Close Menu
Cybercrime and Ransomware

Zscaler Data Breach: Hackers Steal Salesforce Customer Data

Staff WriterBy No Comments4 Mins Read2 Views

Essential Insights

  1. Zscaler was targeted in a major supply-chain attack via compromised Salesforce OAuth tokens linked to Salesloft Drift, impacting over 700 organizations globally.
  2. The breach, attributed to threat actor UNC6395, allowed hackers to bypass multi-factor authentication and extract contact information without affecting Zscaler’s core security infrastructure.
  3. The compromised data included business contacts, job titles, and Salesforce content, but there is no evidence of data misuse so far.
  4. The incident highlights vulnerabilities in SaaS-to-SaaS integrations, urging organizations to tighten permissions, monitor for suspicious activities, and remain vigilant against social engineering.

The Core Issue

In August 2025, the cybersecurity firm Zscaler revealed it had fallen prey to a large-scale supply-chain attack, which compromised contact information of its customers through hacked Salesforce credentials linked to the marketing platform Salesloft Drift. This breach was part of a broader campaign orchestrated by a sophisticated threat actor known as UNC6395, tracked by Google Threat Intelligence and Mandiant, which targeted OAuth tokens used by Salesloft Drift to automate sales processes via Salesforce. The attackers exploited these stolen tokens by using automated Python tools to access and extract data from hundreds of organizations’ Salesforce accounts, including names, emails, job titles, and regional details, bypassing multi-factor authentication.

Zscaler reported that only non-sensitive business contact information and some Salesforce-specific content were affected, with no evidence of misuse so far. However, this incident is a stark reminder of the vulnerabilities in third-party SaaS integrations—particularly OAuth tokens—that can grant persistent access without alerting security systems. The breach is part of what analysts describe as one of the largest SaaS breaches of 2025, impacting over 700 organizations worldwide. Following the attack, Zscaler took swift action by revoking access tokens, working closely with Salesforce, and strengthening its defenses, but it underscores the need for organizations to stay vigilant, review third-party permissions, and monitor for unusual activity to mitigate future risks.

Risk Summary

In 2025, Zscaler fell victim to a sophisticated supply-chain attack orchestrated by threat actor UNC6395, which exploited compromised OAuth tokens associated with Salesforce-integrated platform Salesloft Drift, impacting over 700 organizations globally. The breach, confined to Zscaler’s Salesforce environment, exposed sensitive business contact details—such as names, emails, job titles, and location data—and some Salesforce-specific content, but did not compromise core security systems or infrastructure. Attackers, utilizing advanced automation tools, bypassed multi-factor authentication to directly access Salesforce customer instances, highlighting the critical vulnerabilities inherent in SaaS-to-SaaS links where tokens can grant persistent access without alerting security protocols. Although no misuse of the stolen data has been confirmed, the incident underscores the escalating danger posed by supply-chain vulnerabilities, especially as they expand across multiple organizations and cloud services, emphasizing the need for rigorous third-party security measures, vigilant monitoring, and swift incident response to mitigate cascading risks in a highly interconnected digital environment.

Possible Action Plan

Addressing a data breach swiftly is crucial to limiting damage, protecting customer trust, and maintaining regulatory compliance. In case of an incident like the Zscaler breach involving compromised Salesforce data, prompt and effective remediation can prevent further data loss and reduce the risk of long-term reputational harm.

Mitigation Steps

  • Immediate Containment: Isolate affected systems to prevent further unauthorized access.
  • Threat Identification: Conduct thorough forensic analysis to understand how the breach occurred.
  • Access Revocation: Reset all compromised credentials and disable unauthorized user accounts.
  • Communication: Notify stakeholders, customers, and regulatory bodies promptly and transparently.
  • Security Patch: Implement necessary software patches and updates to fix vulnerabilities.
  • Monitoring: Enhance real-time monitoring to detect any subsequent suspicious activity.

Remediation Measures

  • Data Restoration: Recover compromised data from secure backups.
  • Enhanced Security Protocols: Strengthen security policies, including multi-factor authentication and encryption.
  • Training & Awareness: Educate employees on security best practices and social engineering threats.
  • Audit & Review: Regularly review security measures and conduct vulnerability assessments.
  • Legal & Compliance: Collaborate with legal teams to ensure compliance with data breach reporting requirements.

Stay Ahead in Cybersecurity

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.