Supply Chain Attack Exposes Salesforce Data

SUNDAY, NOVEMBER 23, 2025

Google Confirms Over 200 Client Records Compromised via Gainsight App, Not Direct Platform Flaw

  • Over 200 corporate clients had their Salesforce data compromised via a supply chain attack targeting the third-party application Gainsight, not a direct Salesforce platform vulnerability.
  • The breach was executed by hackers who stole authentication tokens from a previous attack on another company (Salesloft/Drift), which then allowed them to access Gainsight and connected Salesforce instances.
  • A hacker group known as "Scattered Lapsus$ Hunters" has claimed responsibility and named several major firms as victims, though some of the named companies have denied being affected.
  • In response, Salesforce has revoked access tokens for the compromised application, while the hackers are threatening to leak the stolen data on a "shaming website" to extort victims.

Google has officially confirmed that sensitive data belonging to over 200 corporate clients stored on the Salesforce platform has been compromised in a sophisticated cyber-attack.

The incident is being classified as a severe supply chain attack. Attackers did not exploit a direct vulnerability within Salesforce but instead gained access through a third-party application provided by Gainsight, a customer relationship management platform vendor.

Austin Larsen, a Senior Threat Analyst at the Google Threat Intelligence Group, stated that Google detected anomalies and verified that more than 200 Salesforce instances were affected.

This confirmation follows a statement from Salesforce last Thursday, which acknowledged a data compromise involving some customers via the Gainsight application. Salesforce strongly maintained that the breach was not due to a defect in its platform.

Hackers Name Major Firms; Victims Push Back

The hacker group responsible, calling themselves "Scattered Lapsus$ Hunters" (which includes members of the notorious ShinyHunters cyber gang), publicly claimed responsibility and named several multinational organisations allegedly affected, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

However, several named companies have issued strong rebuttals:

CrowdStrike: A spokesperson firmly denied being affected, assuring that customer data remains "100% secure." "We are not affected by the Gainsight issue and all customer data remains secure," a CrowdStrike spokesperson stated. They did confirm, however, that an employee had been dismissed due to suspicious conduct, suggesting a possible insider threat connected to the incident. As the company said in its statement: "Our systems were never compromised and customers remained protected throughout."

Verizon: The company stated it was aware of the claims but had found no evidence to confirm any actual data leakage.

Docusign: The Chief Information Security Officer (CISO) reported that initial checks showed no signs of a breach, but the company has fully disconnected from Gainsight as a precaution.

Technique: Stolen Authentication Tokens

ShinyHunters informed TechCrunch that they breached Gainsight's system by exploiting the fallout from a previous attack targeting customers of Salesloft (the provider of the AI marketing platform Drift).

The hackers stole authentication tokens from Drift. These tokens effectively acted as digital keys, allowing them to access connected Salesforce instances and successfully extract data.

Gainsight has since confirmed it was a victim of an earlier attack, noting that the issue arose from an external application connection, not an internal Salesforce flaw.

Gainsight is now working with Mandiant, Google's incident response team, to conduct a comprehensive forensic investigation.

Salesforce Retaliates as Extortion Threat Rises

To mitigate damage, Salesforce has temporarily revoked the access tokens for applications connected to Gainsight and is currently notifying affected clients.

The situation is expected to escalate, as the Scattered Lapsus$ Hunters group has announced plans to launch a dedicated data shaming website next week.

This is a common tactic used by the group—known for their expertise in Social Engineering—to force victims into paying a ransom. The group has previously targeted global entities such as MGM Resorts, Coinbase, and DoorDash.