A widespread supply-chain cyberattack has unfolded, centering on OAuth tokens stolen from the Salesloft Drift application, a third-party AI-powered sales tool that integrates deeply with platforms such as Salesforce, Slack, and Google Workspace. The campaign, attributed to the threat group UNC6395, ran from August 8 to August 18, 2025, and has impacted hundreds of organizations globally.
Security researchers from Google’s Threat Intelligence Group and Mandiant observed mass exfiltration of sensitive data from connected Salesforce instances, utilizing compromised tokens to query and extract information including AWS access keys, Snowflake credentials, internal support case details, business contact information, and more.
Recognizing the severity, Salesforce disabled all Salesloft integrations, and Salesloft revoked all Drift-related OAuth tokens and removed the app from AppExchange on August 20, 2025.
Impact on Zscaler
Zscaler confirmed its Salesforce instance was accessed due to stolen Drift credentials, though its internal systems, services, and infrastructure remained untouched.
Exposed Data Includes:
- Names, business email addresses, job titles, phone numbers, and regional details
- Zscaler-specific commercial data (product licensing, etc.)
- Plain text from support case communications, excluding attachments and files
Zscaler has found no evidence of misuse so far. In response, the company has revoked Drift access, rotated API tokens, launched an in-depth investigation with Salesforce, enhanced its third-party risk management, and tightened customer authentication protocols to guard against phishing and social engineering attempts.
Impact on Palo Alto Networks
Palo Alto Networks also acknowledged being among the hundreds of affected organizations whose Salesforce CRM was compromised.
Exposed Data Includes:
- Business contact information, internal sales account records, and basic customer case data
- No core systems, products, or services were compromised
Upon discovering the breach, the company severed the Drift integration and deployed their Unit 42 security team for a full investigation. They are reaching out to customers who may have had more sensitive data exposed.
Broader Context & Ongoing Threat Landscape
- The threat actor UNC6395 executed highly targeted exfiltration using Drift OAuth tokens, emphasizing credential harvesting and covert data queries – such as SOQL queries – across vast Salesforce environments.
- Exposed secrets include AWS keys, passwords, and Snowflake tokens.
- Attackers deleted query jobs to obscure detection – employing advanced operational security.
- Google warned that any Drift-related authentication tokens – even beyond Salesforce integrations – should be treated as compromised.
Recommended Actions for Organizations
- Rotate and Revoke All Drift Tokens
Immediately revoke OAuth tokens associated with Drift integrations and rotate any related credentials across Salesforce, Google Workspace, AWS, Snowflake, and other interconnected systems.
- Audit Salesforce Objects
Inspect Cases, Accounts, Users, Opportunities, and custom fields for exposed secrets or abnormal data patterns.
- Enforce Least-Privilege and Visibility for OAuth/Non-Human Identities
Maintain strict data access scopes, continuous visibility into third-party app permissions, and enforce robust monitoring of behavior.
- Harden Third-Party Risk Management Practices
Include contractual assurance, regular auditing, and rapid removal pathways for integrations.
- Educate Teams on Phishing Exposure
Given contact data compromise, prepare for phishing or social engineering attempts and reinforce authentication vigilance.
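One way to carry out the Salesforce object audit recommended above, as an added example that is not from the original article or from any vendor: a Python scan over exported Case records for the secret types the report says were harvested (AWS access keys, Snowflake credentials, passwords). The regular expressions, the field names and the sample records are constructed for illustration and should be tuned before use.

```python
import re
from typing import Dict, Iterable, List

# Patterns for the secret types the campaign is reported to have targeted.
# Constructed for this example; extend or tighten them for your environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "snowflake_account_url": re.compile(r"\b([a-z0-9-]+\.snowflakecomputing\.com)\b", re.I),
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S{6,})"),
}

# Free-text fields of a Salesforce Case that are worth scanning.
CASE_TEXT_FIELDS = ("Subject", "Description")


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is actionable without re-exposing the secret."""
    return value[:keep] + "..." if len(value) > keep else "..."


def find_exposed_secrets(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per secret-looking value found in the scanned fields."""
    findings = []
    for rec in records:
        for field in CASE_TEXT_FIELDS:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({
                        "record_id": rec.get("Id", "?"),
                        "field": field,
                        "kind": kind,
                        "redacted": redact(match.group(1)),
                    })
    return findings


# Constructed sample records (not real data) in the shape of a Case query result.
SAMPLE_CASES = [
    {"Id": "500AA0000001", "Subject": "SSO login issue",
     "Description": "User cannot sign in since Monday; no config changes."},
    {"Id": "500AA0000002", "Subject": "Data pipeline failing",
     "Description": "Our key AKIAEXAMPLE123456789 stopped working against "
                    "acme-prod.snowflakecomputing.com, password=Tr0ub4dor&3"},
]

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_CASES):
        print(f"{f['record_id']} {f['field']} {f['kind']}: {f['redacted']}")
```

Each finding names the record and field so the case can be cleaned and the credential rotated; the matched value itself is never written out in full.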
Why This Matters To MEA Region Security Professionals
- The MEA region increasingly relies on third-party SaaS tools in complex workflows. This incident underscores the systemic risk posed by deeply interconnected platforms.
- The breach demonstrates how OAuth-based integrations – especially those using tokens without expiry – can become potent attack vectors.
- MEA organizations must re-evaluate their SaaS posture, focusing on OAuth token lifecycle, real-time monitoring, and integration isolation.
- This event serves as a critical reminder: supply-chain attacks via trusted services can bypass traditional perimeter defenses – making proactive third-party oversight essential.
In Summary
- Victims: Salesloft Drift breach impacted organizations including Zscaler and Palo Alto Networks.
- Attack Vector: Compromised OAuth tokens used to access Salesforce environments; data exfiltration of contact and case info, credentials, and more.
- Response: Affected firms revoked access, rotated tokens, launched investigations, and beefed up third-party security practices.
- Action Needed: Revoke tokens, audit data, apply least-privilege, monitor OAuth usage, and increase phishing awareness.
- Strategic Insight for MEA: Reinforce OAuth governance and third-party integration monitoring to mitigate future SaaS supply-chain threats.