Tenable Confirms Data Breach; Salesloft and Drift Compromise Contained, Salesforce Integration Restored
Published
- Tenable data breach: Tenable business contact information and data related to customer accounts and support cases have been exposed.
- How it started: Investigations revealed that attackers gained access to Salesloft's GitHub account in spring 2025.
- The objective: The threat actors’ purpose was a OAuth token breach to illicitly access customer data via the compromised Drift integrations.
A Tenable data breach exposed a segment of its customer data as part of a broader campaign that exploited a Salesforce integration vulnerability involving the Salesloft Drift marketing application. The Salesloft Drift compromise investigation has identified the root cause and scope of a sophisticated attack that targeted both the Drift and Salesloft environments.
The investigation led by Mandiant began on August 28, 2025, and concluded that the incident is contained, leading to the restoration of key platform integrations.
Tenable Incident Scope and Data Exposure
The Tenable breach originated from a third-party application integration within its Salesforce environment, which exposed a limited set of information stored on the platform, including commonly available business contact information such as customer names, business email addresses, and phone numbers.Â
Additionally, attackers accessed regional and location references tied to customer accounts, along with the subject lines and initial descriptions from support cases.Â
Tenable has stated there is no current evidence indicating active misuse of this information. The company emphasized that its core network and products, including customer data within those products, remain secure and were not affected by this incident.
Salesloft Drift Incident Timeline
The Mandiant investigation determined that threat actor activity began between March and June 2025. During this period, the attackers gained access to Salesloft's GitHub account, allowing them to download repository content, add a guest user, and establish malicious workflows.Â
Reconnaissance activities were noted across both the Salesloft and Drift application environments. Following this initial phase, the threat actor pivoted to Drift's AWS environment.Â
The primary objective was an OAuth token breach, where the actor successfully obtained OAuth tokens for Drift customers' technology integrations. These stolen tokens were then used to illicitly access customer data via the compromised Drift integrations.Â
Mandiant's analysis confirmed that while the Salesloft environment was subject to limited reconnaissance, there was no evidence of a deeper compromise.Â
The Salesloft Drift breach extended to other connected systems, with a wave of Salesforce-related breaches Google attributed to  Scattered Spider (UNC3944)  and ShinyHunters (UNC6040) impacting Palo Alto Networks, Cloudflare, Proofpoint, and more.
Salesloft Response and Remediation Efforts
Salesloft initiated a comprehensive response to contain and eradicate the threat. The Drift application infrastructure was isolated and taken offline, while all impacted credentials were rotated.Â
In the Salesloft environment, credentials were also rotated, and proactive threat hunting was performed, yielding no additional Indicators of Compromise (IOCs). The environment was rapidly hardened against the attacker's known methods.
Mandiant has verified the technical segmentation between the Salesloft and Drift infrastructures and offered recommendations for impacted organizations.Â
With the incident now contained, the Salesforce integration restored status has been confirmed. Customers can resume using the integrated capabilities, with Salesloft's Customer Success team managing data reconciliation to ensure a smooth transition.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular