Qualys and Tenable new victims of salesloft drift

Qualys and Tenable Join Growing List of Victims in Salesloft Drift Supply Chain Attack

In a stark reminder of the fragility of third-party integrations, cybersecurity heavyweights Qualys and Tenable have become the latest casualties in a sprawling supply chain attack dubbed SalesDrift. This breach, which exploits stolen OAuth tokens to access Salesforce data, has rippled through dozens of high-profile firms, exposing customer information and underscoring the hidden risks in automated sales tools. As the victim count climbs, including giants like Palo Alto Networks and Cloudflare, industry experts are calling for tighter controls on app ecosystems. Dive into the specifics of this evolving threat, its mechanics, and what it means for enterprise security in an interconnected world.

The Scope of the SalesDrift Campaign: Who’s Been Hit and What Was Exposed

The SalesDrift attack has ensnared a who’s who of tech and security companies, starting with an initial breach at Salesloft in March 2025. By June, attackers had pilfered OAuth tokens, essentially digital access keys that allow seamless integration between apps like Salesloft’s Drift and Salesforce, for lead management and workflow automation. These tokens granted limited but targeted entry to Salesforce environments, potentially compromising customer support data, contact details, and more.

Qualys and Tenable confirmed their involvement in early September 2025. For Tenable, the exposed data included subject lines and initial descriptions from support cases, along with basic business contacts such as names, emails, phone numbers, and location info. Qualys reported similar limited access but kept specifics under wraps, emphasizing that no customer data appeared to have been misused. Both firms stressed that their core products and services remained untouched and operational.

The victim roster extends far beyond: BeyondTrust, Bugcrowd, Cato Networks, Cloudflare, CyberArk, Elastic, JFrog, Nutanix, PagerDuty, Palo Alto Networks, Rubrik, SpyCloud, Tanium, Zscaler, and even Google have all reported impacts. Okta, however, thwarted an attempt on September 2, 2025, crediting enhanced IP restrictions on inbound Salesforce access. This growing list, tracked via a dashboard from Nudge Security, highlights how a single weak link in the supply chain can cascade into widespread vulnerabilities.

To put this in perspective, it’s reminiscent of the 2020 SolarWinds Orion breach, where attackers embedded malware in software updates to spy on thousands. Here, the focus on OAuth tokens adds a layer of stealth, as these are often overlooked in routine security audits compared to traditional credentials.

On X, @DailyTechpulse shed light on the attackers’ identity, posting: “Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks. Google tracked the threat actors as UNC6395. ShinyHunters claimed responsibility for the attack.” This revelation points to sophisticated groups blending state-like tactics with criminal motives. Follow @DailyTechpulse on X for daily updates on emerging tech threats.

Unpacking the Attack: Timeline and Tactics Employed

The assault began quietly in March 2025, with hackers infiltrating Salesloft’s systems and lying low to map out internals. By June, they escalated to stealing OAuth tokens from connected customers. Exploitation kicked off in late August, with the first notable hit on Google Workspace users on August 9. Google’s Threat Intelligence Group (GTIG) flagged the campaign on August 26, dubbing it SalesDrift due to its ties to Salesloft’s Drift app.

Attackers leveraged the tokens for unauthorized Salesforce access, focusing on data that could fuel further phishing or reconnaissance. Unlike brute-force hacks, this method abuses a legitimate integration’s own credentials, so the access blends in with normal app traffic and is trickier to detect. Mandiant, Google’s cybersecurity arm, linked the activity to threat group UNC6395, while notorious hackers ShinyHunters have claimed credit, adding credibility to the scale of the operation.

Comparisons to other incidents, such as the 2023 MOVEit supply chain breach that affected millions, show a pattern: attackers target middleware like file transfer tools or sales platforms for maximum reach. In SalesDrift’s case, the dormant phase allowed time to harvest tokens without immediate alarms, a tactic increasingly common in advanced persistent threats (APTs).

Echoing this, @SPSDigitalTech shared a video post: “Supply-Chain Alert: Cyber Giants Impacted by Salesloft Drift Hack. A supply-chain attack using vulnerabilities in Salesloft Drift led to data breaches at Palo Alto Networks, Zscaler, and PagerDuty, exposing Salesforce customer and support data via stolen OAuth tokens.” Their alert emphasizes the rapid spread across sectors. For more on practical AI and security intersections, follow @SPSDigitalTech on X.

For a deeper technical breakdown, check out this report from Bleeping Computer, which details Mandiant’s findings on UNC6395.

Company Responses: Containment and Mitigation Strategies

Affected organizations moved swiftly to contain the damage. Tenable issued an alert on September 3, 2025, disabling the Drift app, revoking integrations, rotating credentials, and fortifying their Salesforce setup. They reported no signs of data misuse. Qualys followed suit on September 6, collaborating with Salesforce and Mandiant while echoing that products were secure.

Salesloft itself provided an update on September 7, restoring Salesforce integrations after thorough checks. Broader actions include Salesforce temporarily halting all Salesloft connections, as noted in industry reports—a prudent step to stem the bleed.

These responses align with best practices: immediate isolation, credential resets, and forensic audits. In contrast to slower reactions in past breaches like Equifax in 2017, this quick pivot likely minimized fallout.

On X, @rajkarri8 commented on the severity: “It’s a cheap software for a reason. Salesforce Disables All Integrations With Salesloft: Drift Hack Is Worse Than Previously Thought.” This post links to a detailed analysis, highlighting underestimated risks. Follow @rajkarri8 on X for candid takes on tech cycles.

Additional insights can be found in Salesforce’s community discussions at Salesforce Ben.

Lessons Learned: Strengthening Supply Chain Defenses

This incident amplifies calls for rigorous vetting of third-party apps, including regular OAuth audits and zero-trust principles for integrations. With regulations like DORA in the EU pushing for resilience, firms must prioritize visibility into vendor security.

As the attack evolves, monitoring tools from firms like Nudge Security offer real-time tracking of such campaigns, helping preempt risks.

Frequently Asked Questions (FAQs)

What is the SalesDrift hack, and how does it work?

SalesDrift is a supply chain attack where hackers breached Salesloft in March 2025, stole OAuth tokens in June, and used them to access Salesforce data starting in late August, targeting customer info without affecting core services.

Which companies have been affected by the Salesloft Drift breach?

Victims include Qualys, Tenable, Palo Alto Networks, Zscaler, Cloudflare, PagerDuty, and many others like CyberArk and Nutanix, with Okta successfully blocking an attempt.

What data was potentially exposed in the attack?

Compromised info varies but includes support case details, business contacts (names, emails, phones), and location data; no widespread customer data misuse has been reported.

How can organizations protect against similar supply chain attacks?

Implement OAuth monitoring, disable unused integrations, enforce IP restrictions, and conduct regular vendor audits. Tools like multi-factor authentication for apps add extra layers.
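The OAuth audit and IP-restriction advice above (and in the lessons-learned section) can be turned into two concrete checks over connected-app activity. The script below is an added example, not code from Salesloft, Salesforce, or any of the affected vendors; the log records, app names, IP ranges, and review date are constructed, and the record shape is a simplified stand-in for whatever your Salesforce event export actually looks like.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample records: simplified connected-app API access events.
# Assumption: each record carries the connected app name, the integration
# user, the source IP, the operation and the Salesforce object touched.
SAMPLE_EVENTS = [
    {"ts": "2025-08-28T02:14:11Z", "app": "Drift", "ip": "203.0.113.7",
     "op": "Query", "obj": "Case"},
    {"ts": "2025-08-28T02:15:40Z", "app": "Drift", "ip": "203.0.113.7",
     "op": "Query", "obj": "Contact"},
    {"ts": "2025-08-27T09:00:03Z", "app": "Drift", "ip": "198.51.100.20",
     "op": "Query", "obj": "Lead"},
    {"ts": "2025-06-01T08:00:00Z", "app": "LegacyReporting", "ip": "192.0.2.5",
     "op": "Query", "obj": "Account"},
]

# Assumption: per-app egress ranges as published by each vendor (constructed here).
APP_ALLOWLIST = {
    "Drift": [ipaddress.ip_network("198.51.100.0/24")],
    "LegacyReporting": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed review time for the stale-app check.
NOW = datetime(2025, 9, 3, tzinfo=timezone.utc)


def flag_off_allowlist(events, allowlist):
    """Events where a connected app's token was used from outside its known ranges.

    A stolen OAuth token is still a valid token; the source IP is one of the
    few signals that separates the real integration from someone replaying it.
    Apps with no allowlist entry are flagged too, since they cannot be vetted.
    """
    hits = []
    for e in events:
        ranges = allowlist.get(e["app"])
        ip = ipaddress.ip_address(e["ip"])
        if ranges is None or not any(ip in r for r in ranges):
            hits.append(e)
    return hits


def stale_apps(events, known_apps, now, max_idle_days=30):
    """Connected apps idle for more than max_idle_days: candidates to revoke."""
    last_seen = {}
    for e in events:
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        last_seen[e["app"]] = max(last_seen.get(e["app"], t), t)
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in known_apps
                  if a not in last_seen or last_seen[a] < cutoff)
```

Run against a real export, the first function is the alert feed (two Drift reads of Case and Contact from an unknown address in the sample) and the second is the revocation worklist.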

Who is behind the SalesDrift campaign?

Google’s Mandiant attributes it to UNC6395, with ShinyHunters claiming responsibility, blending advanced tactics for data theft.

Conclusion

The Salesloft Drift attack on Qualys, Tenable, and others exposes the Achilles’ heel of third-party dependencies, urging a reevaluation of integration risks in 2025. By learning from these events, businesses can build more resilient defenses. For ongoing coverage of cybersecurity breaches, expert analyses, and proactive tips, make Techguideonline.com your first stop in the tech world.
