Qualys, Tenable Hit in Salesloft Data Breach

Summary
– Tenable and Qualys were affected by a supply chain attack involving stolen OAuth tokens from the Salesloft Drift application integrated with Salesforce.
– The attackers accessed limited customer information, including support case details and business contact data, but no misuse has been detected.
– Both companies disabled the compromised application, revoked integrations, and took steps to secure their systems and prevent future exploitation.
– The ‘SalesDrift’ hack, first identified by Google, has impacted numerous companies including Cloudflare, Palo Alto Networks, and Zscaler.
– Salesloft revealed the initial breach occurred in March, with attackers stealing tokens in June and launching attacks in late August.
Prominent cybersecurity firms Tenable and Qualys have confirmed unauthorized access to their Salesforce data, becoming the latest victims in a widespread supply chain attack involving stolen OAuth tokens from the Salesloft Drift application. This incident underscores the persistent risks associated with third-party integrations, even among organizations specializing in digital defense.
On September 3, Tenable disclosed that an intruder had accessed certain customer details stored within its Salesforce environment. The compromised information included support case subject lines, initial descriptions, and commonly available business contact details such as names, email addresses, phone numbers, and location data. The company emphasized that its core products and internal data remained unaffected, and there is currently no evidence of misuse of the exposed information.
Qualys issued a similar alert three days later, revealing that attackers had gained limited access to its Salesforce instance using credentials stolen during the same campaign. Like Tenable, the risk management firm confirmed that its products and services continued to operate normally without disruption.
Both companies responded swiftly by disabling the Salesloft Drift application, revoking related integrations, and rotating credentials. Tenable further hardened its Salesforce environment and connected systems to prevent future exploitation. Qualys is working with Salesforce and Google Cloud’s Mandiant to investigate the incident and contain any potential unauthorized access.
This attack, often referred to as the ‘SalesDrift’ hack, was first identified by Google’s Threat Intelligence Group on August 26. Google itself was among the early targets, with attackers using stolen tokens to access a limited number of Google Workspace email accounts on August 9. Since then, a growing list of companies, including Cloudflare, Palo Alto Networks, Zscaler, and Okta, has reported impacts or attempted intrusions.
Okta successfully blocked an attack attempt linked to the campaign, crediting enhanced security controls implemented after previous breaches. The identity security firm restricted inbound IP access to Salesforce, which effectively neutralized the threat before any damage could occur.
Nudge Security has developed a public dashboard tracking all organizations affected by the incident, complete with compromise dates and links to official advisories.
According to a September 7 update from Salesloft, the initial breach occurred in March, though attackers remained dormant while mapping internal systems. They exfiltrated OAuth tokens in June and began actively targeting customer networks in late August. Salesloft has since restored integration between its platform and Salesforce.
(Source: Info Security)