Massive Supply-Chain Attack Hits Salesforce Customers, Exposing Sensitive Data Through OAuth Token Theft
September 1, 2025
Salesloft confirmed that only a small subset of customers was affected due to compromised app connections and advised impacted users to re-authenticate their Salesforce integrations.
Google Threat Intelligence tracked the threat actors, identified as UNC6395, who targeted Salesforce support cases to steal authentication tokens, passwords, and secrets, employing operational security measures like deleting query jobs to cover their tracks.
The same threat group searched through the exfiltrated data for secrets that could be exploited to compromise environments, emphasizing the severity of the breach.
Since June, numerous organizations including Google, Cisco, Farmers Insurance, and luxury brands like Louis Vuitton and Tiffany & Co. have reported data breaches linked to similar Salesforce social engineering attacks.
Zscaler clarified that only its Salesforce data was affected and that no other products or infrastructure were compromised; the company responded by revoking API tokens, enhancing authentication protocols, and conducting a thorough investigation.
This incident highlights the risks associated with third-party integrations and underscores the importance of credential rotation, log review, and proactive security measures to prevent further data exfiltration.
A significant supply-chain attack involving Salesloft Drift has led to a data breach affecting Zscaler and other Salesforce customers, with threat actors stealing OAuth tokens to access sensitive information.
Investigations by Google and Mandiant revealed that the breach was more extensive than initially believed, impacting all integrations with Salesloft Drift, including Google Workspace emails accessed through stolen OAuth tokens.
The breach originated when threat actors stole OAuth tokens from Salesloft's third-party platform, SalesDrift, which connects Drift's AI chat features to Salesforce CRM, resulting in data theft.
In response, Zscaler revoked Drift’s Salesforce access, rotated API tokens, and strengthened security measures, while advising customers to remain vigilant against phishing and social engineering threats.
Initial investigations indicate that the primary goal of the attackers was to steal credentials and sensitive information, with no evidence of ongoing malicious activity or impact on customers not using the Drift-Salesforce integration.
ShinyHunters claimed responsibility for the attack, which was facilitated by the theft of OAuth and refresh tokens, allowing the hackers to pivot into customer environments.
The attack is believed to overlap with previous campaigns by the ShinyHunters group, which used social engineering tactics such as vishing to trick employees into linking malicious OAuth apps, leading to widespread breaches and data extortion.
The breach also affected Drift Email and Google Workspace email accounts, prompting Google and Salesforce to temporarily disable Drift integrations during the investigation.
Between August 8 and August 18, 2025, the attackers exfiltrated large volumes of Salesforce data, including Cases, Accounts, Users, and Opportunities, primarily targeting credentials such as AWS access keys and Snowflake tokens.
The attack window lasted approximately ten days, during which the threat actors exfiltrated sensitive data and mined it for credentials such as AWS access keys, passwords, and Snowflake tokens.
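The summary notes that the stolen Salesforce data (Cases, Accounts, Users, Opportunities) was mined for credentials such as AWS access keys and Snowflake tokens, and that the recommended response is credential rotation and log review. The following is an added defender-side example, not code from any of the cited articles or from Salesforce, Salesloft or Zscaler: it scans a constructed export of CRM records for credential-shaped strings so a response team can see which records leaked what kind of secret and prioritise rotation. It assumes records arrive as flat dicts with an "Id", an "Object" name and free-text fields; the AWS access key ID shape (AKIA plus 16 uppercase alphanumerics) is the publicly documented format, while the password and generic token patterns are assumptions chosen for this example rather than vendor formats, and the sample records are fabricated.

```python
import re
from dataclasses import dataclass

# Secret shapes to look for. The AWS access key ID format is public and
# documented; the other two are generic key/value shapes assumed for this
# example (Snowflake and other tokens have no single fixed prefix here).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "generic_token": re.compile(
        r"(?i)\b(?:token|api[_-]?key|secret)\s*[:=]\s*([A-Za-z0-9_\-./+]{16,})"
    ),
}

# Free-text fields most likely to carry pasted credentials in a CRM export.
TEXT_FIELDS = ("Subject", "Description", "Comments")

# Constructed sample records (fabricated values, loosely modelled on
# Salesforce Case and Opportunity rows).
SAMPLE_RECORDS = [
    {"Id": "500000000000001", "Object": "Case", "Subject": "Login issue",
     "Description": "Customer cannot log in since Monday."},
    {"Id": "500000000000002", "Object": "Case", "Subject": "S3 upload failing",
     "Description": "Here is the key we use: AKIAEXAMPLEKEY000001 "
                    "secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000003", "Object": "Case", "Subject": "Portal access",
     "Description": "Temporary password: Winter2025! for the portal"},
    {"Id": "500000000000004", "Object": "Case", "Subject": "Warehouse sync",
     "Comments": "Snowflake access token=sf_constructed_token_value_0001 expires Friday"},
    {"Id": "006000000000001", "Object": "Opportunity", "Subject": "Renewal",
     "Description": "Renewal discussion, no credentials here."},
]


@dataclass(frozen=True)
class Finding:
    record_id: str
    sobject: str
    field: str
    kind: str
    redacted: str  # enough to recognise the credential without reprinting it


def redact(value: str) -> str:
    """Keep the first and last four characters so the owner can identify the
    credential from the report without the report itself becoming a leak."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_records(records) -> list:
    """Return one Finding per credential-shaped match across all text fields."""
    findings = []
    for rec in records:
        for field in TEXT_FIELDS:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    # Patterns with a capture group report only the value part.
                    value = m.group(1) if m.groups() else m.group(0)
                    findings.append(
                        Finding(rec["Id"], rec["Object"], field, kind, redact(value))
                    )
    return findings


def rotation_report(findings) -> dict:
    """Group affected record IDs by secret kind: the rotation worklist."""
    report = {}
    for f in findings:
        report.setdefault(f.kind, set()).add(f.record_id)
    return {kind: sorted(ids) for kind, ids in report.items()}


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.sobject} {f.record_id} [{f.field}] {f.kind}: {f.redacted}")
    print(rotation_report(found))
```

In practice the scanner would be pointed at a full export of the objects the summary names, and the rotation worklist extended with any key or token formats in use in the environment; the redaction step matters because the scan output itself tends to be shared widely during an incident.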
Summary based on 3 sources
Sources

TechRadar, Aug 27, 2025: Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks
BleepingComputer, Sep 1, 2025: Zscaler data breach exposes customer info after Salesloft Drift compromise
Security Affairs, Sep 1, 2025: Supply-chain attack hits Zscaler via Salesloft Drift, leaking customer info