The data of an unknown number of customers at Zscaler has been leaked due to a cyberattack on Salesforce. The American cloud security company is now warning affected customers of phishing attacks and social engineering attempts.
“The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler’s products, services, or underlying systems and infrastructure,” Zscaler stated in a press release regarding the incident.
The security company was the victim of a campaign targeting Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information. According to Zscaler, the cyberattack impacted a large number of Salesforce customers.
The attackers managed to gain access to Salesloft Drift OAuth tokens, which enabled them to exfiltrate business contact details and specific Salesforce-related content. This includes full names, job titles, business email addresses, phone numbers, location details, Zscaler product licensing and commercial information, as well as plain text content from support cases.
An extensive investigation reveals no evidence of the information’s misuse. However, affected customers should be wary of potential phishing attacks or social engineering attempts, which could expose additional contact details or personal information.
Therefore, Zscaler is informing customers that the company will never request authentication or authorization details via phone calls or SMS.
To mitigate the risks of the data breach, Zscaler has revoked Salesloft Drift’s access to Zscaler’s Salesforce data. Additional safeguards to defend against similar incidents in the future have been implemented as well. Lastly, Zscaler’s Customer Support team has strengthened the customer authentication protocol when responding to customer calls to protect against potential phishing attacks.
The first reports of the cyberattack on Salesloft Drift emerged on August 20th. However, according to Google’s Threat Intelligence Group, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift but impacts other integrations as well.
Google’s security researchers suggest that the data theft campaign, which dates back to August 8th, 2025, was carried out by UNC6395, an assessed Chinese threat actor.
Your email address will not be published. Required fields are markedmarked