Qualys has announced that it fell victim to a far-reaching supply chain attack that compromised the Salesloft Drift marketing platform, leading to unauthorized access to segments of its Salesforce data.
This breach stemmed from an intricate cyberattack directed against Salesloft Drift, a third-party Software-as-a-Service (SaaS) tool that Qualys uses to automate sales workflows and manage marketing leads.
The company reported that attackers stole the OAuth authentication tokens linking the Drift application to Qualys’s Salesforce environment, and used those tokens to gain unauthorized access.
Qualys has clarified that this breach was confined to specific information within its Salesforce ecosystem, primarily concerning lead management and contact details.
In a formal statement, the company reassured stakeholders that its core security architecture remained uncompromised. The attack did not affect Qualys’s production environments (both shared and private platforms), its codebase, or customer data housed on the Qualys Cloud Platform.

Notably, all operational platforms, agents, and scanners continued to function without interruption.
Upon detection of the incident, Qualys promptly enacted its incident response strategy. The security team swiftly acted to contain the threat by disabling all Drift integrations connected to Salesforce data, effectively severing the attackers’ access.
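The two technical threads above, stolen OAuth tokens for a connected app and containment by disabling that app's integrations, suggest the kind of triage a Salesforce tenant would run after such a notice. The following is an added defender-side example, not code from Qualys, Salesloft or Salesforce: it takes a simplified, constructed export of connected-app API activity and flags three things a responder wants to know after a third-party token theft: calls from the app that come from outside the vendor's documented egress range, bulk pulls of lead, contact and support-case objects, and any continued use of the app after the moment its integrations were supposed to be revoked (which would mean a token was missed). The app name, IP ranges, threshold and timestamps are all assumptions for illustration.

```python
"""Triage connected-app activity after a third-party OAuth token theft.

Added example. The event records, the egress range, the row threshold and the
revocation time are constructed for illustration; the record layout is a
simplified stand-in for a real audit/event-log export, not a Salesforce schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AppEvent:
    app: str          # connected-app name as shown in the audit export
    ip: str           # source IP of the API call
    ts: datetime      # UTC timestamp of the call
    objects: tuple    # CRM objects touched, e.g. ("Lead", "Contact")
    rows: int         # rows returned by the query or bulk job


# Hypothetical: egress ranges the integration vendor documents for its service.
KNOWN_APP_EGRESS = {"Drift": (ip_network("198.51.100.0/24"),)}

# Objects whose bulk export would matter in this kind of incident.
SENSITIVE_OBJECTS = {"Lead", "Contact", "Account", "Case"}
BULK_ROW_THRESHOLD = 10_000


def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def triage(events, revoked_at):
    """Return a list of (event, reasons) for every event that needs review.

    reasons is a list of short tags:
      unexpected_source_ip  app call from outside the vendor's known ranges
      bulk_export           large pull of sensitive objects
      post_revocation_use   app still active after integrations were disabled
    """
    flagged = []
    for ev in events:
        reasons = []
        ranges = KNOWN_APP_EGRESS.get(ev.app)
        if ranges is not None:
            src = ip_address(ev.ip)
            if not any(src in r for r in ranges):
                reasons.append("unexpected_source_ip")
        if ev.rows >= BULK_ROW_THRESHOLD and SENSITIVE_OBJECTS & set(ev.objects):
            reasons.append("bulk_export")
        if ranges is not None and revoked_at is not None and ev.ts > revoked_at:
            reasons.append("post_revocation_use")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def reason_counts(flagged):
    """Summarise flagged events as {reason: count} for a quick status report."""
    counts = {}
    for _, reasons in flagged:
        for r in reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


# Constructed sample export: one normal sync, two suspicious pulls from an
# unfamiliar address, one call after revocation, and an unrelated internal app.
REVOKED_AT = _utc("2025-08-22T12:00:00")
SAMPLE_EVENTS = [
    AppEvent("Drift", "198.51.100.7", _utc("2025-08-20T03:00:00"), ("Lead",), 40),
    AppEvent("Drift", "203.0.113.55", _utc("2025-08-21T02:10:00"), ("Lead", "Contact"), 250_000),
    AppEvent("Drift", "203.0.113.55", _utc("2025-08-21T02:30:00"), ("Case",), 15_000),
    AppEvent("Drift", "198.51.100.9", _utc("2025-08-23T10:00:00"), ("Lead",), 10),
    AppEvent("InternalReporting", "192.0.2.10", _utc("2025-08-21T09:00:00"), ("Account",), 500),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS, REVOKED_AT):
        print(ev.ts.isoformat(), ev.app, ev.ip, ev.rows, ",".join(reasons))
    print(reason_counts(triage(SAMPLE_EVENTS, REVOKED_AT)))
```

The post-revocation check is the one most worth keeping after the incident closes: "disabling the integration" in the admin UI and "every issued refresh token is dead" are not always the same thing, so a standing query for any activity by the app after the cut-off is a cheap way to confirm containment actually held.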
To support its internal investigation, Qualys has enlisted the cybersecurity firm Mandiant, which is also assisting several other organizations affected by this extensive campaign against Salesloft Drift.
Among the confirmed victims of this supply chain attack are:
- Palo Alto Networks: This cybersecurity firm verified the compromise of business contact information and internal sales data stored within its CRM platform.
- Zscaler: The cloud security provider reported that sensitive customer information, including names, contact information, and portions of support case content, was accessed.
- Google: Aside from its investigative role, Google confirmed that a “very small number” of its Workspace accounts were accessed using the compromised tokens.
- Cloudflare: The company acknowledged a data breach where a sophisticated threat actor accessed and extracted customer data from its Salesforce instance.
- PagerDuty: This firm confirmed an incident resulting in unauthorized access to certain data within Salesforce.
- Tenable: The company revealed a data breach, exposing contact details and support case information for a subset of its customers.
Source link: Cybersecuritynews.com.