Qualys has confirmed it was impacted by a widespread supply chain attack that targeted the Salesloft Drift marketing platform, resulting in unauthorized access to a portion of its Salesforce data.
The breach originated from a sophisticated cyberattack campaign targeting Salesloft Drift, a third-party Software-as-a-Service (SaaS) application used by Qualys to automate sales workflows and manage marketing leads.
According to the company, the attackers stole the OAuth tokens that authorized the Drift application to act against Qualys’s Salesforce instance, then used those tokens to read Salesforce data with the integration’s own permissions. Because a bearer token is accepted on presentation, this did not require any Qualys user’s password or MFA, and the activity would have appeared to Salesforce as ordinary requests from the Drift integration.
Qualys specified that the access was limited to some information within its Salesforce environment, which is primarily used for managing leads and contact information.
The company stated that the attack did not extend beyond that Salesforce environment. There was no impact on Qualys production environments, including its shared and private platforms, its codebase, or any customer data hosted on the Qualys Cloud Platform, and all Qualys platforms, agents, and scanners remained fully operational with no disruption.
Upon becoming aware of the incident, Qualys activated its incident response plan and contained the threat by disabling all Drift integrations with its Salesforce data. Disabling the integration is the containment step that matters for stolen OAuth tokens: the tokens are credentials in their own right and remain valid until the grant that issued them is revoked, so resetting user passwords alone would not have cut off the access.
To support its investigation, Qualys has engaged Mandiant, which is reportedly also assisting many of the other organizations affected by the wider campaign against Salesloft Drift.
Confirmed victims of this supply chain attack include:
- Palo Alto Networks: The cybersecurity firm confirmed the exposure of business contact information and internal sales data from its CRM platform.
- Zscaler: The cloud security company reported that customer information, including names, contact details, and some support case content, was accessed.
- Google: In addition to being an investigator, Google confirmed a “very small number” of its Workspace accounts were accessed through the compromised tokens.
- Cloudflare: Cloudflare has confirmed a data breach where a sophisticated threat actor accessed and stole customer data from the company’s Salesforce instance.
- PagerDuty: The incident management company confirmed a security incident that resulted in unauthorized access to some of its data stored in Salesforce.
- Tenable: The exposure management company confirmed a data breach that exposed the contact details and support case information of some of its customers.