Salesforce Customers, Zscaler Hit by Shinyhunters' Cyberattack via Drift Email Integration
Multiple Salesforce customers, including Zscaler, have been affected by a recent cyber incident. The breach, orchestrated by the hacker group Shinyhunters, compromised sensitive information via the Drift Email integration with Google Workspace.
The attack began when hackers gained access to Salesloft's GitHub account between March and June 2025. They then exploited this access to steal OAuth tokens from Drift's AWS environment. These tokens were used to infiltrate Google Workspace emails via the Drift Email integration, affecting all integrations, not just Salesforce.
Zscaler, one of the impacted customers, has taken swift action. They have revoked Drift's Salesforce access, rotated API tokens, and implemented additional safeguards to prevent future incidents. The exposed information includes business contact details, product licensing, and certain support case content. However, Zscaler's products, services, and core infrastructure remained unaffected.
Google has urged Salesloft Drift users to review their integrations, rotate credentials, and check for breaches. Salesloft has also warned customers that hackers exploited OAuth credentials in the Drift app to steal Salesforce data, affecting a small number of customers.
The cyberattack, conducted by Shinyhunters, has highlighted the importance of robust security measures and regular credential rotation. Zscaler's prompt response demonstrates their commitment to protecting customer data, while Google's guidance serves as a reminder for all users to stay vigilant and proactive in their cybersecurity practices.
