"Data breach" always seems scary, doesn't it? Recently Zscaler, a large cyber security vendor was breached and customer data was accessed. The best part is that it wasn't even Zscaler's fault - they were breached because of one of their products that they used and were integrated with-- Salesloft Drift. Drift was breached and because Drift was connected to Salesforce, that's how the breach happened. Let's take you through it.
The Incident
So it turns out Zscaler was using something called Salesloft Drift, a chat tool that syncs the leads and conversations it collects into Salesforce. The attackers compromised Salesloft Drift and stole the OAuth tokens it held. An OAuth token is a credential that lets one application act on another's behalf with whatever permissions (scopes) were granted when the integration was set up, so the token Drift held was effectively a standing key to the Salesforce data it was connected to. Because Zscaler had connected Drift to its Salesforce instance, the attackers could use that stolen token to read some Zscaler customer data without ever touching Zscaler's own systems.
Summary of Information Leaked
The leaked information was not credentials or payment data, but it was still sensitive:
- Customer name and title
- Work email and phone number
- Locations
- Zscaler product license information
- Parts of customer support information (not files/documents associated with case)
This is exactly the kind of information an attacker needs to craft convincing, targeted phishing emails: a real name and title, a direct phone number, and knowledge of which Zscaler products the target licenses and what support cases are open.
The Larger Issue: Supply Chain Compromise
The larger issue is that Zscaler was not the only enterprise impacted. The attackers used the same Drift integration to reach other enterprises as well, and the same approach was used against organizations using Google Workspace, AWS, and Snowflake.
Google notified affected users that the attackers were active between August 8 and 18, 2025, and told any organization using Drift integrations to assume their tokens were compromised. This highlights how much risk third-party tools can introduce: a single integration with broad access can expose you to far larger risks than the tool itself would suggest.
Actions of Zscaler
Upon being made aware, Zscaler acted quickly: it removed all Drift integrations from its platform, rotated or revoked a significant number of additional tokens, tightened customer support by verifying customer identities more rigorously, and opened a broad investigation to establish the depth of the exposure, the risks, and the likely ramifications.
It was nice to see Zscaler take strong action to limit the risk.
So why should you worry?
Who knows how many apps and tools you have connected to your accounts? Each one is a potential entry point for a bad actor, and one weak link can be the one that collapses the chain. This breach should push companies to:
• Evaluate what access permissions apps actually require,
• Conduct regular reviews of integrations,
• Be prepared to immediately turn them off if things go sideways.
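The three points above, together with the OAuth token explanation in "The Incident", can be turned into a concrete audit. The script below is an added example, not code from the original post or from Zscaler or Salesloft. It runs over a constructed inventory of OAuth grants, shaped loosely like an export of connected-app tokens from a SaaS platform (real exports will have different field names), and flags grants whose scopes exceed what the integration was approved for, grants that have gone unused, and grants held by a vendor known to be compromised, with a separate "investigate" flag for tokens that were used inside the August 8 to 18, 2025 window Google called out. The app names, vendors, scope names, the fixed audit time and the 90-day staleness threshold are all assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Scopes that let an integration read or write far more than a chat widget
# needs. This set is an assumption for the example, not any vendor's policy.
BROAD_SCOPES = frozenset({"full", "api", "refresh_token", "web"})

# Window in which Google said the Drift attackers were active and told
# customers to assume their tokens were compromised.
INCIDENT_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
INCIDENT_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Fixed "now" so the example is reproducible (assumption).
AUDIT_TIME = datetime(2025, 9, 5, tzinfo=timezone.utc)


@dataclass(frozen=True)
class OAuthGrant:
    """One delegated-access token held by a third-party app (constructed shape)."""
    app: str
    vendor: str
    scopes: frozenset           # scopes the token actually carries
    required_scopes: frozenset  # scopes the integration was approved for
    last_used: datetime


@dataclass
class Finding:
    app: str
    reasons: list = field(default_factory=list)
    investigate: bool = False  # used while the vendor was compromised

    @property
    def revoke(self) -> bool:
        return bool(self.reasons)


def audit_grants(grants, compromised_vendors, stale_after_days=90, now=AUDIT_TIME):
    """Return one Finding per grant; Finding.reasons is empty for clean grants."""
    findings = []
    for g in grants:
        f = Finding(app=g.app)

        # 1. Least privilege: broad scopes granted beyond what was approved.
        excess = (g.scopes - g.required_scopes) & BROAD_SCOPES
        if excess:
            f.reasons.append(f"broad scopes beyond approved set: {sorted(excess)}")

        # 2. Regular review: integrations nobody has used in a while.
        idle_days = (now - g.last_used).days
        if idle_days > stale_after_days:
            f.reasons.append(f"unused for {idle_days} days")

        # 3. Kill switch: a compromised vendor means the token is assumed stolen,
        #    and any use inside the incident window needs a log review.
        if g.vendor in compromised_vendors:
            f.reasons.append(f"vendor {g.vendor} compromised: assume token stolen")
            if INCIDENT_START <= g.last_used <= INCIDENT_END:
                f.investigate = True

        findings.append(f)
    return findings


def revocation_list(findings):
    """Apps whose tokens should be revoked now, in a stable order."""
    return sorted(f.app for f in findings if f.revoke)


# Constructed inventory: three integrations with different risk profiles.
SAMPLE_GRANTS = [
    OAuthGrant("Drift Chat", "Salesloft",
               frozenset({"api", "refresh_token", "full"}),
               frozenset({"chatter_api"}),
               datetime(2025, 8, 12, tzinfo=timezone.utc)),
    OAuthGrant("Slack Alerts", "Slack",
               frozenset({"api"}), frozenset({"api"}),
               datetime(2025, 9, 1, tzinfo=timezone.utc)),
    OAuthGrant("Old Survey Tool", "Acme Surveys",
               frozenset({"api"}), frozenset({"api"}),
               datetime(2025, 3, 1, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    results = audit_grants(SAMPLE_GRANTS, compromised_vendors={"Salesloft"})
    for f in results:
        status = "REVOKE" if f.revoke else "ok"
        flag = " (investigate: used during incident window)" if f.investigate else ""
        print(f"{f.app:16} {status}{flag}")
        for r in f.reasons:
            print(f"    - {r}")
    print("Revoke now:", revocation_list(results))
```

In practice the inventory would come from the platform's own token or connected-app listing, a "REVOKE" result would be followed by an actual revocation call against that platform, and the "investigate" flag would hand the token to the incident response team to pull access logs for the window. The point of the structure is that the three checks are independent: the stale, over-scoped "Old Survey Tool" gets revoked even though its vendor is fine, and a vendor compromise forces revocation even of a token that looks healthy on every other axis.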