{"id":2719,"date":"2025-09-08T12:52:27","date_gmt":"2025-09-08T12:52:27","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/08\/qualys-tenable-latest-victims-of-salesloft-drift-hack\/"},"modified":"2025-09-08T12:52:27","modified_gmt":"2025-09-08T12:52:27","slug":"qualys-tenable-latest-victims-of-salesloft-drift-hack","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/08\/qualys-tenable-latest-victims-of-salesloft-drift-hack\/","title":{"rendered":"Qualys, Tenable Latest Victims of Salesloft Drift Hack"},"content":{"rendered":"
\n

Cybersecurity providers Tenable and Qualys are the latest in a growing list of companies affected by a significant supply chain attack targeting Salesforce customer data.<\/p>\n

The campaign involved the theft of OAuth authentication tokens connected to Salesloft Drift, a third-party application integrated with Salesforce used to automate workflows and manage leads and contact information.<\/p>\n

In a security alert on September 3, vulnerability assessment firm Tenable said that an unauthorized user gained access to a portion of some of its customers\u2019 information stored in the company\u2019s Salesforce instance.<\/p>\n

This data included subject lines and initial descriptions provided by customers when opening a Tenable support case as well as commonly available business contact information, such as names, business email addresses, phone numbers and location references.<\/p>\n

\u201cAt this time, we have no evidence that any of this information has been misused,\u201d the security provider noted. Tenable products and data within the Tenable product suite were unaffected.<\/p>\n

Three days later, risk management firm Qualys issued a similar alert, stating the credentials stolen during the campaign of OAuth token theft had allowed attackers \u201climited access to some Qualys Salesforce information.\u201d<\/p>\n

Like Tenable, Qualys confirmed that its products and services were not affected and were still fully operational.<\/p>\n

Both firms said they disabled the Salesloft Drift application and revoked associated integrations with their systems and\/or rotated integration credentials.<\/p>\n

Tenable also hardened its Salesforce environment and other connected systems to reduce the likelihood of future exploitation.<\/p>\n

Qualys said it had worked to contain any potential unauthorized access. The risk management provider is also collaborating with Salesforce and with Google Cloud\u2019s Mandiant to investigate the incident.<\/p>\n

\u2018SalesDrift\u2019 Hack: A Growing Victim List<\/strong><\/h2>\n

The Salesloft Drift supply chain attack (also known as the \u2018SalesDrift\u2019 hack) was first identified by the Google Threat Intelligence Group (GTIG), which shared its findings on August 26.<\/p>\n

Google itself was among the targets, as an attacker exploited stolen authentication tokens to infiltrate email accounts in a limited number of Google Workspace users on August 9.<\/p>\n

Since then, a flurry of companies have confirmed they had been affected, including \u00a0BeyondTrust, Bugcrowd, Cato Networks, Cloudflare, CyberArk, Elastic, JFrog, Nutanix, PagerDuty, Palo Alto Networks, Rubrik, SpyCloud, Tanium and Zscaler.<\/p>\n

Okta revealed on September 2 that it had successfully blocked an attack attempt linked to the Salesloft Drift campaign.<\/p>\n

The identity security firm stated that enhanced security controls put in place following previous breaches in 2022 and 2023 helped prevent the attack.<\/p>\n

These measures included restricting inbound IP access to Salesforce, which Okta said stopped the unauthorized access attempt before it could succeed.<\/p>\n

Nudge Security has created a dashboard which tracks all companies affected by the \u2018SalesDrift\u2019 hack and includes the dates of the compromises and links to the security advisories.<\/p>\n

Initial Salesloft Drift Compromise in March<\/strong><\/h2>\n

According to a September 7 update by Salesloft, hackers first breached the sales automation platform back in March.<\/p>\n

The attackers remained dormant while mapping out the company\u2019s internal systems before stealing OAuth tokens from Salesloft customers in June.<\/p>\n

They then began leveraging those tokens to target customer networks starting in late August.<\/p>\n

In a later update, also published on September 7, Salesloft indicated that the integration between the Salesloft platform and Salesforce is now restored.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Cybersecurity providers Tenable and Qualys are the latest in a growing list of companies affected by a significant supply chain attack targeting Salesforce customer data. The campaign involved the theft of OAuth authentication tokens connected to Salesloft Drift, a third-party application integrated with Salesforce used to automate workflows and manage leads and contact information. In<\/p>\n","protected":false},"author":2,"featured_media":2720,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2719","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2719-3e8c2013-33cf-496e-8c00-f876cde6722d-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2719"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2719\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2720"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2719"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}