Google has admitted that hackers stole more than 200 companies' data stored in Salesforce in a massive supply chain hack.
Salesforce said Thursday that “Salesforce data for certain customers” had been compromised, although it did not name the affected companies. The data was stolen through an app published by Gainsight, which provides a customer support platform for other companies.
Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in a statement that the company is “aware of over 200 Salesforce instances that may be affected.”
After Salesforce announced the breach, the notorious and somewhat obscure hacking group known as Scattered Lapsus$ Hunters (which also includes the ShinyHunters gang) claimed responsibility for the hack in a Telegram channel, which TechCrunch has seen.
The hacker group claimed responsibility for hacks that affected Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
Google declined to comment on specific victims.
CrowdStrike spokesperson Kevin Benacci told TechCrunch in a statement that the company is “not affected by the Gainsight issue and all customer data remains secure.” CrowdStrike confirmed to TechCrunch that it fired a “suspicious insider” who allegedly passed information to the hackers.
TechCrunch reached out to all the companies mentioned by Scattered Lapsus$ Hunters. A Verizon spokesperson acknowledged receipt of our email.
Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company's security team is “aware” of the issue with Gainsight and Salesforce and is “actively investigating the issue.”
As of publication, the other companies had not responded to requests for comment.
Hackers from the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight thanks to a previous hacking campaign targeting customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift. In that earlier campaign, hackers stole Drift authentication tokens from those customers, allowing them to compromise the linked Salesforce instances and download their contents.
At the time, Gainsight acknowledged that it was one of the victims of that hacking campaign.
“Gainsight was a customer of Salesloft Drift, but they were affected and therefore fully compromised by us,” a ShinyHunters group spokesperson told TechCrunch.
“As a matter of policy, Salesforce does not comment on specific customer issues,” Salesforce spokesperson Nicole Aranda told TechCrunch.
Gainsight did not respond to TechCrunch's request for comment.
Salesforce on Thursday effectively distanced itself from the customer data breach, saying there is “no indication that this issue is due to a vulnerability in the Salesforce platform.”
Gainsight provides up-to-date information about the incident on its incident page. On Friday, the company announced that it is working with Mandiant, Google's incident response arm, to help investigate the breach. It said that the incident in question “resulted from the application's external connectivity, and not from any issues or vulnerabilities within the Salesforce platform,” and that “forensic analysis is ongoing as part of a comprehensive and independent review.”
“Salesforce has temporarily revoked active access tokens for Gainsight-connected applications as a precaution while the investigation into anomalous activity continues,” according to Gainsight's incident page, which said Salesforce is notifying affected customers whose data was stolen.
Scattered Lapsus$ Hunters said on its Telegram channel that it plans to launch a dedicated website by next week to extort victims of the latest campaign. This is the group's modus operandi. In October, the hackers published a similar extortion website after stealing victims' Salesforce data in the Salesloft incident.
Scattered Lapsus$ Hunters is an English-speaking hacker collective made up of several cybercriminal groups, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into giving the hackers access to their systems and databases. Over the past few years, these groups have claimed several high-profile victims, including MGM Resorts, Coinbase, and DoorDash.

