Qualys, Tenable Latest Victims of Salesloft Drift Hack

Cybersecurity providers Tenable and Qualys are the latest in a growing list of companies affected by a significant supply chain attack targeting Salesforce customer data. The campaign involved the theft of OAuth authentication tokens connected to Salesloft Drift, a third-party application integrated with Salesforce used to automate workflows and manage leads and contact information.

On September 3, vulnerability assessment firm Tenable said that an unauthorized user gained access to a portion of some of its customers' information stored in the company's Salesforce instance. This data included subject lines and initial descriptions provided by customers when opening a Tenable support case as well as commonly available business contact information, such as names, business email addresses, phone numbers, and location references.

"At this time, we have no evidence that any of this information has been misused," the security provider noted. Tenable products and data within the Tenable product suite were unaffected. Three days later, risk management firm Qualys issued a similar alert, stating that the OAuth tokens stolen during the campaign had allowed attackers "limited access to some Qualys Salesforce information."

Like Tenable, Qualys confirmed that its products and services were not affected and were still fully operational. Both firms said they disabled the Salesloft Drift application and revoked associated integrations with their systems and/or rotated integration credentials.

Tenable also hardened its Salesforce environment and other connected systems to reduce the likelihood of future exploitation. Qualys said it had worked to contain any potential unauthorized access. The risk management provider is also collaborating with Salesforce and with Google Cloud's Mandiant to investigate the incident.

The Salesloft Drift supply chain attack, also known as the "SalesDrift" hack, was first identified by the Google Threat Intelligence Group (GTIG), which shared its findings on August 26. Google itself was among the targets: on August 9, an attacker used stolen authentication tokens to access the email accounts of a limited number of Google Workspace users.

Since then, a flurry of companies have confirmed they were affected, including BeyondTrust, Bugcrowd, Cato Networks, Cloudflare, CyberArk, Elastic, JFrog, Nutanix, PagerDuty, Palo Alto Networks, Rubrik, SpyCloud, Tanium, and Zscaler. Okta revealed on September 2 that it had successfully blocked an attack attempt linked to the Salesloft Drift campaign.

The identity security firm stated that enhanced security controls put in place following previous breaches in 2022 and 2023 helped prevent the attack. These measures included restricting inbound IP access to Salesforce, which Okta said stopped the unauthorized access attempt before it could succeed.

Nudge Security has created a dashboard that tracks all companies affected by the 'SalesDrift' hack and includes the dates of the compromises and links to the security advisories.

Initial Salesloft Drift Compromise in March

According to a September 7 update by Salesloft, hackers first breached the sales automation platform back in March. The attackers remained dormant while mapping out the company's internal systems before stealing OAuth tokens from Salesloft customers in June.

They then began leveraging those tokens to target customer networks starting in late August. In a later update, also published on September 7, Salesloft indicated that the integration between the Salesloft platform and Salesforce has now been restored.