Google has confirmed a massive supply chain breach in which hackers stole data from over 200 companies, a large portion of which was stored by Salesforce. According to Austin Larsen, a principal threat analyst at Google Threat Intelligence Group, the scale of the breach was significant. Salesforce has stated that the attack was enabled through third-party applications published by Gainsight.
The hacking collective “Scattered Lapsus$ Hunters,” which includes the infamous ShinyHunters gang, claimed responsibility on Telegram. They listed high-profile targets including Atlassian, CrowdStrike, DocuSign, LinkedIn, and Verizon.
However, several companies have pushed back despite the hackers’ claims. CrowdStrike stated that it remains unaffected, though it revealed that it had terminated a “suspicious insider.” DocuSign reported no current indication of data compromise but terminated Gainsight integrations out of an abundance of caution. Moreover, Verizon dismissed the claims as “unsubstantiated.”
Gainsight has confirmed that it was a victim of an earlier security campaign targeting the Drift platform of Salesloft. The ShinyHunters hacking group informed TechCrunch that they manipulated this initial breach to compromise Gainsight. Specifically, they stole authentication tokens, which allowed them to redirect to linked Salesforce instances and subsequently download content.
Salesforce maintains that this incident did not result from a vulnerability within its own platform but has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure. Currently, Gainsight is working with Google’s incident response unit, Mandiant, to conduct a forensic analysis.
Additionally, the hackers have announced plans to launch a dedicated website next week to extort the victims of this campaign. This aligns with the group’s history of utilizing social engineering to target major corporations such as MGM Resorts and Coinbase.