We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of cybersecurity researchers, writers, and editors continues to help readers maintain their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and detailed examination by the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of cybersecurity researchers, writers, and editors continues to help readers maintain their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and detailed examination by the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Zscaler Warns of Salesloft Drift Breach Impacting Salesforce Users

Zscaler Warns of Salesloft Drift Breach Impacting Salesforce Users
Author Image Hendrik Human
Hendrik Human Published on September 04, 2025 Cybersecurity Researcher

Zscaler, a cybersecurity firm with one of the largest security cloud infrastructures in the world, disclosed a Salesloft Drift supply chain incident impacting many of its Salesforce customers. Hackers reportedly stole Salesloft Drift OAuth and refresh tokens, potentially enabling unauthorized access to Salesforce environments.

In its announcement, Zscaler stressed that none of its other products were compromised in the process. However, they warned that, while it’s unlikely that threat actors can use the stolen information to directly compromise Zscaler customers’ instances, it can be used in further social engineering or phishing scams.

The data stolen is comprised of the following:

  • Names
  • Business email addresses
  • Job titles
  • Phone numbers
  • Regional/location details
  • Zscaler product licensing and commercial information
  • Plain text content from certain support cases

This information could be used to effectively impersonate Zscaler support staff and trick customers into providing further sensitive information or environment access. However, they stated that an extensive investigation “found no evidence to suggest misuse of this information” had already taken place.

Zscaler has also taken numerous precautions to limit the potential impact of the hack and give customers time to respond, including revoking Salesloft Drift access to Zscaler’s Salesforce data and rotating all other API access tokens.

They’ve also committed to implementing additional safeguards, launching a third-party risk management investigation, and stricter authentication protocols when responding to customer support queries.

While no link is confirmed as of yet, the incident is eerily reminiscent of a global wave of Salesforce OAuth token thefts. Tracked as UNC6395 by Google Threat Intelligence, the first incidents were traced back to Aug. 8, 2025, and have claimed many high-profile victims, such as Qantas, Adidas, and even Google itself.

Google is warning all Salesloft Drift customers to “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”

The threat group behind the spate of attacks has not been definitively identified. However, some suspect ShinyHunters, a notorious hacking group also behind one of the largest data breaches of all time, impacting Ticketmaster.

About the Author

Hendrik is a writer at vpnMentor, specializing in VPN comparisons and user guides. With 5+ years of experience as a tech and cybersecurity writer, plus a background in corporate IT, he brings a variety of perspectives to test VPN services and analyze how they address the needs of different users.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

This field must contain more than 50 characters

The field content should not exceed 1000 letters

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Special characters are not allowed in the Name field

Please enter a valid email address