Tenable, a vulnerability assessment firm, was impacted by the **SalesDrift supply chain attack** targeting Salesforce customer data. An unauthorized user exploited stolen **OAuth authentication tokens** linked to the **Salesloft Drift** third-party application (integrated with Salesforce) to gain access to a portion of Tenable’s **Salesforce instance**.

The compromised data included **customer support case details** (subject lines, initial descriptions) and **business contact information** (names, email addresses, phone numbers, and location references). While Tenable confirmed **no misuse of the stolen data** and stated its **products and internal systems remained unaffected**, the breach exposed sensitive customer interaction records and corporate contact details.

Tenable responded by **disabling Salesloft Drift**, revoking integrations, rotating credentials, and hardening its Salesforce environment. The incident highlights risks in **third-party supply chain vulnerabilities**, where attackers leverage trusted vendor access to infiltrate enterprise systems. Though no direct financial or operational harm was reported, the exposure of **customer support metadata and business contacts** poses reputational and phishing risks.
Source: https://www.infosecurity-magazine.com/news/qualys-tenable-salesloft-drift-hack/
TPRM report: https://www.rankiteo.com/company/tenableinc
"id": "ten3532135090825",
"linkid": "tenableinc",
"type": "Breach",
"date": "9/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Portion of customers with data '
'in Salesforce',
'industry': 'Cybersecurity',
'name': 'Tenable',
'type': 'Cybersecurity Firm (Vulnerability '
'Assessment)'},
{'industry': 'Cybersecurity',
'name': 'Qualys',
'type': 'Cybersecurity Firm (Risk Management)'},
{'customers_affected': 'Limited number of Google '
'Workspace users',
'industry': 'Technology',
'name': 'Google',
'type': 'Technology Company'},
{'industry': 'Cybersecurity',
'name': 'BeyondTrust',
'type': 'Cybersecurity Firm'},
{'industry': 'Cybersecurity',
'name': 'Bugcrowd',
'type': 'Cybersecurity Firm (Crowdsourced Security)'},
{'industry': 'Cybersecurity',
'name': 'Cato Networks',
'type': 'Cybersecurity Firm (Network Security)'},
{'industry': 'Cybersecurity',
'name': 'Cloudflare',
'type': 'Cybersecurity Firm (Web Infrastructure)'},
{'industry': 'Cybersecurity',
'name': 'CyberArk',
'type': 'Cybersecurity Firm (Privileged Access '
'Management)'},
{'industry': 'Cybersecurity',
'name': 'Elastic',
'type': 'Cybersecurity Firm (Search and Analytics)'},
{'industry': 'Cybersecurity',
'name': 'JFrog',
'type': 'Cybersecurity Firm (DevOps Security)'},
{'industry': 'Technology',
'name': 'Nutanix',
'type': 'Cloud Computing Firm'},
{'industry': 'Cybersecurity',
'name': 'PagerDuty',
'type': 'Incident Response Firm'},
{'industry': 'Cybersecurity',
'name': 'Palo Alto Networks',
'type': 'Cybersecurity Firm'},
{'industry': 'Cybersecurity',
'name': 'Rubrik',
'type': 'Cybersecurity Firm (Data Protection)'},
{'industry': 'Cybersecurity',
'name': 'SpyCloud',
'type': 'Cybersecurity Firm (Identity Protection)'},
{'industry': 'Cybersecurity',
'name': 'Tanium',
'type': 'Cybersecurity Firm (Endpoint Management)'},
{'industry': 'Cybersecurity',
'name': 'Zscaler',
'type': 'Cybersecurity Firm (Cloud Security)'},
{'customers_affected': 'Attack Attempt Blocked (No '
'Compromise)',
'industry': 'Cybersecurity',
'name': 'Okta',
'type': 'Cybersecurity Firm (Identity Management)'},
{'customers_affected': 'Multiple (OAuth Tokens Stolen '
'in June 2024)',
'industry': 'Technology',
'name': 'Salesloft',
'type': 'Sales Automation Platform'}],
'attack_vector': ['Stolen OAuth Tokens',
'Third-Party Application Compromise (Salesloft Drift)',
'Dormant Persistence'],
'customer_advisories': ['Tenable and Qualys Notified Affected Customers',
'No Evidence of Misuse Reported'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': ['Names',
'Business Email '
'Addresses',
'Phone Numbers',
'Location References'],
'sensitivity_of_data': 'Low to Moderate (No Highly Sensitive '
'PII or Financial Data)',
'type_of_data_compromised': ['Business Contact Information',
'Support Case Metadata']},
'date_detected': '2024-08-26',
'date_publicly_disclosed': '2024-09-03',
'description': 'A supply chain attack targeting Salesforce customer data '
'involved the theft of OAuth authentication tokens connected '
'to Salesloft Drift, a third-party application integrated with '
'Salesforce. Attackers gained unauthorized access to customer '
'information stored in Salesforce instances of multiple '
'companies, including Tenable and Qualys. The breach exposed '
'business contact information and support case details, though '
'no evidence of misuse was found. The attack was first '
'identified by Google Threat Intelligence Group (GTIG) in '
'August 2024, with initial compromise dating back to March '
'2024. Multiple cybersecurity firms were affected, and '
'responses included disabling Salesloft Drift, revoking '
'integrations, and collaborating with Salesforce and Mandiant '
'for investigations.',
'impact': {'brand_reputation_impact': ['Potential Erosion of Trust Due to '
'Supply Chain Vulnerability'],
'data_compromised': ['Business Contact Information (names, emails, '
'phone numbers, locations)',
'Support Case Subject Lines and Initial '
'Descriptions'],
'identity_theft_risk': ['Low (no PII misuse reported)'],
'operational_impact': ['Temporary Disruption of Salesloft Drift '
'Integration',
'Investigation and Remediation Efforts'],
'systems_affected': ['Salesforce Instances',
'Salesloft Drift Integration']},
'initial_access_broker': {'entry_point': 'Salesloft Drift (Compromised in '
'March 2024)',
'high_value_targets': ['Salesforce Customer Data',
'OAuth Tokens'],
'reconnaissance_period': 'March 2024 to June 2024 '
'(Mapping Internal '
'Systems)'},
'investigation_status': 'Ongoing (Collaboration with Salesforce and Mandiant)',
'lessons_learned': ['OAuth token security requires stricter monitoring and '
'rotation policies.',
'Third-party integrations pose significant supply chain '
'risks and must be continuously audited.',
'Dormant threats can persist for months (initial '
'compromise in March, exploitation in August).',
'Proactive measures like IP restrictions (Okta) can '
'prevent unauthorized access.'],
'motivation': ['Data Exfiltration',
'Potential Espionage or Financial Gain (unconfirmed)'],
'post_incident_analysis': {'corrective_actions': ['Disabled Vulnerable '
'Integrations (Salesloft '
'Drift)',
'Hardened Salesforce '
'Environments (e.g., '
'Tenable)',
'Enhanced Monitoring for '
'Anomalous OAuth Token '
'Usage',
'Restored '
'Salesloft-Salesforce '
'Integration with Improved '
'Security Controls'],
'root_causes': ['Insufficient Protection of OAuth '
'Tokens in Salesloft Drift',
'Delayed Detection of Initial '
'Compromise (March to August 2024)',
'Lack of Segmentation Between '
'Third-Party App and Salesforce '
'Data']},
'recommendations': ['Implement multi-layered authentication for third-party '
'integrations.',
'Enforce least-privilege access for OAuth tokens and '
'revoke unused credentials.',
'Monitor for anomalous activity in integrated '
'applications, especially after dormant periods.',
'Adopt zero-trust principles for Salesforce and similar '
'cloud platforms.',
'Collaborate with vendors (e.g., Salesforce) to share '
'threat intelligence and hardening guidelines.'],
'references': [{'date_accessed': '2024-09-03',
'source': 'Tenable Security Alert'},
{'date_accessed': '2024-09-06',
'source': 'Qualys Security Alert'},
{'date_accessed': '2024-08-26',
'source': 'Google Threat Intelligence Group (GTIG) Findings'},
{'date_accessed': '2024-09-07',
'source': 'Salesloft Update on Compromise Timeline'},
{'source': 'Nudge Security Dashboard (Tracking Affected '
'Companies)'},
{'date_accessed': '2024-09-02',
'source': 'Okta Statement on Blocked Attack Attempt'}],
'response': {'communication_strategy': ['Public Security Alerts (Tenable: '
'2024-09-03, Qualys: 2024-09-06)',
'Nudge Security Dashboard Tracking '
'Affected Companies'],
'containment_measures': ['Disabled Salesloft Drift Application',
'Revoked Associated Integrations',
'Rotated Integration Credentials'],
'enhanced_monitoring': ['Okta: Restricted Inbound IP Access to '
'Salesforce'],
'incident_response_plan_activated': True,
'recovery_measures': ['Restored Salesloft-Salesforce Integration '
'(as of 2024-09-07)'],
'remediation_measures': ['Hardened Salesforce Environment '
'(Tenable)',
'Collaborated with Salesforce and '
'Mandiant (Qualys)'],
'third_party_assistance': ['Salesforce',
'Google Cloud’s Mandiant']},
'stakeholder_advisories': ['Public Disclosures by Affected Companies',
'Nudge Security Dashboard'],
'title': 'SalesDrift Supply Chain Attack Targeting Salesforce Customer Data '
'via OAuth Token Theft',
'type': ['Supply Chain Attack', 'OAuth Token Theft', 'Unauthorized Access'],
'vulnerability_exploited': ['Weak OAuth Token Security',
'Lateral Movement via Stolen Credentials']}