Salesforce Confirms Customer Data Theft After Gainsight Compromise
Google has confirmed that, in a major supply-chain attack, hackers went through Gainsight to steal data that more than 200 companies had stored in Salesforce. On Thursday, Salesforce acknowledged that data from several of its customers had been compromised, though it did not disclose how many organizations were affected. The data theft occurred through apps published by Gainsight, according to a TechCrunch report.
Austin Larsen, lead analyst at Google’s Threat Intelligence Group, said that over 200 Salesforce instances may have been compromised. Following this, the notorious hacking group Scattered Lapsus Hunters—which is associated with ShinyHunters—claimed responsibility on Telegram for breaching multiple tech companies. They alleged data theft from Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
CrowdStrike stated that it was not affected and that it has fired a “suspicious insider.” Verizon and Malwarebytes said they are investigating the matter. DocuSign reported that there is no evidence its data has been compromised but said it disabled all Gainsight integrations as a precaution.
ShinyHunters claimed they previously infiltrated Gainsight by stealing tokens from Salesloft–Drift customers. Gainsight later confirmed that it, too, had been affected by that earlier attack.
Salesforce said that this incident is not related to any vulnerability in its own platform. Gainsight stated that the breach originated from external connections to its application. An investigation is ongoing with support from the Mandiant team, and Salesforce has revoked all Gainsight app tokens as a precaution.
The hacker group has stated that it will soon launch a new website to extort affected organizations.
DBTech/BMT/OR



