Google has confirmed that hackers stole data held in the Salesforce instances of more than 200 companies and institutions in a large-scale supply-chain attack.
Salesforce disclosed that certain customers' Salesforce data (without naming the affected companies) was stolen through apps published by Gainsight, a vendor whose platform provides customer-support and customer-success tooling to other organizations.
According to TechCrunch, the principal threat analyst of Google Threat Intelligence Group said in a statement that the company is aware of more than 200 potentially affected Salesforce instances. After Salesforce announced the breach, the hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility in a Telegram channel for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
Investigations by the named companies
A CrowdStrike spokesperson said in a statement that the company was not affected by the Gainsight issue and that all of its customer data remained secure; CrowdStrike separately confirmed that it had terminated a suspicious insider for allegedly passing information to hackers.
TechCrunch contacted every company named by Scattered Lapsus$ Hunters. A Verizon spokesperson said the company was aware of the threat actor's claim, which it called unsubstantiated, and noted that the group had offered no evidence for it. Malwarebytes said its security team was aware of the Gainsight and Salesforce issues and was actively investigating. Thomson Reuters said it was actively investigating as well. Docusign said in a statement that, following a comprehensive log analysis and internal investigation, it had no indication that any customer data had been compromised, and that it had taken a number of measures, including terminating all Gainsight integrations and containing related data flows.
Hackers from the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight through their earlier campaign against customers of Salesloft, whose Drift product is an AI chatbot-based marketing platform. In that campaign they stole Drift authentication tokens from those customers, used them to break into the customers' linked Salesforce instances, and downloaded their contents. The tokens are what made this possible: an OAuth token issued to a connected app lets whoever holds it call the Salesforce API with the app's granted scope, with no password or MFA challenge in the way. At the time, Gainsight confirmed it was among the victims of that campaign.
Salesforce said there was no indication that the issue resulted from any vulnerability in the Salesforce platform, a position that effectively separates the platform from its customers' data breaches. Gainsight, for its part, began publishing updates on its incident page and said on Friday that it had engaged Google's incident-response unit Mandiant to help investigate. It was also stated that the incident originated from the application's external connection and not from any issue or vulnerability within the Salesforce platform, and that forensic analysis would continue as part of a comprehensive and independent review.
Salesforce also temporarily revoked all active access tokens for Gainsight-connected apps as a precaution while its investigation into the unusual activity continues. Revocation closes the door to further API access, but it does not undo exports that completed while the tokens were valid, so affected organizations still need to establish what those apps touched during that window. In its Telegram channel, Scattered Lapsus$ Hunters said it planned to launch a dedicated website to extort the victims of its latest campaign. That is the group's established modus operandi: in October, the hackers published a similar extortion site after stealing victims' Salesforce data in the Salesloft incident.
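The two security-relevant mechanics in this story are stolen connected-app tokens being used for API logins, and Salesforce revoking those tokens. The script below is an added example, not code from Salesforce, Gainsight, Salesloft or the article's author: it triages records shaped like Salesforce's LoginHistory object (field names LoginType, Application, SourceIp, UserId, LoginTime and Status are real; "Remote Access 2.0" is the LoginType Salesforce records for OAuth 2.0 connected-app logins) for connected-app logins that are unapproved, from an unfamiliar source IP, or arriving in bursts, and it builds the request for the /services/oauth2/revoke endpoint. The app names, user IDs, IPs and the approved-app baseline are constructed for the example.

```python
"""
Triage Salesforce LoginHistory-style records for connected-app (OAuth) access and
build a token-revocation request. Added example, not vendor code. The rows in
SAMPLE_LOGINS and the APPROVED_APPS baseline are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real data), shaped like the result of:
#   SELECT UserId, LoginTime, LoginType, Application, SourceIp, Status FROM LoginHistory
SAMPLE_LOGINS = [
    {"UserId": "005A", "LoginTime": "2025-11-18T02:14:09Z", "LoginType": "Remote Access 2.0",
     "Application": "CS Platform Sync", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-11-18T02:14:40Z", "LoginType": "Remote Access 2.0",
     "Application": "CS Platform Sync", "SourceIp": "198.51.100.77", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-11-18T02:15:02Z", "LoginType": "Remote Access 2.0",
     "Application": "CS Platform Sync", "SourceIp": "198.51.100.77", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-11-18T02:15:31Z", "LoginType": "Remote Access 2.0",
     "Application": "CS Platform Sync", "SourceIp": "198.51.100.77", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-11-18T09:00:00Z", "LoginType": "Application",
     "Application": "Browser", "SourceIp": "192.0.2.5", "Status": "Success"},
    {"UserId": "005C", "LoginTime": "2025-11-18T11:30:00Z", "LoginType": "Remote Access 2.0",
     "Application": "Unknown Export Tool", "SourceIp": "198.51.100.77", "Status": "Success"},
]

# Assumed baseline (hypothetical): approved connected apps mapped to the egress IPs
# they were seen from before the incident window.
APPROVED_APPS = {"CS Platform Sync": {"203.0.113.10"}}

OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # LoginType Salesforce records for OAuth 2.0 logins


def _parse_time(s: str) -> datetime:
    # LoginHistory returns ISO-8601 UTC timestamps with a trailing "Z".
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(logins, approved_apps, burst_window=timedelta(minutes=5), burst_threshold=3):
    """Return findings for successful OAuth connected-app logins worth an analyst's time.

    Three signals, each reported at most once per app/user or app/IP pair:
      unapproved_app - an OAuth login from a connected app that is not on the allowlist
      new_source_ip  - an approved app logging in from an IP never seen for it before
      burst          - one user+app pair logging in >= burst_threshold times inside
                       burst_window, a pattern consistent with scripted bulk export
    """
    findings = []
    seen = set()
    by_pair = defaultdict(list)

    for row in logins:
        if row["LoginType"] != OAUTH_LOGIN_TYPE or row["Status"] != "Success":
            continue  # interactive logins and failed attempts are out of scope here
        app, ip, user = row["Application"], row["SourceIp"], row["UserId"]
        if app not in approved_apps:
            key = ("unapproved_app", app, user)
            if key not in seen:
                seen.add(key)
                findings.append({"kind": "unapproved_app", "Application": app,
                                 "UserId": user, "SourceIp": ip})
        elif ip not in approved_apps[app]:
            key = ("new_source_ip", app, ip)
            if key not in seen:
                seen.add(key)
                findings.append({"kind": "new_source_ip", "Application": app,
                                 "UserId": user, "SourceIp": ip})
        by_pair[(user, app)].append(_parse_time(row["LoginTime"]))

    # Burst check: any run of burst_threshold consecutive logins inside burst_window.
    for (user, app), times in by_pair.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if times[i + burst_threshold - 1] - times[i] <= burst_window:
                findings.append({"kind": "burst", "Application": app, "UserId": user,
                                 "count": len(times), "first": times[i].isoformat()})
                break
    return findings


def build_revoke_request(instance_url: str, token: str):
    """Return (url, form_body) for Salesforce's OAuth revocation endpoint.

    POSTing token=<access or refresh token> to /services/oauth2/revoke invalidates
    that token. The caller must already hold the token; the endpoint does not
    enumerate or bulk-revoke tokens for an app.
    """
    return f"{instance_url.rstrip('/')}/services/oauth2/revoke", {"token": token}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGINS, APPROVED_APPS):
        print(finding)
    print(build_revoke_request("https://example.my.salesforce.com", "tok123"))
```

On the constructed rows this flags the approved app logging in from an unfamiliar IP, the four-login burst from the same user and app inside two minutes, and the unlisted "Unknown Export Tool" app; the interactive browser login is ignored. The revocation helper only covers a token you already hold, which is the narrow case; revoking everything issued to one connected app across an org is an administrative action in Salesforce Setup rather than a single API call, and, as noted above, neither step recovers data that was already exported.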