Qualys Confirms Salesforce Data Compromised in Salesloft-Drift Cyberattack

Qualys confirms limited exposure of Salesforce lead and contact records after attackers stole OAuth tokens from the Salesloft Drift marketing platform.

No core Qualys systems or customer data on its cloud platform were affected.

Qualys disclosed that it fell victim to a supply chain attack targeting Salesloft Drift, the third-party SaaS application it uses to automate sales workflows and manage marketing leads.

In early September 2025, malicious actors breached Salesloft Drift and successfully exfiltrated OAuth authentication tokens that linked the Drift application to Qualys’s Salesforce instance.

Using those tokens, attackers gained unauthorized, read-only access to a subset of Salesforce records.

Although the incident involved access to Qualys’s Salesforce environment, the company emphasized that the breach was contained to certain lead and contact details.

There was no impact on:

• Qualys’s production platforms—shared or private
• Its underlying code repositories
• Agents, scanners, or any cloud-hosted customer data
• Operational continuity, as all services remained fully functional

Upon detecting suspicious activity, Qualys immediately enacted its incident response plan.

The security team disabled all Drift integrations with Salesforce, severing the attackers’ remaining access pathways.

Simultaneously, Qualys engaged cybersecurity specialist Mandiant to conduct a thorough investigation into the scope and root cause of the compromise.

Mandiant is also supporting other organizations targeted in this widespread campaign against Salesloft Drift.

Several prominent technology companies have confirmed their own exposures resulting from this campaign:

Organization	Data Accessed
Palo Alto Networks	Business contact information, internal sales data
Zscaler	Customer names, contacts, support case content
Google	“Very small number” of Workspace accounts
Cloudflare	Customer data from Salesforce instance
PagerDuty	Some Salesforce-stored records
Tenable	Customer contact and support case information

Qualys reassured stakeholders that its core security infrastructure remained uncompromised.

The breach did not affect the Qualys Cloud Platform’s integrity or any customer-facing functionalities.

All agents and scanners continued to operate without interruption, ensuring no service degradation for its user base.

In its public statement, Qualys affirmed its commitment to transparency and ongoing remediation.

The company continues to monitor for any anomalous activity and is collaborating closely with Mandiant and industry partners to strengthen defenses against future supply chain threats.

Organizations using third-party SaaS integrations—particularly those that connect to critical systems like Salesforce—are urged to review their own OAuth token usage, enforce strict access controls, and conduct regular security assessments.

The Salesloft Drift supply chain incident serves as a stark reminder that vulnerabilities in partner ecosystems can directly impact even the most security-focused enterprises.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates

The post Qualys Confirms Salesforce Data Compromised in Salesloft-Drift Cyberattack appeared first on Cyber Security News.