Zscaler Hit in 700-Firm SaaS Hack Targeting Salesforce
Cybersecurity firm Zscaler confirmed a data breach after attackers exploited compromised OAuth tokens linked to Salesloft Drift, a Salesforce-integrated marketing platform. The attack, part of a global supply-chain campaign believed to affect more than 700 organizations, resulted in unauthorized access to Zscaler's Salesforce environment. The company stated that its core services and infrastructure remained unaffected.
The threat group UNC6395 executed the intrusion between August 8 and 18, using stolen tokens to bypass multi-factor authentication and extract customer data. The exposed data included business contact details, product licensing information, and text from certain support cases. Google and Mandiant researchers have tracked the campaign since early August.
Zscaler quickly revoked Drift’s access, rotated API tokens, and launched a joint investigation with Salesforce. The breach highlights growing risks in SaaS-to-SaaS integrations. Zscaler advises customers to stay alert for phishing attempts using leaked contact data.
Zscaler Confirms Data Breach – Hackers Compromised Salesforce Instance and Stole Customer Data
