Tenable
adj. Capable of being maintained in argument; rationally defensible.
adj. Capable of being held against assault; defensible.
adj. Capable of enduring or of being tolerated.
tenable
adjective | ten·a·ble | \ˈte-nə-bəl\
capable of being held, maintained, or defended : defensible, reasonable
WP Advanced Custom Fields Extended plugin bug gives admin
Your friendly reminder to minimize the WordPress plugins you deploy to what you actually need. BleepingComputer has an article: A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions. ACF Extended, currently active on 100,000 websites, is a…

"Suggs don't fail me now" - my mum trying to answer a question on Tenable
Tenable Confirms Data Breach: What It Reveals About SaaS Supply-Chain Risk
Tenable — a leading vulnerability management provider — has confirmed a security incident exposing some customers’ contact details and support case information. While the breach did not compromise Tenable’s core products, the attack underscores an emerging and dangerous trend: supply-chain exploitation of SaaS integrations.
A Breach Born from SaaS Integration Risk
According to Tenable, the intrusion traces back to a coordinated campaign abusing the integration between Salesforce and Salesloft Drift, a widely adopted sales engagement platform. This campaign has already impacted multiple high-profile organizations — from cybersecurity vendors to global tech companies — demonstrating how attackers can weaponize trusted third-party connections inside major cloud ecosystems.
Tenable stated that an unauthorized actor gained access to a segment of customer data within its Salesforce instance. No Tenable platform or vulnerability management data was breached, but the exposure raises questions about how deeply embedded SaaS apps are protected inside enterprise CRM environments.
What Data Was Exposed
The compromised information was limited to non-sensitive customer and support data stored in Salesforce. Specifically:
• Business contact details — names, work emails, and phone numbers.
• Geographic references tied to customer accounts.
• Support case metadata — subject lines and initial descriptions submitted by customers.
Tenable emphasized that it has found no evidence of misuse of the exposed data to date. Still, given how attackers can weaponize even benign-looking business contact details for phishing or social engineering, the breach remains significant.
Part of a Larger Supply-Chain Attack
This incident is not isolated. Security researchers have linked it to a broader and sophisticated campaign exploiting the Salesforce–Salesloft Drift integration. By compromising OAuth tokens and abusing app permissions, threat actors have successfully exfiltrated CRM data from multiple enterprises.
High-profile victims of this campaign include:
• Palo Alto Networks – Exposure of internal sales and contact information.
• Zscaler – Customer names, contact details, and some support content accessed.
• Google – A “very small number” of Workspace accounts impacted via compromised tokens.
• Cloudflare – CRM data stolen from its Salesforce instance.
• PagerDuty – Unauthorized access to Salesforce data confirmed.
This coordinated activity mirrors previous supply-chain incidents — such as SolarWinds or Okta’s support breach — but focuses on SaaS integrations and identity delegation rather than software updates or network appliances.
Tenable’s Response
Upon discovering the intrusion, Tenable moved quickly to contain and mitigate:
• Credential rotation — All Salesforce, Drift, and related integration credentials were revoked and re-issued.
• App removal — The Salesloft Drift application and all related integrations were disabled and removed from Tenable’s Salesforce environment.
• Environment hardening — New security controls were deployed across Salesforce and connected systems.
• IoC deployment — Tenable applied indicators of compromise from Salesforce and other threat intelligence partners to block further malicious activity.
• Ongoing monitoring — Continuous surveillance of Salesforce and other SaaS systems to detect anomalies.
The company has also advised customers to review Salesforce’s recommended security hardening steps and ensure they’re not exposed through the same integration.
Key Takeaways for Security Teams
This breach highlights several critical lessons for organizations relying on SaaS platforms:
1. Third-party apps inside SaaS ecosystems are part of your attack surface. Treat Salesforce integrations the same way you’d treat on-prem software vendors.
2. Least privilege applies to apps, not just users. Periodically audit OAuth scopes and API tokens.
3. Proactive threat hunting is essential. Don’t wait for indicators from vendors; set up your own anomaly detection on SaaS platforms.
4. Supply-chain compromise is now identity-driven. Even without breaching core infrastructure, attackers can siphon valuable data from trusted integrations.
The Bottom Line
Tenable’s transparency about the breach — and its prompt mitigation steps — are commendable. But this incident should serve as a wake-up call for any organization deeply invested in SaaS ecosystems. As integrations proliferate, the weakest link may not be your core platform but the apps, connectors, and tokens bridging your cloud services.
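The credential rotation and app removal steps in Tenable's response, and the OAuth audit in takeaway 2, can be verified mechanically against an export of integration grants. The following is an added example, not part of the original post or any vendor's tooling; the inventory format, field names, app names, scope names, dates and policy values are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of OAuth grants, as might be exported from a SaaS admin
# console. Field names, app names and scope names are assumptions for the example.
GRANTS = [
    {"app": "chat-connector", "user": "svc-sales", "scopes": {"api", "refresh_token"},
     "issued": "2025-05-02T09:00:00+00:00", "last_used": "2025-08-30T11:20:00+00:00"},
    {"app": "report-exporter", "user": "svc-bi", "scopes": {"api"},
     "issued": "2025-09-10T08:00:00+00:00", "last_used": "2025-09-20T07:00:00+00:00"},
    {"app": "calendar-sync", "user": "j.doe", "scopes": {"api", "refresh_token", "full"},
     "issued": "2025-01-15T10:00:00+00:00", "last_used": "2025-02-01T10:00:00+00:00"},
    {"app": "unknown-tool", "user": "a.lee", "scopes": {"api"},
     "issued": "2025-09-12T10:00:00+00:00", "last_used": "2025-09-19T10:00:00+00:00"},
]

POLICY = {  # constructed policy: per-app scope allow-list plus incident-response facts
    "allowed_scopes": {"report-exporter": {"api"}, "calendar-sync": {"api", "refresh_token"}},
    "removed_apps": {"chat-connector"},             # integration removed during response
    "rotation_cutoff": "2025-09-01T00:00:00+00:00",  # older tokens should no longer exist
    "max_idle_days": 90,
}

def audit_grants(grants, policy, now):
    """Return {(app, user): [reasons]} for every grant that violates the policy."""
    cutoff = datetime.fromisoformat(policy["rotation_cutoff"])
    max_idle = timedelta(days=policy["max_idle_days"])
    findings = {}
    for g in grants:
        reasons = []
        issued = datetime.fromisoformat(g["issued"])
        if g["app"] in policy["removed_apps"]:
            reasons.append("app removed but grant still present")
        elif g["app"] not in policy["allowed_scopes"]:
            reasons.append("app not on approved list")
        else:
            extra = g["scopes"] - policy["allowed_scopes"][g["app"]]
            if extra:
                reasons.append("excess scopes: " + ",".join(sorted(extra)))
        if issued < cutoff:
            reasons.append("issued before rotation cutoff")
        if now - datetime.fromisoformat(g["last_used"]) > max_idle:
            reasons.append("idle more than %d days" % policy["max_idle_days"])
        if reasons:
            findings[(g["app"], g["user"])] = reasons
    return findings

if __name__ == "__main__":
    now = datetime(2025, 9, 21, tzinfo=timezone.utc)  # constructed audit date
    print(audit_grants(GRANTS, POLICY, now))
```

Any grant reported as issued before the rotation cutoff means revocation was incomplete, which is the case worth alerting on first.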
RCE Bug in Oracle Cloud Shell Could Let Attackers Hijack Sessions
Tenable found a critical flaw in Oracle Cloud’s Code Editor that allowed attackers to push malicious files into a user’s session with a single click. If exploited, it could let hackers run code and spread across services silently.
Source: Tenable
Read more: CyberSecBrief