Google has confirmed that a large-scale supply chain attack resulted in hackers stealing data stored in Salesforce systems belonging to more than 200 companies. The stolen data was accessed via apps published by Gainsight, a customer support platform provider. Salesforce initially disclosed the breach of “certain customers’ Salesforce data” without naming the affected companies. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said that the company “is aware of more than 200 potentially affected Salesforce instances.”

According to a TechCrunch report, the cybercrime group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the breaches via a Telegram channel after the announcement. The group also claimed responsibility for hacks affecting companies including Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Verizon and more. Google, however, did not name the companies affected by the hacking campaign.
What the companies that may be affected by the hacking campaign said
In a statement to TechCrunch, CrowdStrike spokesperson Kevin Benacci noted that the company is “not affected by the Gainsight issue and all customer data remains secure.” However, CrowdStrike confirmed that it dismissed a “suspicious insider” who allegedly shared information with hackers.

Verizon spokesperson Kevin Israel said that the company “is aware of the unsubstantiated claim by the threat actor,” but did not provide further detail.

Malwarebytes spokesperson Ashley Stewart added that the company’s security team is “aware” of the Gainsight and Salesforce issues and is “actively investigating the matter.”

Meanwhile, Michael Adams, chief information security officer at DocuSign, highlighted that through “comprehensive log analysis and internal investigation, we have no indication of Docusign data compromise at this time.” Adams also noted that “out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows.”

In an online chat with TechCrunch, hackers from the ShinyHunters cybercriminal group said they gained access to Gainsight through an earlier hacking campaign targeting customers of Salesloft, which offers an AI- and chatbot-based marketing tool called Drift. In that campaign, the hackers stole Drift authentication tokens from affected customers, allowing them to access linked Salesforce systems and download their data. In other words, the Salesforce platform itself was not exploited; a third-party integration’s legitimate OAuth access was abused, so the malicious activity arrived through an integration user and looked like normal API traffic unless its source, volume or operations were compared against that integration’s usual behaviour.

“Gainsight was a customer of Salesloft Drift; they were affected and therefore compromised entirely by us,” a spokesperson for ShinyHunters said.
Gainsight confirmed that it was one of the victims of the hacking campaign, but did not comment on the hackers’ claim.

Salesforce spokesperson Nicole Aranda said that “as a matter of policy, Salesforce does not comment on specific customer issues.” Salesforce also said there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” distancing the company from the breaches involving its customers.

Gainsight has continued to post updates on its status page about the incident. Recently, the company said it is working with Google-owned incident response firm Mandiant to investigate the breach. It added that the incident “originated from the applications’ external connection and not from any issue or vulnerability within the Salesforce platform,” and that “a forensic analysis is continuing as part of a comprehensive and independent review.”

According to Gainsight’s incident page, “Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues,” and Salesforce is notifying customers whose data was taken. Revoking the tokens cuts off the integration’s access going forward; it does not recover data already exported, which is why affected customers still need to review what the integration’s user pulled before the revocation.

In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a website next week to extort victims of its latest campaign. This follows the group’s usual pattern: in October, the cybercrime group created a similar site after stealing Salesforce data during the Salesloft incident.

Scattered Lapsus$ Hunters is a group of English-speaking hackers made up of members from ShinyHunters, Scattered Spider, and Lapsus$. They rely heavily on social engineering to persuade company employees to give them access to internal systems or databases. In recent years, they have claimed responsibility for breaches affecting several major companies, including MGM Resorts, Coinbase, DoorDash and others.
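The attack path described above (a third-party integration’s stolen tokens used to pull data out of linked Salesforce instances) and the token revocation noted on Gainsight’s incident page both point to the same practitioner check: compare each connected app’s recent API activity against its own historical baseline and flag new source addresses, new operation types and outsized row counts. The script below is an added example written for this article, not code from Google, Gainsight, Salesforce or any of the companies named. The log lines are constructed for the example, and the field names (connected_app, source_ip, operation, rows) are a simplified stand-in for a real Salesforce event log, whose schema differs; adapt the parser to your actual export.

```python
"""Baseline a connected app's API activity and flag deviations that look like
token abuse by an attacker: new source IP, new operation type, or a row volume
far above anything the app has pulled before.

Added example for this article; the sample log and its field names are
constructed stand-ins, not real Salesforce event-log output.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). The integration user for the
# "Gainsight" app normally runs modest queries from two known addresses;
# then a bulk export arrives from an address never seen before.
SAMPLE_EVENTS = """timestamp,connected_app,user,source_ip,operation,rows
2025-11-10T09:00:00Z,Gainsight,int.gainsight@corp.example,203.0.113.10,query,150
2025-11-10T10:00:00Z,Gainsight,int.gainsight@corp.example,203.0.113.10,query,210
2025-11-11T09:00:00Z,Gainsight,int.gainsight@corp.example,203.0.113.11,query,180
2025-11-11T09:30:00Z,Drift,int.drift@corp.example,203.0.113.50,query,40
2025-11-12T09:00:00Z,Gainsight,int.gainsight@corp.example,203.0.113.10,query,190
2025-11-13T09:00:00Z,Gainsight,int.gainsight@corp.example,203.0.113.10,query,160
2025-11-14T02:15:00Z,Gainsight,int.gainsight@corp.example,198.51.100.77,bulk_query,250000
2025-11-14T02:20:00Z,Drift,int.drift@corp.example,203.0.113.50,query,35
2025-11-14T03:00:00Z,Unknown-App,int.gainsight@corp.example,198.51.100.77,bulk_query,90000
"""

# Events on or after this point are evaluated; earlier ones form the baseline.
EVAL_CUTOFF = datetime(2025, 11, 13)


def parse_events(text):
    """Parse the CSV log into dicts with a datetime timestamp and int rows."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec["rows"] = int(rec["rows"])
        events.append(rec)
    return events


def build_baseline(events, cutoff):
    """Per connected app: source IPs seen, operations used, largest row count."""
    baseline = defaultdict(lambda: {"ips": set(), "ops": set(), "max_rows": 0})
    for e in events:
        if e["timestamp"] >= cutoff:
            continue
        b = baseline[e["connected_app"]]
        b["ips"].add(e["source_ip"])
        b["ops"].add(e["operation"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return baseline


def find_anomalies(events, cutoff=EVAL_CUTOFF, volume_factor=10):
    """Return findings for post-cutoff events that deviate from the app's baseline.

    An app with no baseline at all is flagged too: an integration that appears
    for the first time during an incident window deserves a look.
    """
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if e["timestamp"] < cutoff:
            continue
        b = baseline.get(e["connected_app"])  # .get() does not create a default entry
        reasons = []
        if b is None:
            reasons.append("no baseline for app")
        else:
            if e["source_ip"] not in b["ips"]:
                reasons.append(f"new source IP {e['source_ip']}")
            if e["operation"] not in b["ops"]:
                reasons.append(f"new operation {e['operation']}")
            if e["rows"] > volume_factor * b["max_rows"]:
                reasons.append(
                    f"volume {e['rows']} exceeds {volume_factor}x baseline max {b['max_rows']}"
                )
        if reasons:
            findings.append({
                "timestamp": e["timestamp"].isoformat(),
                "connected_app": e["connected_app"],
                "user": e["user"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f["timestamp"], f["connected_app"], f["user"], "; ".join(f["reasons"]))
```

Two of the nine sample events are flagged: the 250,000-row bulk export by the Gainsight integration from an unknown address (three reasons at once, which is the pattern of a stolen token being used for mass download) and the never-before-seen app pulling 90,000 rows. The routine 160-row query on 2025-11-13 passes, as it should. The baseline window must come from before the suspected compromise; if the attacker’s traffic is already inside it, the new-IP and new-operation checks are blinded, so pick the cutoff from the incident timeline rather than a fixed lookback.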
