Hackers Stole Data From 200 Companies Following Salesforce-Gainsight Breach


More information on the Salesforce-Gainsight data breach has been revealed, with Google now confirming that hackers have stolen the Salesforce-stored data of more than 200 companies, as reported by TechCrunch. 

This appears to be a very different scenario from the one that Gainsight, a CSM vendor, originally claimed, where only three orgs were said to have been affected.

A Large-Scale, Supply Chain Hack

Last week, Salesforce released a security advisory informing customers that it had identified “unusual activity involving Gainsight-published applications connected to Salesforce.” This activity may have enabled unauthorized access to certain customers’ Salesforce data through Gainsight, a customer service management software platform.

Salesforce insists that, much like the breaches earlier this year, there is “no indication that this issue resulted from any vulnerability in the Salesforce platform”, and instead appears to be related specifically to the app’s external connection.

While a thorough investigation was being conducted on Gainsight’s side, Salesforce revoked all access and refresh tokens associated with Gainsight-published apps connected to it and temporarily removed those applications from the AppExchange.

At the end of last week, Gainsight announced on its community forum that Salesforce had detected API calls using the Gainsight Connected App originating from non-whitelisted IP addresses, and only three organizations were known to have been affected. 

More Than 200 Attacked Orgs 

New information now suggests that many more orgs than first anticipated have been targeted by this attack. 

Austin Larsen, the Principal Threat Analyst of Google Threat Intelligence Group, recently said in a statement that the company “is aware of more than 200 potentially affected Salesforce instances.”

Not only that, but a hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang known for a few of the previous Salesforce attacks, claimed responsibility for the hacks in a Telegram channel. 

According to TechCrunch, the hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Thomson Reuters, Verizon, and more.

In an online chat with the tech publication, the ShinyHunters group detailed that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft. 

“Gainsight was a customer of Salesloft Drift; they were affected and therefore compromised entirely by us,” a spokesperson for the ShinyHunters group told TechCrunch.

ShinyHunters: “I Do Not Like Salesforce at All”

According to an exclusive from The Register, a member of ShinyHunters revealed that they gained access to Gainsight during the Salesloft Drift hack, stating that they have actually had access for three months. 

“The data from Salesloft Drift breached has enabled entry points into so many systems. Very lucrative systems,” a member of the cyber-gang claiming to be Shiny told The Register. “I do not like Salesforce at all. Would be nice if they stopped acting all high and mighty and just paid to fix this mess.”

In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by this week, similar to how a website was launched after the Salesloft breach. 

“The next DLS will contain the data of the Salesloft and GainSight campaigns,” a spokesperson of the group said. “Which is, in total, almost 1000 organizations. Only actual companies, mainly Fortune 500, will be listed, or things I feel would be worth it.” 

How Can I Keep Myself and My Org Safe?

As of the time of writing, no new guidance from Salesforce has been issued. The security advisory continues to say that the issue is ongoing, but there is now a help page detailing more information on the specific activities. 

“Moving forward, all new updates and resources to assist our customers will be shared via this help article,” Salesforce wrote. “Your security is our top priority, and we appreciate your understanding and cooperation during this time.”

Final Thoughts 

As more information on the Salesforce-Gainsight breach comes to light, we will be sure to report on it. At present, users should refer back to the help article for the most up-to-date information.

Have you been affected by this data breach? Reach out to us anonymously or not at tips@salesforceben.com.
