targets sensitive credentials, including Amazon Web Services access keys, passwords, and various authentication tokens stored within support systems.

What makes this attack particularly concerning is the methodical approach taken by the cybercriminals. They actively deleted query jobs to cover their tracks, though fortunately, system logs remained intact, providing organizations with the ability to investigate the extent of data exposure.
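Because deleting a query job does not erase the record of its creation, a defender can still reconstruct which objects were pulled. The block below is an added example, not code from the page or from Salesforce; it uses a constructed, simplified audit-line format (not Salesforce's real event schema) and flags bulk query jobs that a given connected app created and then deleted within a short window.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit records (not Salesforce's real event schema).
# Fields: timestamp, event, connected app, job id, queried object (if any).
LOG_LINES = """\
2025-08-18T03:12:04Z BULK_QUERY_CREATED app=Drift job=750A1 object=Case
2025-08-18T03:13:40Z BULK_QUERY_CREATED app=Drift job=750A2 object=Contact
2025-08-18T03:14:02Z BULK_QUERY_CREATED app=Drift job=750A3 object=Account
2025-08-18T03:19:55Z BULK_QUERY_DELETED app=Drift job=750A1
2025-08-18T03:20:01Z BULK_QUERY_DELETED app=Drift job=750A2
2025-08-18T09:00:00Z BULK_QUERY_CREATED app=DataLoader job=750B1 object=Lead
2025-08-18T09:45:00Z BULK_QUERY_DELETED app=DataLoader job=750B1
"""

def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, **fields}

def suspicious_jobs(log_text, app, window=timedelta(minutes=30)):
    """Return {job_id: object} for query jobs created by `app` and deleted
    within `window`. The creation record survives the deletion, so the
    objects that were queried stay visible even after the clean-up."""
    created, deleted = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["app"] != app:
            continue
        if rec["event"] == "BULK_QUERY_CREATED":
            created[rec["job"]] = rec
        elif rec["event"] == "BULK_QUERY_DELETED":
            deleted[rec["job"]] = rec["ts"]
    result = {}
    for job, rec in created.items():
        if job in deleted and deleted[job] - rec["ts"] <= window:
            result[job] = rec["object"]
    return result

def exposed_objects(log_text, app):
    """Distinct objects touched by quickly deleted jobs, for scoping."""
    return sorted(set(suspicious_jobs(log_text, app).values()))

if __name__ == "__main__":
    print(suspicious_jobs(LOG_LINES, "Drift"))
    print(exposed_objects(LOG_LINES, "Drift"))
```

The window is a tunable heuristic: a routine export tool that deletes its job hours later is not flagged, while create-then-delete within minutes from the compromised integration is.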

The Broader Impact Beyond Zscaler

This supply chain attack extended far beyond Zscaler’s systems, affecting multiple organizations that relied on Salesloft Drift integrations. The compromise impacted both the Drift Salesforce integration and the Drift Email service, which many companies use for managing email communications and organizing customer relationship management databases.

The attackers leveraged stolen OAuth tokens to access Google Workspace email accounts, allowing them to read emails and potentially gather additional intelligence about their targets. This multi-vector approach demonstrates the sophisticated nature of modern cyber attacks and their potential for widespread damage across interconnected business systems.

Connection to Ongoing Salesforce Attacks

Security researchers have identified potential connections between this Salesloft Drift compromise and ongoing attacks by the ShinyHunters extortion group, which has been conducting systematic social engineering campaigns against Salesforce users throughout 2025.

These attacks typically involve voice phishing campaigns where attackers impersonate legitimate service representatives to trick employees into linking malicious OAuth applications with their company’s Salesforce instances. Once these connections are established, the threat actors gain persistent access to organizational databases and use the stolen information for extortion purposes.

The list of organizations affected by these related attacks reads like a who’s who of major corporations, including Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and luxury brands within the LVMH portfolio such as Louis Vuitton, Dior, and Tiffany & Co.

Zscaler’s Response and Remediation Efforts

Following the discovery of the breach, Zscaler implemented several immediate security measures to contain the incident and prevent further unauthorized access. The organization fully removed every Salesloft Drift integration from its Salesforce environment and, as a safeguard, replaced all associated API tokens.

The organization has also enhanced its customer authentication protocols for support interactions to better defend against potential social engineering attacks that might exploit the compromised information. Additionally, Zscaler is conducting a comprehensive investigation into the incident to understand the full scope of the breach and implement additional protective measures.

Industry-Wide Response and Temporary Measures

In response to the widespread nature of this supply chain attack, both Google and Salesforce have taken the unprecedented step of temporarily disabling their Drift integrations. This industry-wide response demonstrates the seriousness of the threat and the need for thorough investigation before normal operations can resume.

These temporary measures, while disruptive to business operations, reflect the responsible approach needed when dealing with supply chain compromises that affect multiple organizations and potentially millions of users.

Protecting Against Social Engineering Attacks

Organizations must recognize that the information exposed in this breach makes affected customers prime targets for sophisticated social engineering attacks. Cybercriminals can use the combination of personal information, job titles, and technical details from support cases to craft highly convincing phishing emails and phone calls.

Employees should be particularly vigilant about unsolicited communications that reference specific details about their organization’s Zscaler implementations or recent support interactions. These details, now potentially in the hands of cybercriminals, could be used to establish false credibility and bypass normal security awareness protocols.

Long-term Implications for Supply Chain Security

This incident underscores the critical importance of supply chain security in today’s interconnected business environment. Organizations can no longer view cybersecurity as solely their own responsibility but must consider the security posture of every third-party service and integration they utilize.

The cascading effects of this single compromise across multiple major organizations highlight the need for more robust vendor security assessments and continuous monitoring of third-party integrations. Companies must develop comprehensive incident response plans that account for supply chain compromises and their potential multi-organization impact.

Frequently Asked Questions

What specific customer information was compromised in the Zscaler breach? The breach exposed customer names, business email addresses, job titles, phone numbers, regional location details, Zscaler product licensing information, and content from customer support cases. Nonetheless, Zscaler’s products, services, and core infrastructure remained unaffected.

How were the attackers able to access Zscaler’s systems? Attackers compromised Salesloft Drift, a third-party AI chat service that integrates with Salesforce. They stole OAuth and refresh tokens from Drift, which allowed them to access Zscaler’s Salesforce instance using legitimate credentials.

Is my organization at risk if we use Zscaler services? The incident was limited to Zscaler’s Salesforce customer database and did not impact any of its security offerings or services. However, customers should remain vigilant against potential phishing and social engineering attacks that might use the exposed information.

What immediate actions should affected customers take? Customers should be extra cautious about unsolicited communications referencing their Zscaler relationship or support interactions. Implement additional verification procedures for any requests involving account changes or sensitive information sharing.

How widespread was this supply chain attack? The incident impacted several prominent companies in addition to Zscaler, among them Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, as well as luxury houses within LVMH’s portfolio like Louis Vuitton, Dior, and Tiffany & Co.

How has Zscaler responded to the security breach? Zscaler has revoked all Salesloft Drift integrations, rotated API tokens, strengthened customer authentication protocols, and is conducting a thorough investigation. They are also working with law enforcement and security partners.

Could this be connected to other recent Salesforce attacks? Security researchers believe this incident may be connected to ongoing attacks by the ShinyHunters extortion group, which has been conducting social engineering campaigns against Salesforce users throughout 2025.

What should organizations do to protect against similar supply chain attacks? Organizations should conduct thorough security assessments of all third-party integrations, implement continuous monitoring of vendor security postures, develop comprehensive incident response plans for supply chain compromises, and provide regular security awareness training focusing on social engineering tactics.

How Technijian Can Strengthen Your Cybersecurity Defense

In light of sophisticated supply chain attacks like the one affecting Zscaler, organizations need comprehensive cybersecurity strategies that go beyond traditional perimeter defense. Technijian specializes in developing multi-layered security approaches that address the evolving threat landscape and protect against both direct attacks and supply chain compromises.

Our cybersecurity experts work with organizations to implement robust vendor risk management programs, ensuring that third-party integrations undergo thorough security assessments before implementation and continuous monitoring throughout their lifecycle. We help establish incident response protocols specifically designed to handle supply chain compromises and their cascading effects across business operations.

Technijian’s security awareness training programs are specifically designed to help employees recognize and respond to social engineering attacks that leverage compromised information from data breaches. Our training modules cover the latest attack vectors and provide practical guidance for verifying the authenticity of communications, especially those that reference specific organizational details.

Additionally, our team provides comprehensive security architecture reviews to identify potential single points of failure in your technology stack and implement appropriate safeguards. We work closely with organizations to develop resilient systems that can maintain operations even when third-party services experience security incidents.

Contact Technijian today to schedule a comprehensive security assessment and learn how we can help protect your organization against sophisticated cyber threats and supply chain attacks.

About Technijian

Technijian is a premier managed IT services provider, committed to delivering innovative technology solutions that empower businesses across Southern California. Headquartered in Irvine, we offer robust IT support and comprehensive managed IT services tailored to meet the unique needs of organizations of all sizes. Our expertise spans key cities like Aliso Viejo, Anaheim, Brea, Buena Park, Costa Mesa, Cypress, Dana Point, Fountain Valley, Fullerton, Garden Grove, and many more. Our focus is on creating secure, scalable, and streamlined IT environments that drive operational success.

As a trusted IT partner, we prioritize aligning technology with business objectives through personalized IT consulting services. Our extensive expertise covers IT infrastructure management, IT outsourcing, and proactive cybersecurity solutions. From managed IT services in Anaheim to dynamic IT support in Laguna Beach, Mission Viejo, and San Clemente, we work tirelessly to ensure our clients can focus on business growth while we manage their technology needs efficiently.

At Technijian, we provide a suite of flexible IT solutions designed to enhance performance, protect sensitive data, and strengthen cybersecurity. Our services include cloud computing, network management, IT systems management, and disaster recovery planning. We extend our dedicated support across Orange, Rancho Santa Margarita, Santa Ana, and Westminster, ensuring businesses stay adaptable and future-ready in a rapidly evolving digital landscape.

Our proactive approach to IT management also includes help desk support, cybersecurity services, and customized IT consulting for a wide range of industries. We proudly serve businesses in Laguna Hills, Newport Beach, Tustin, Huntington Beach, and Yorba Linda. Our expertise in IT infrastructure services, cloud solutions, and system management makes us the go-to technology partner for businesses seeking reliability and growth.

Partnering with Technijian means gaining a strategic ally dedicated to optimizing your IT infrastructure. Experience the Technijian Advantage with our innovative IT support services, expert IT consulting, and reliable managed IT services in Irvine. We proudly serve clients across Irvine, Orange County, and the wider Southern California region, helping businesses stay secure, efficient, and competitive in today’s digital-first world.

Author: Ravi Jain

Technijian was founded in November of 2000 by Ravi Jain with the goal of providing technology support for small to midsize companies. As the company grew in size, it also expanded its services to address the growing needs of its loyal client base. From its humble beginnings as a one-man-IT-shop, Technijian now employs teams of support staff and engineers in domestic and international offices. Technijian’s US-based office provides the primary line of communication for customers, ensuring each customer enjoys the personalized service for which Technijian has become known.
