Google Confirms Massive Supply Chain Attack, 200+ Firms' Salesforce Data Stolen
Hackers steal Salesforce data from 200+ companies via Gainsight

In a significant cybersecurity development, Google has officially confirmed a massive supply chain attack that enabled hackers to steal sensitive data from Salesforce systems belonging to more than 200 companies worldwide. The breach occurred through applications published by Gainsight, a prominent customer support platform provider, raising serious concerns about third-party security risks in the digital ecosystem.

How the Supply Chain Attack Unfolded

The cyber intrusion began when hackers gained unauthorized access to Salesforce instances through compromised Gainsight applications. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, revealed that his team has identified "more than 200 potentially affected Salesforce instances" in what appears to be a carefully orchestrated campaign. The tech giant's confirmation came after Salesforce initially disclosed a breach affecting "certain customers' Salesforce data" without naming the impacted organizations.

According to detailed reports from TechCrunch, the notorious cybercrime collective known as Scattered Lapsus$ Hunters has claimed responsibility for these breaches. This dangerous group includes members from the infamous ShinyHunters gang and has previously targeted major corporations including Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, and Verizon.

Company Responses and Security Measures

Several potentially affected companies have issued statements regarding the security incident. CrowdStrike spokesperson Kevin Benacci clarified that while their company remains unaffected by the Gainsight issue and customer data remains secure, they did dismiss a "suspicious insider" who allegedly shared information with hackers. This highlights the complex nature of modern cyber threats that combine external attacks with internal vulnerabilities.

Verizon spokesperson Kevin Israel acknowledged awareness of "the unsubstantiated claim by the threat actor" but provided no additional evidence. Meanwhile, Malwarebytes confirmed through spokesperson Ashley Stewart that their security team is "aware" of the Gainsight and Salesforce issues and is "actively investigating the matter."

Michael Adams, chief information security officer at DocuSign, provided more detailed reassurance, stating that through "comprehensive log analysis and internal investigation, we have no indication of Docusign data compromise at this time." However, exercising caution, the company has "terminated all Gainsight integrations and contained related data flows."

The Attack Methodology and Investigation

The hackers employed a sophisticated approach, initially targeting customers of Salesloft, which offers an AI- and chatbot-based marketing tool called Drift. In discussions with TechCrunch, ShinyHunters representatives explained they stole Drift authentication tokens from affected customers, which then allowed them to access linked Salesforce systems and download valuable corporate data.

"Gainsight was a customer of Salesloft Drift; they were affected and therefore compromised entirely by us," a spokesperson for ShinyHunters revealed. Gainsight has acknowledged being among the victims of this hacking campaign but has refrained from detailed comments on the matter.

Salesforce has maintained its corporate stance, with spokesperson Nicole Aranda stating that "as a matter of policy, Salesforce does not comment on specific customer issues." The company has been careful to distance its platform from responsibility, emphasizing there is "no indication that this issue resulted from any vulnerability in the Salesforce platform."

Gainsight has engaged Google-owned incident response firm Mandiant to conduct a comprehensive investigation into the breach. The company continues to post updates on its status page, noting that the incident "originated from the applications' external connection and not from any issue or vulnerability within the Salesforce platform." As a precautionary measure, Salesforce has temporarily revoked active access tokens for Gainsight-connected apps while its investigation into unusual activity continues.
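As an added illustration (not code from the article, Salesforce, Gainsight or Google): a small detector over constructed API-usage records that flags a connected app whose token is suddenly used from an unseen network or to pull an unusually large volume of rows, the kind of log review the investigations described above depend on. The record layout, sample values and threshold are assumptions, not any product's real schema.

```python
# Added example: review per-integration API activity and flag connected apps
# whose stolen-token abuse would look like a new source network plus a bulk
# data pull. Record layout is a constructed stand-in, NOT Salesforce's schema.
from collections import defaultdict

# (timestamp, connected_app, source_ip, rows_returned) -- constructed sample data
BASELINE = [  # a known-good window of activity per integration
    ("2025-11-10T09:00", "support-sync", "203.0.113.10", 120),
    ("2025-11-11T09:00", "support-sync", "203.0.113.10", 140),
    ("2025-11-12T09:00", "billing-sync", "198.51.100.7", 300),
]
RECENT = [  # the window under review
    ("2025-11-18T02:13", "support-sync", "192.0.2.55", 40_000),  # new IP, bulk pull
    ("2025-11-18T02:20", "support-sync", "192.0.2.55", 35_000),
    ("2025-11-18T09:00", "billing-sync", "198.51.100.7", 310),   # normal
]


def profile(events):
    """Per app: the set of source IPs seen and the total rows returned."""
    ips, rows = defaultdict(set), defaultdict(int)
    for _ts, app, ip, n in events:
        ips[app].add(ip)
        rows[app] += n
    return ips, rows


def flag_integrations(baseline, recent, row_threshold=50_000):
    """Return {app: [reasons]} for apps whose recent token use is anomalous:
    a source IP absent from the baseline, or rows pulled above the threshold."""
    base_ips, _ = profile(baseline)
    new_ips, new_rows = profile(recent)
    findings = {}
    for app in new_ips:
        reasons = []
        unseen = new_ips[app] - base_ips.get(app, set())
        if unseen:
            reasons.append(f"token used from unseen IP(s): {sorted(unseen)}")
        if new_rows[app] > row_threshold:
            reasons.append(f"bulk export: {new_rows[app]} rows in window")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in flag_integrations(BASELINE, RECENT).items():
        print(app, "->", "; ".join(reasons))
```

A real deployment would key on the integration's client identifier rather than a display name and tune the row threshold per app from its own history.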

Ongoing Threats and Future Risks

The Scattered Lapsus$ Hunters group has announced plans to launch a dedicated website next week to extort victims of their latest campaign, following their established pattern of operations. In October, the cybercrime collective created a similar site after stealing Salesforce data during the Salesloft incident, indicating a consistent strategy of data theft followed by extortion attempts.

This English-speaking hacker collective, composed of members from ShinyHunters, Scattered Spider, and Lapsus$, relies heavily on social engineering tactics to persuade company employees to provide access to internal systems or databases. Their track record includes claimed responsibility for breaches affecting several major corporations, including MGM Resorts, Coinbase, and DoorDash, establishing them as a persistent threat in the cybersecurity landscape.

As the investigation continues, Gainsight has confirmed that Salesforce is directly notifying customers whose data was compromised in this sophisticated supply chain attack. The incident serves as a stark reminder of the vulnerabilities inherent in interconnected digital ecosystems and the critical importance of robust third-party security protocols.