Two leading cybersecurity firms, Tenable and Qualys, have confirmed exposure from the ongoing Salesloft Drift supply-chain incident that has already impacted Palo Alto Networks, Zscaler, and hundreds of global organizations. The breach, which stems from OAuth token theft linked to the Drift marketing application integrated with Salesforce, highlights the systemic risks posed by third-party SaaS tools.
Both companies have emphasized that core platforms, products, and customer data remain unaffected. Still, the incident underscores the growing attack surface introduced by cloud-based integrations and the need for stronger third-party risk management.
Tenable’s Response
According to Tenable, the attackers gained unauthorized access to portions of its Salesforce data through compromised Drift credentials.
Information accessed included:
- Customer support case subject lines and initial descriptions
- Common business contact details (names, email addresses, phone numbers, locations)
The company stated that there is no evidence so far that this information has been misused. Importantly, Tenable confirmed that its products were not impacted.
To contain the threat, Tenable has:
- Revoked and rotated all potentially compromised credentials
- Hardened its Salesforce and connected environments
- Disabled and removed the Drift app entirely
- Applied known indicators of compromise (IoCs)
- Strengthened continuous monitoring with SaaS Security Posture Management (SSPM)
Tenable reaffirmed its commitment to transparency and pledged ongoing updates as the investigation continues.
Qualys’ Response
Qualys also confirmed being impacted, but stressed that there was no effect on its production environments, codebase, or customer data hosted on the Qualys Cloud Platform, Agents, or Scanners.
The breach was confined to its Salesforce environment, with unauthorized actors obtaining limited access to Salesforce data via Drift tokens.
Actions taken by Qualys include:
- Disabling all Drift integrations with Salesforce
- Launching a detailed investigation in collaboration with Salesforce
- Engaging Mandiant for third-party forensic support
- Reinforcing controls to prevent recurrence
Qualys assured customers that its services remain fully operational and unaffected.
Broader Impact and Industry Concerns
This incident highlights the supply-chain risks of SaaS integrations, where attackers can bypass traditional security perimeters by targeting trusted third-party apps. As more organizations embed tools like Drift into CRM and sales workflows, the potential fallout from a single compromised vendor grows accordingly.
For enterprises across all regions – including the Middle East and Africa, where adoption of SaaS and Salesforce is accelerating – the attack is a reminder that supply-chain security is now a first-line business risk.
10 Recommended Actions for Security Teams
- Revoke and rotate all Drift-related OAuth tokens immediately.
- Audit Salesforce environments for unusual queries or exfiltration attempts.
- Disable unnecessary third-party integrations to minimize the attack surface.
- Apply least-privilege policies to all OAuth apps.
- Implement SaaS Security Posture Management (SSPM) for continuous monitoring.
- Use threat intelligence feeds to apply known IoCs.
- Enhance third-party risk assessments for SaaS vendors.
- Educate staff about phishing risks, especially after contact info exposure.
- Establish incident playbooks specific to SaaS and OAuth token compromises.
- Regularly review vendor contracts to ensure security obligations are enforceable.
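As an added illustration of the audit and least-privilege items above (not code from Tenable, Qualys, Salesforce or Salesloft), this Python example checks an exported record of connected-app API activity against a per-app policy and reports reads from unexpected source addresses, reads of objects outside the app's intended scope, and bulk reads. The column names, policy values, the `ReportingTool` app and all sample rows are constructed for the example and are not Salesforce's actual log schema.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export; column names are assumptions for this example,
# not Salesforce's actual event log schema.
SAMPLE_LOG = """timestamp,connected_app,client_ip,object,rows_returned
2025-08-01T09:00:00Z,Drift,192.0.2.10,Lead,40
2025-08-01T09:05:00Z,Drift,192.0.2.11,Contact,25
2025-08-02T03:12:00Z,Drift,203.0.113.77,Case,48000
2025-08-02T03:14:00Z,Drift,203.0.113.77,Contact,61000
2025-08-02T10:00:00Z,ReportingTool,198.51.100.5,Case,300
"""

# Assumed per-app policy: expected source ranges, permitted objects, per-query row ceiling.
POLICY = {
    "Drift": {"networks": ["192.0.2.0/24"], "objects": {"Lead", "Contact"}, "max_rows": 1000},
    "ReportingTool": {"networks": ["198.51.100.0/24"], "objects": {"Case"}, "max_rows": 5000},
}

def audit(log_text, policy):
    """Return (findings, rows_by_app): each policy deviation, and total rows read per app."""
    findings, totals = [], defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        app, rows = row["connected_app"], int(row["rows_returned"])
        totals[app] += rows
        rule = policy.get(app)
        if rule is None:
            # An app with API activity but no policy entry is itself a finding.
            findings.append((row["timestamp"], app, "app not in inventory"))
            continue
        reasons = []
        ip = ip_address(row["client_ip"])
        if not any(ip in ip_network(n) for n in rule["networks"]):
            reasons.append("unexpected source IP " + row["client_ip"])
        if row["object"] not in rule["objects"]:
            reasons.append("object outside app scope: " + row["object"])
        if rows > rule["max_rows"]:
            reasons.append(f"bulk read of {rows} rows")
        findings.extend((row["timestamp"], app, r) for r in reasons)
    return findings, dict(totals)

if __name__ == "__main__":
    findings, totals = audit(SAMPLE_LOG, POLICY)
    for ts, app, reason in findings:
        print(ts, app, reason)
    print(totals)
```

The same policy table doubles as an inventory of what each integration is expected to touch, which is the input a least-privilege review of OAuth scopes needs.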
Conclusion
While the Tenable and Qualys disclosures show that their products and core environments remain intact, the incident is a wake-up call for every enterprise relying on Salesforce and third-party integrations. As the scope of the Drift breach unfolds, security leaders must treat OAuth-based supply-chain compromises as a top priority for 2025 and beyond.