Particle.news

Zscaler and Palo Alto Networks Confirm Salesforce Data Exposure in Salesloft Drift Token Theft

Google warns the campaign also touched limited Workspace email through Drift Email tokens.

Overview

  • Both companies say attackers used stolen OAuth and refresh tokens tied to the Salesloft Drift app to access their Salesforce environments and extract contact and support‑case data.
  • Zscaler reports exposure of business contact details, licensing information, and plaintext content from certain support cases, with no impact to its products or infrastructure.
  • Palo Alto Networks says the theft involved contact and account information plus basic case text, not technical files or attachments, and confirms no effect on its products, systems, or services.
  • Google’s Threat Intelligence Group attributes the campaign to UNC6395 between August 8 and 18, notes mass exports from Account, Contact, Case, and Opportunity objects, and urges treating all Drift‑connected tokens as compromised.
  • Investigators cite automated tooling, Tor exit nodes, and a malicious AWS account in related indicators, while vendors have revoked tokens, disabled Drift integrations, and continue forensic reviews with attribution still unproven.