Salesforce announced on Wednesday that it is investigating a breach of certain customers’ data. This data was compromised through applications published by Gainsight, a company that provides a platform for other businesses to manage their customer relationships.
In a notice, Salesforce clarified that the hacks involve Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. The company stated there is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to Gainsight’s external connection to Salesforce.
A Salesforce spokesperson referred inquiries to the company’s official incident page. As of the reporting, Gainsight said on its own status page that it is investigating a Salesforce connection issue, without directly referencing a potential breach. Gainsight wrote that its internal investigation is ongoing. A spokesperson for Gainsight did not immediately respond to a request for comment.
Gainsight lists several corporate customers on its website, including Airtable, Notion, and GitLab. A GitLab spokesperson stated that its security team is investigating and would provide more information when available.
The prolific hacking group ShinyHunters told a cybersecurity news website that it was behind the breach. The group stated that if Salesforce does not negotiate, it will create a new website to advertise the stolen data, a common extortion tactic. The hackers claim to have stolen data from close to a thousand companies. They said the next data leak site will contain the data of the Salesloft and Gainsight campaigns.
This data breach appears similar to a breach in August at AI marketing chatbot maker Salesloft. That breach allowed hackers to break into a number of its customers’ connected Salesforce instances to steal sensitive data, including access tokens for other services. Victims of the Salesloft breach included insurance giant Allianz Life, Bugcrowd, Cloudflare, Google, fashion conglomerate Kering, Proofpoint, the airline Qantas, carmaker Stellantis, credit bureau TransUnion, the employee management platform Workday, and others.
In the case of the Salesloft breaches, the hacking group Scattered Lapsus$Hunters, which apparently includes the ShinyHunters gang, claimed responsibility. Last month, the hackers launched a dedicated website to extort the victims of the breaches, where they threatened to release a billion records. At that time, Gainsight confirmed it was among the victims of the Salesloft-linked breaches. It is unclear if this new wave of hacks originated from its earlier compromise.