Google says hackers stole data from 200 companies following Gainsight breach

News Room
Last updated: 2025/11/24 at 6:12 PM

Google has confirmed a large-scale data breach affecting over 200 companies using Salesforce, resulting from a sophisticated supply chain attack. The incident, disclosed by Salesforce on Thursday, stems from compromised access via applications connected to the platform, specifically those provided by customer support company Gainsight. Security researchers are investigating the extent of the damage and potential exposure of sensitive customer data.

Significant Salesforce Data Breach Impacts Hundreds of Companies

The breach centers around data stolen through applications published by Gainsight, a customer success platform popular with businesses of all sizes. According to a statement from Austin Larsen, Principal Threat Analyst at Google’s Threat Intelligence Group, the company is currently aware of more than 200 potentially affected Salesforce instances. The notorious hacking group, Scattered Lapsus$ Hunters—which incorporates the activities of ShinyHunters—has claimed responsibility for the attack.

Scattered Lapsus$ Hunters publicly stated its involvement via a Telegram channel and has specifically named several organizations as victims, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. The group is known for its aggressive tactics, combining social engineering with technical exploits to gain access to systems and data.

How the Breach Occurred: A Look at the Attack Chain

The hackers reportedly gained access through a previous campaign targeting customers of Salesloft, another platform offering AI-powered marketing tools. According to ShinyHunters representatives in an online chat with TechCrunch, they initially stole authentication tokens from Salesloft customers. These tokens allowed them to access linked Salesforce instances and exfiltrate data. Gainsight was confirmed as a victim of the initial Salesloft breach, leaving it as a potential entry point in this wider attack.

Salesforce maintains that the breach did not originate from a vulnerability within its own platform. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the company stated, distancing itself from the security failures of its customers’ integrated applications. However, the incident highlights the inherent risks of connecting third-party applications to sensitive data stores.

Company Responses and Investigations

Several companies named by the hacking group have issued statements. CrowdStrike spokesperson Kevin Benacci confirmed the company was not affected by the Gainsight issue and that customer data remained secure. They also disclosed the termination of a “suspicious insider” allegedly involved in passing information to the hackers. Verizon acknowledged the claim but stated it was unsubstantiated, while Malwarebytes confirmed it was actively investigating the matter.

Docusign stated that a log analysis had, so far, revealed no compromise of their data. Nevertheless, the company proactively terminated all Gainsight integrations and contained related data flows as a precautionary measure. A Thomson Reuters spokesperson indicated that the company is also actively investigating the situation. At the time of publication, several other companies mentioned by the group had not responded to requests for comment.

Gainsight has been providing updates on its incident page, and is now working with Google’s Mandiant unit to investigate. The company affirmed the breach originated from external connections to the Salesforce platform, not from a weakness within Salesforce itself. Forensic analysis is ongoing.

Extortion Threats and the Group’s Motives

Scattered Lapsus$ Hunters plans to launch a dedicated website next week to extort the victims of this campaign – a tactic previously employed following the Salesloft incident. This suggests a financially motivated operation, with the hackers seeking ransom payments in exchange for not publishing stolen data. This group is known to be a collective of several cybercriminal gangs, utilizing social engineering to infiltrate systems.

The group’s past targets have included major organizations like MGM Resorts, Coinbase, and DoorDash, demonstrating a pattern of targeting high-profile companies with valuable data. The incident underscores the growing threat of supply chain attacks, where hackers exploit vulnerabilities in third-party vendors to gain access to a larger network of targets. This incident is a stark reminder of the importance of robust data security measures, especially when integrating third-party applications.

The full scope of the impacted Salesforce data and the specific nature of the information stolen are still being determined. Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precaution and is notifying affected customers. The larger ramifications for cloud security, and the need for stricter vendor risk management, are likely to be discussed in the coming weeks.

Looking ahead, the focus will be on the findings of the ongoing forensic investigations by Gainsight and Mandiant. Companies utilizing Gainsight and similar applications should review their security protocols and access controls to mitigate potential risks. The launch of the extortion website by Scattered Lapsus$ Hunters will also be a key event to monitor, as it may provide further details about the stolen data and the group’s demands.
