Hackers leveraged vulnerabilities in the Salesloft Drift application to acquire OAuth tokens, resulting in unauthorized access to Salesforce data and exposing sensitive customer information at several major technology companies.
A significant cyber intrusion has involved a group known as UNC6395, which has reportedly compromised sensitive customer data across various organizations, including prominent players in cybersecurity and technology, such as Palo Alto Networks, Zscaler, and PagerDuty.
This incident did not directly target the core systems of these firms. Instead, it exploited a weakness in the widely used Salesloft Drift integration, a sales and marketing software-as-a-service product that businesses use to automate their sales processes.
The Supply Chain Breach
The attack represented a classic “supply chain” breach, wherein the attacker obtained OAuth tokens—digital keys enabling the Drift application to connect to additional services. This allowed unauthorized access to the Salesforce accounts of numerous companies, jeopardizing a trove of customer data.
PagerDuty reported the incident with a timeline indicating that the company became aware of the situation on August 20, 2025, and learned on August 23 that the attackers could have accessed its Salesforce information. The exposed data consisted of business contact information such as names, email addresses, job titles, and phone numbers.
Zscaler’s Response
Zscaler, in an official statement, clarified that the breach remained confined to Salesforce and did not affect its primary products or services. It implemented several proactive measures, including launching an investigation into third-party risks and strengthening customer authentication during support interactions. Although Zscaler stated that no evidence of misuse had been found, it advised customers to remain vigilant against phishing attempts that could draw on the stolen contact details.
PagerDuty’s Response
In parallel, PagerDuty echoed Zscaler’s assurance, stating in their update that no indication suggested unauthorized access to its internal systems beyond Salesforce. The company emphasized its policy against contacting individuals by phone for sensitive information such as passwords, thus reinforcing customer confidence.
Palo Alto Networks’ Response
Palo Alto Networks confirmed that one of its Salesforce instances had been breached through the compromised Salesloft integration. They quickly deactivated the integration and collaborated with both Salesforce and Salesloft to conduct a thorough investigation, revoking the affected OAuth tokens. The firm specified that the breach was limited to general business contact details, sales account data, and case metadata, with no adverse effects on their security offerings or customer networks. Furthermore, they proactively informed customers whose data was potentially affected and are currently assessing internal measures to preclude future vulnerabilities.
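The response described above (deactivate the integration, revoke its OAuth tokens, scope what was read) starts with triage of what the connected app actually did. The following is an added example, not code from any of the companies named here: it runs over a few constructed, simplified Salesforce-style API event records (the field names are assumed, not the real EventLogFile schema) and flags a connected app's sessions that came from an IP outside its documented egress range or pulled an unusually large number of rows from the objects named in this incident.

```python
from collections import defaultdict

# Constructed sample records in a simplified API-event shape.
# Field names are assumed for illustration; IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2025-08-18T09:00:00", "app": "Drift", "user": "drift-int@example.test",
     "object": "Contact", "rows": 40, "ip": "198.51.100.10"},
    {"ts": "2025-08-18T09:05:00", "app": "Drift", "user": "drift-int@example.test",
     "object": "Lead", "rows": 25, "ip": "198.51.100.10"},
    # Bulk reads from an address not in the vendor's known egress set.
    {"ts": "2025-08-19T02:10:00", "app": "Drift", "user": "drift-int@example.test",
     "object": "Contact", "rows": 50000, "ip": "203.0.113.77"},
    {"ts": "2025-08-19T02:12:00", "app": "Drift", "user": "drift-int@example.test",
     "object": "Account", "rows": 12000, "ip": "203.0.113.77"},
    {"ts": "2025-08-19T02:15:00", "app": "Drift", "user": "drift-int@example.test",
     "object": "Case", "rows": 8000, "ip": "203.0.113.77"},
    # Unrelated app; must not be attributed to Drift.
    {"ts": "2025-08-19T10:00:00", "app": "Slack", "user": "ops@example.test",
     "object": "Case", "rows": 3, "ip": "198.51.100.20"},
]


def triage_connected_app(events, app, known_ips, bulk_rows=1000):
    """Return (flagged_events, rows_by_object, unknown_ips) for one connected app.

    An event is flagged when its source IP is outside the app's documented
    egress allowlist or when a single call returned at least `bulk_rows` rows.
    rows_by_object totals everything the app read, flagged or not, which is
    the figure needed to scope a disclosure.
    """
    flagged, rows_by_object, unknown_ips = [], defaultdict(int), set()
    for e in events:
        if e["app"] != app:
            continue
        rows_by_object[e["object"]] += e["rows"]
        reasons = []
        if e["ip"] not in known_ips:
            reasons.append("ip-not-in-allowlist")
            unknown_ips.add(e["ip"])
        if e["rows"] >= bulk_rows:
            reasons.append("bulk-read")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged, dict(rows_by_object), unknown_ips


if __name__ == "__main__":
    flagged, totals, ips = triage_connected_app(SAMPLE_EVENTS, "Drift", {"198.51.100.10"})
    for f in flagged:
        print(f["ts"], f["object"], f["rows"], f["ip"], ",".join(f["reasons"]))
    print("rows read by object:", totals, "| unknown IPs:", sorted(ips))
```

The flagged sessions are the ones whose tokens need revoking first; the per-object totals tell you which records to treat as exposed.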
This incident is part of an extensive series of breaches targeting Salesforce ecosystems. Notably, TransUnion recently reported that a cyberattack on a third-party application, possibly linked to Salesforce, compromised the personal information of approximately 4.4 million U.S. consumers, including sensitive identifiers such as Social Security numbers.
The pattern exhibited in these breaches underscores the risk that third-party applications carry: an integration's OAuth tokens grant the same data access whether the caller is the vendor or an attacker holding those tokens. Cybersecurity experts, including teams from Google's Threat Intelligence Group, continue to analyze the broader implications of this organized data theft.