Google says hackers stole data from 200 companies following Gainsight breach

Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack. On Thursday, Salesforce disclosed a breach of certain customers’ Salesforce data, which was stolen via apps published by Gainsight, a company that provides a customer support platform to other businesses. Salesforce did not name the affected companies.

In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company is aware of more than 200 potentially affected Salesforce instances.

After Salesforce announced the breach, the notorious hacking group known as Scattered Lapsus Hunters, which includes the ShinyHunters gang, claimed responsibility in a Telegram channel for hacks affecting a wide range of companies, including Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Google would not comment on specific victims. CrowdStrike’s spokesperson Kevin Benacci stated that the company is not affected by the Gainsight issue and that all customer data remains secure. CrowdStrike also said it terminated a suspicious insider for allegedly passing information to hackers.

TechCrunch reached out to all the companies mentioned by Scattered Lapsus Hunters. A spokesperson for Verizon acknowledged receipt of the inquiry. Malwarebytes spokesperson Ashley Stewart said the company’s security team is aware of the Gainsight and Salesforce issues and is actively investigating the matter. At the time of publishing, none of the other companies had responded to requests for comment.

Hackers with the ShinyHunters group explained in an online chat that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing them to break into the customers’ linked Salesforce instances and download their contents. Gainsight had previously confirmed it was among the victims of that hacking campaign. A ShinyHunters member stated that Gainsight was a customer of Salesloft Drift and was therefore compromised entirely by them.

Salesforce spokesperson Nicole Aranda told TechCrunch that as a matter of policy, Salesforce does not comment on specific customer issues. Gainsight did not respond to requests for comment.

On Thursday, Salesforce said there is no indication that this issue resulted from any vulnerability in the Salesforce platform, effectively distancing itself from its customers’ data breaches.

Gainsight has been publishing updates about the incident. On Friday, the company said it is now working with Google’s incident response unit Mandiant to help investigate the breach. Gainsight stated the incident originated from the applications’ external connection and not from any issue or vulnerability within the Salesforce platform. A forensic analysis is continuing as part of a comprehensive and independent review.

According to Gainsight’s incident page, Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while its investigation into unusual activity continues. The page also said Salesforce is notifying affected customers whose data was stolen.

In its Telegram channel, Scattered Lapsus Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is the group’s common method; in October, the hackers also published a similar extortion website after stealing victim data in the Salesloft incident.

Scattered Lapsus Hunters is a collective of English-speaking hackers made up of several cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus. Members of these groups use social engineering tactics to trick company employees into granting them access to their systems or databases. In the last few years, these groups have claimed several high-profile victims, such as MGM Resorts, Coinbase, and DoorDash.