Zscaler Confirms Data Breach Linked to Salesloft Drift Compromise
Cybersecurity company Zscaler has confirmed that customer data was exposed in a third-party breach after attackers compromised Salesloft’s Drift platform, part of a larger supply-chain attack impacting hundreds of organizations worldwide.
The incident occurred between August 8 and 18, 2025, when threat actors obtained OAuth and refresh tokens from Drift and used them to infiltrate connected Salesforce environments. Google’s Threat Intelligence Group attributed the campaign to UNC6395, a sophisticated actor capable of bypassing multi-factor authentication. Researchers noted the attackers “used these stolen tokens to authenticate directly into Salesforce customer instances, bypassing multi-factor authentication entirely.”
Zscaler emphasized that its core services and infrastructure were unaffected, with exposure limited to Salesforce CRM data. Stolen information included customer names, business email addresses, phone numbers, job titles, location details, product licensing, and some support case text fields.
“The scope of the incident is confined to Salesloft’s Drift app and does not involve access to any of Zscaler’s products, services or underlying systems and infrastructure,” the company said. It added, “After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information.”
Other major firms, including Palo Alto Networks and Cloudflare, have disclosed similar breaches tied to Drift. Palo Alto Networks described the incident as part of a supply-chain attack that “impacted hundreds of organizations, including Palo Alto Networks,” while Cloudflare confirmed Salesforce data exfiltration between August 12 and 17.
Salesloft and Salesforce revoked all Drift tokens on August 20 and removed the app from Salesforce’s AppExchange marketplace. Google later confirmed that a small number of Workspace accounts integrating Drift Email were also affected, though the company clarified, “The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft Drift; the actor would not have been able to access any other accounts on a customer’s Workspace domain.”
Zscaler has revoked Drift access, rotated API tokens, and launched a joint investigation with Salesforce. The company urged customers to remain alert to phishing and social engineering attempts using exposed contact details.