
Hackers have exploited a vulnerability in the Salesloft Drift application to steal OAuth tokens and access Salesforce data, leading to the exposure of sensitive customer information across several major companies.

Victims include cybersecurity and technology leaders such as Palo Alto Networks, Zscaler, and PagerDuty. The attack, while not aimed directly at the companies’ core systems, highlights the growing risks tied to third-party software dependencies.

The breach, attributed to a group tracked as UNC6395, is being described as a classic “supply chain” attack. Salesloft Drift, a widely used sales and marketing automation platform, was compromised, allowing attackers to steal OAuth tokens that connect the app to Salesforce services. With these stolen credentials, the hackers gained unauthorized access to Salesforce environments at hundreds of organizations, exposing valuable business contact details. PagerDuty reported first being alerted to the incident on August 20, 2025, and later confirmed that Salesforce data had been accessed, including names, email addresses, phone numbers, and job titles.

Zscaler quickly responded by confirming that the compromise was isolated to Salesforce and did not impact its infrastructure or products. The company launched a third-party risk management review, strengthened customer authentication protocols for support services, and advised clients to remain vigilant against potential phishing attempts. Similarly, PagerDuty reassured customers that no other systems were affected and reminded users it would never request passwords or secure details by phone, aiming to reduce the risk of follow-on scams.

Palo Alto Networks also confirmed unauthorized access to one of its Salesforce instances through the Salesloft Drift integration. In response, it revoked the compromised OAuth tokens, disabled the affected integration, and collaborated with both Salesforce and Salesloft in its investigation. According to the company, the breach was limited to business contact details, account records, and case metadata, with no exposure of its security products or customer network data. Impacted customers were notified, and Palo Alto Networks pledged to strengthen internal safeguards to prevent similar incidents.

This attack is part of a broader trend of Salesforce-related breaches. TransUnion recently disclosed a separate third-party compromise that exposed the personal data of 4.4 million U.S. consumers, including Social Security numbers. Security experts warn that as organizations increasingly rely on third-party SaaS platforms, attackers will continue exploiting these integration points. The incident underscores the need for stronger supply chain security, proactive monitoring, and enhanced identity safeguards to reduce the risks of large-scale data theft.
