How did attackers gain access to Zscaler's systems?

Attackers systematically compromised OAuth tokens associated with Salesloft Drift, an AI-powered chat agent that was integrated with Zscaler's Salesforce databases. This OAuth token compromise allowed the threat actors to gain unauthorized access to customer Salesforce environments and exfiltrate sensitive data.

What types of data were exposed in the Zscaler breach?

The exposed data includes names of customer contacts and business associates, business email addresses, job titles and professional roles, phone numbers, regional and location details, Zscaler product licensing information, commercial and contractual information, and content from certain customer support cases (excluding file attachments).

How many people were affected by the Zscaler data breach?

The number of affected individuals has not been disclosed by Zscaler. The company described the exposed information as 'commonly available business contact details' and specific Salesforce-related content, but has not provided specific numbers of impacted customers or contacts.

What immediate actions did Zscaler take after discovering the breach?

Zscaler revoked all Salesloft Drift integrations to its Salesforce instance and rotated other API access tokens as a precautionary measure. The company also worked with Salesloft and Salesforce, who collaborated on August 20, 2025, to revoke all active access and refresh tokens associated with the Drift application.

Were sensitive documents and file attachments compromised in the Zscaler breach?

No, according to Zscaler, file attachments and other sensitive documents within support cases remained unaffected by the breach. The unauthorized access was limited to viewing and extracting customer contact information and support case text contents, but did not extend to attached files or documents.

Was this Zscaler breach part of a larger campaign?

Yes, Zscaler was one of many companies affected by a widespread campaign targeting Salesloft Drift customers. The company became aware of the incident when its security team was alerted to the broader attacks affecting multiple organizations that used Salesloft Drift integrated with their Salesforce environments, indicating this was a coordinated supply chain attack.

Incident

Zscaler confirms data breach caused by Salesloft Drift supply chain attack

Q: What happened to Zscaler in the Salesloft Drift data breach?

Cybersecurity company Zscaler experienced a data breach affecting its Salesforce instance after hackers compromised Salesloft Drift, an AI-powered chat agent integrated with Salesforce databases. Between August 8-18, 2025, attackers systematically compromised OAuth tokens associated with Salesloft Drift, enabling unauthorized access to customer Salesforce environments.

Q: When did the Zscaler breach occur and when was it discovered?

The attack occurred between August 8-18, 2025, lasting approximately 10 days. Zscaler became aware of the targeted campaign on August 28, 2025, when its security team was alerted to the widespread attacks affecting Salesloft Drift customers - about 10 days after the attack ended.

Q: What parts of Zscaler's infrastructure were affected by the breach?

Zscaler claims that the incident was confined to its Salesforce environment and did not affect any of its core security products, services, or underlying infrastructure. The breach was limited to data stored within the company's Salesforce instance used for customer relationship management.

published: Sept. 1, 2025

Learn More

Cybersecurity company Zscaler is reporting a data breach affecting its Salesforce instance after hackers compromised Salesloft Drift, an AI-powered chat agent integrated with Salesforce databases.

Between August 8-18, 2025, attackers systematically compromised OAuth tokens associated with Salesloft Drift, enabling them to gain unauthorized access to customer Salesforce environments and exfiltrate sensitive data.

Zscaler became aware of the targeted campaign on August 28, 2025, when its security team was alerted to the widespread attacks affecting Salesloft Drift customers. The company claims that the incident was confined to its Salesforce environment and did not affect any of its core security products, services, or underlying infrastructure.

The unauthorized access allowed threat actors to view and extract customer contact information and support case contents stored within Zscaler's Salesforce instance. Exposed data includes:

Names of customer contacts and business associates
Business email addresses
Job titles and professional roles
Phone numbers
Regional and location details
Zscaler product licensing information
Commercial and contractual information
Content from certain customer support cases (excluding file attachments)

The number of affected individuals is not disclosed.

The exposed information was described as "commonly available business contact details" and specific Salesforce-related content. Zscaler claims that file attachments and other sensitive documents within support cases remained unaffected by the breach.

Zscaler revoked all Salesloft Drift integrations to its Salesforce instance and rotated other API access tokens as a precautionary measure.

On August 20, 2025, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens associated with the Drift application.

Zscaler has strengthened its customer authentication protocols when responding to support calls to guard against social engineering attacks that could exploit the exposed contact information. The company has also initiated a comprehensive third-party risk management review of all vendors used by Zscaler and implemented additional safeguards to defend against similar supply chain attacks in the future.

Zscaler confirms data breach caused by Salesloft Drift supply chain attack

Read More
UK Ministry of Defence reports data breach exposing …
KillSec ransomware gang claims attack on Clubfit Software …
Roblox reports thrid party data breach of video …
Bank of America reports third party data breach
Australian Star Entertainment casinos reports third party breach …