Proofpoint, Tenable, CyberArk Impacted In Third-Party Salesforce Breach

The companies are among numerous cybersecurity vendors reporting that customer data stored in their Salesforce CRM instance was compromised, in connection with the breach of the Salesloft Drift application.

Three more well-known cybersecurity vendors have joined the lengthy list of companies impacted in the recent breach of a third-party Salesforce application, with Proofpoint, Tenable and CyberArk disclosing they were affected in the widespread Salesloft Drift attacks.

The companies posted advisories this week reporting that customer data stored in their Salesforce CRM instance was compromised, in connection with the breach of the Salesloft Drift application.

Other cybersecurity vendors that have disclosed being impacted by the cyberattacks include Palo Alto Networks, Zscaler, Cloudflare, Tanium, Rubrik, Cato Networks and BeyondTrust.

The attacks have involved stolen authentication tokens for Salesloft-owned workflow automation app Drift, which threat actors have used to steal data from Salesforce CRM systems. It’s unclear how threat actors obtained the tokens.

In a disclosure posted online Tuesday, Proofpoint said it was “notified by Salesforce of suspicious activity” related to the Salesloft Drift application.

Following an investigation, “current findings confirm that an unauthorized actor accessed Proofpoint’s Salesforce tenant through the compromised Drift integration and viewed certain information stored in our Salesforce instance,” the company said.

In a statement provided to CRN Friday, Proofpoint said that its investigation “confirmed that the threat actor accessed Salesforce ‘case’ objects, which in our environment contained limited contact information—specifically, a small number of customer employee names and business email addresses. No email messages, attachments or sensitive configuration data were stored or exposed.”

Proofpoint infrastructure and internal systems were not impacted by the incident, nor were any customer instances of Proofpoint’s services impacted, the company added.

In an advisory Wednesday, Tenable disclosed that it “was among the many organizations impacted” in the Salesloft Drift attacks, during which “an unauthorized user had access to a portion of some of our customers’ information stored in our Salesforce instance.”

Impacted data includes “subject lines and initial descriptions provided by our customers when opening a Tenable support case” as well as standard contact information such as name, business email address, phone number and location reference.

Tenable products, and data stored in the vendor’s products, were not affected, the company said. CRN has reached out to Tenable for further comment.

CyberArk, a publicly traded identity security vendor that Palo Alto Networks has a deal to acquire for $25 billion, confirmed Wednesday it was among the “hundreds of organizations” impacted in the Salesloft Drift attacks.

Data accessed in the attack might include business contact information as well as account metadata, conversation metadata and summary fields, the company said.

Other customer data such as support case information was not impacted, and CyberArk products and services were also not affected, the company said. CyberArk told CRN it has no further comment beyond the advisory.

The Salesloft Drift campaign was first disclosed by the Google Threat Intelligence Group on Aug. 26, which said it’s advising Salesloft Drift customers to “treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”

The attacks—linked to a threat group tracked by Google threat researchers as UNC6395—are believed to have taken place between Aug. 8 and Aug. 18, according to the post.

Google itself has been among the victims, the company said, with a threat actor found to have used stolen tokens to “access email from a very small number of Google Workspace accounts” on Aug. 9.

One cybersecurity vendor, Okta, has reported thwarting an attempted attack involving Salesloft Drift.

The identity security vendor said in a post Tuesday that security measures implemented after prior breaches in 2022 and 2023 helped to fend off the attackers. Those measures included enforcing inbound IP restrictions on Salesforce, “blocking the unauthorized attempt at the front door before any access could be gained,” Okta said.

“The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address,” the company said.