Supply-Chain Attack via Salesloft Drift Compromises Zscaler and Palo Alto Networks

Two prominent cybersecurity providers — Zscaler and Palo Alto Networks — have confirmed limited data exposure following a widespread supply-chain attack targeting Salesloft Drift, a third-party SaaS marketing integration platform.

What Happened

  • Between August 8–18, 2025, threat actors tracked as UNC6395 breached Salesloft Drift and stole the OAuth access and refresh tokens it held for customers' Salesforce integrations.

  • This enabled exfiltration of Salesforce customer data, including that of Zscaler and Palo Alto Networks.

  • Exposed data included business contacts, job titles, email addresses, phone numbers, product and licensing details, and limited support case records.

  • Importantly, no products, services, or infrastructures of the affected companies were compromised.

Company Responses & Impact

  • Zscaler: Confirmed unauthorized access to Salesforce contact and case data, stressing there is no evidence of misuse and that its platforms remain unaffected.

  • Palo Alto Networks: Reported exposure limited to its Salesforce CRM environment, involving mostly business contact and account information. Their Unit 42 team concluded no products or systems were impacted.

  • Salesloft & Salesforce: Revoked tokens and suspended integrations; Salesforce disabled all Salesloft integrations until further notice.

  • Google/Mandiant: Advised all Salesloft Drift customers to treat authentication tokens as compromised.

Broader Risks

Investigations indicate attackers used anti-forensic techniques to conceal their queries in Salesforce logs. Security researchers warn the scope could extend beyond Salesforce, potentially affecting Google Workspace and other cloud environments. Analysts estimate 700+ organizations may have been impacted.

Recommendations for Organizations

  • Audit & Rotate Credentials: Revoke and rotate OAuth tokens, API keys, and exposed secrets.

  • Review Logs: Check Salesforce, identity provider, and network flow logs for suspicious activity.

  • Prepare for Social Engineering: Be alert to phishing campaigns leveraging exposed business contact data.

  • Adopt Zero Trust: Treat all integrations as potential attack vectors and implement continuous monitoring.
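The "Audit & Rotate Credentials" and "Review Logs" steps above are easier to act on with a small triage script. The one below is an added example, not code from the original post or from Salesloft or Salesforce. It reads a constructed, simplified CSV that is only loosely modelled on an API event log export (the column names, the integration user, the IP addresses and the revocation time are all assumptions, not the real Salesforce schema or real data), flags integration-app activity inside the disclosed August 8–18 window, bulk-sized responses from integration apps, and any integration activity after tokens were supposedly revoked, and lists the non-interactive principals whose tokens should be rotated.

```python
"""
Triage helper for the Salesloft Drift / Salesforce token-theft scenario.

Added example; not code from the original post, from Salesloft, or from
Salesforce. The log format is a constructed, simplified CSV only loosely
modelled on an API event log export: the column names are assumptions,
not the real Salesforce schema.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Activity window disclosed in the post (treating it as UTC is an assumption).
BREACH_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
BREACH_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Row count above which a single API response is treated as a bulk export.
# Tuning value chosen for this example; calibrate to your own org's baseline.
BULK_ROWS = 10_000

# Constructed sample log lines (not real data; users, apps and IPs are made up).
SAMPLE_LOG = """timestamp,user,connected_app,client_ip,query,rows
2025-08-09T02:14:07Z,drift-integration@example.com,Salesloft Drift,198.51.100.23,"SELECT Id FROM Account LIMIT 10",10
2025-08-10T03:41:55Z,drift-integration@example.com,Salesloft Drift,198.51.100.23,"SELECT Name, Email, Phone FROM Contact",48213
2025-08-11T04:02:10Z,drift-integration@example.com,Salesloft Drift,198.51.100.23,"SELECT Subject, Description FROM Case",2310
2025-08-12T09:00:00Z,alice@example.com,Salesforce Web,203.0.113.5,"SELECT Id FROM Opportunity WHERE OwnerId = 'me'",42
2025-08-25T01:17:33Z,drift-integration@example.com,Salesloft Drift,198.51.100.77,"SELECT Name, Email FROM Contact",500
2025-08-26T10:30:00Z,bob@example.com,Salesforce Web,203.0.113.9,"SELECT Id FROM Lead",15
"""


def parse_log(text):
    """Parse the CSV export into dicts with a typed timestamp and row count."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        rec["rows"] = int(rec["rows"])
        records.append(rec)
    return records


def find_suspicious(records, integration_apps=("Salesloft Drift",), revoked_at=None):
    """Flag integration activity that needs review; one finding per check that fires.

    - any integration-app call inside the disclosed breach window (legitimate
      sync traffic matches too; the point is that all of it gets reviewed),
    - bulk-sized responses from an integration app at any time,
    - integration-app calls after the token revocation time, which should be
      impossible once tokens are revoked and point at a credential that was missed.
    """
    findings = []
    for r in records:
        if r["connected_app"] not in integration_apps:
            continue
        base = {"timestamp": r["timestamp"], "user": r["user"],
                "app": r["connected_app"], "rows": r["rows"]}
        if BREACH_START <= r["timestamp"] <= BREACH_END:
            findings.append({**base, "reason": "integration-activity-in-breach-window"})
        if r["rows"] >= BULK_ROWS:
            findings.append({**base, "reason": "bulk-export-by-integration"})
        if revoked_at is not None and r["timestamp"] > revoked_at:
            findings.append({**base, "reason": "activity-after-token-revocation"})
    return findings


def rows_by_app(records):
    """Total rows returned per connected app: a quick exposure estimate."""
    totals = defaultdict(int)
    for r in records:
        totals[r["connected_app"]] += r["rows"]
    return dict(totals)


def principals_to_rotate(records, interactive_apps=("Salesforce Web",)):
    """(user, app) pairs seen via non-interactive apps: the tokens to revoke and
    rotate when every integration token is treated as compromised."""
    return sorted({(r["user"], r["connected_app"]) for r in records
                   if r["connected_app"] not in interactive_apps})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    revoked = datetime(2025, 8, 20, tzinfo=timezone.utc)  # assumed revocation time
    for f in find_suspicious(recs, revoked_at=revoked):
        print(f"{f['timestamp'].isoformat()}  {f['reason']:<40} {f['user']}  rows={f['rows']}")
    print("rows per app:", rows_by_app(recs))
    print("rotate:", principals_to_rotate(recs))
```

On the sample data the Drift integration user accounts for 51,033 returned rows, the 48,213-row Contact pull is flagged as a bulk export, and the August 25 call shows up as activity after revocation. Because the post notes that the attackers worked to conceal their queries in Salesforce logs, an empty result from the CRM logs alone is not evidence of absence: correlate with identity-provider and network flow logs as the "Review Logs" step advises.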


DIAMATIX Insight: Every integration is a potential breach point. Our SOCaaS and MDRaaS with Shield XDR provide 24×7 monitoring, advanced detection, and containment to protect against supply-chain threats.
