Diagram illustrating Zscaler Salesforce OAuth token breach by UNC6395 threat group in 2025

On August 31, 2025, Zscaler revealed that attackers compromised its Salesforce environment by hijacking OAuth tokens linked to Salesloft Drift, a marketing automation tool. While core security systems remained secure, sensitive Salesforce data—including names, emails, job titles, and some customer support content—was exposed.


The breach, attributed to threat group UNC6395, involved automated Python tools and affected over 700 companies, mainly in tech. Google also confirmed compromised OAuth tokens gave attackers limited access to Google Workspace accounts, raising concerns about cascading supply-chain risks.


Zscaler and Salesforce revoked affected tokens and removed the Drift app to contain the incident. The breach highlights the risks of SaaS-to-SaaS integrations and the stealthy nature of OAuth token misuse. Organizations are urged to review third-party access, tighten permissions, and enhance monitoring to prevent similar attacks.
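The monitoring the article calls for comes down to noticing when a third-party OAuth integration starts behaving like a bulk exporter. Below is an added example (not from the article, Zscaler or Salesforce) that runs a simple detection over constructed, simplified SaaS API audit events: app names, object names and row counts are invented, and the record layout is not Salesforce's real event log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (simplified; not Salesforce's real EventLogFile
# schema). Each row: timestamp, OAuth connected app, object queried, rows returned.
EVENTS = [
    ("2025-08-08T09:00:00", "drift-marketing", "Lead", 120),
    ("2025-08-08T10:00:00", "drift-marketing", "Contact", 90),
    ("2025-08-09T02:00:00", "drift-marketing", "Case", 48000),
    ("2025-08-09T02:05:00", "drift-marketing", "Account", 31000),
    ("2025-08-09T02:09:00", "drift-marketing", "User", 2000),
    ("2025-08-09T02:12:00", "drift-marketing", "Opportunity", 27000),
    ("2025-08-08T11:00:00", "billing-sync", "Account", 500),
    ("2025-08-09T11:00:00", "billing-sync", "Account", 520),
]


def flag_suspicious_apps(events, window=timedelta(minutes=15),
                         max_rows=10000, max_objects=3):
    """Return {app: reason} for connected apps that, inside any sliding `window`,
    either pulled more than `max_rows` rows or touched more than `max_objects`
    distinct objects. A marketing integration needs narrow, steady reads; a
    stolen token is used for fast, wide exports across many objects."""
    by_app = defaultdict(list)
    for ts, app, obj, rows in events:
        by_app[app].append((datetime.fromisoformat(ts), obj, rows))
    findings = {}
    for app, evs in by_app.items():
        evs.sort()  # order by timestamp so the window scan is monotonic
        for i, (t0, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            rows = sum(e[2] for e in in_win)
            objs = {e[1] for e in in_win}
            if rows > max_rows or len(objs) > max_objects:
                findings[app] = f"{rows} rows across {len(objs)} objects within {window}"
                break  # one finding per app is enough to trigger review/revocation
    return findings


if __name__ == "__main__":
    for app, reason in flag_suspicious_apps(EVENTS).items():
        print(f"REVIEW TOKEN FOR {app}: {reason}")
```

Thresholds are per-tenant tuning knobs; the baseline for a given integration should come from its own normal traffic, not from the sample values here.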

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.