Google says hackers stole data from 200 companies after the Gainsight hack


Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a massive supply chain breach.

On Thursday, Salesforce disclosed a breach of “Salesforce data for specific customers” – without naming the affected companies – that was stolen via applications published by Gainsight, which provides a customer support platform for other companies.

In a statement, Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said the company is “aware of more than 200 potentially affected instances of Salesforce.”

After Salesforce announced the hack, the notorious and somewhat mysterious hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel seen by TechCrunch.

The hacking group claimed responsibility for the breaches that affected Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Contact us

Do you have more information about the Salesforce and Gainsight data breaches? Or other data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.

Google will not comment on specific victims.

CrowdStrike spokesperson Kevin Pennacci told TechCrunch in a statement that the company “is not affected by the Gainsight issue and that all customer data remains secure.” CrowdStrike said it terminated a “suspicious insider” for allegedly passing information to hackers.

TechCrunch reached out to all of the companies mentioned by Scattered Lapsus$ Hunters. A Verizon spokesperson acknowledged receipt of our email.

Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company’s security team is “aware” of the Gainsight and Salesforce issues and “are actively investigating the matter.”

At press time, none of the other companies responded to requests for comment.

Hackers from the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight thanks to a previous hacking campaign that targeted customers of Salesloft, which offers an AI-powered marketing platform and chatbot called Drift. In that previous case, hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their associated Salesforce instances and download their contents.

At the time, Gainsight confirmed it was among the victims of that hacking campaign.

“Gainsight was a customer of Salesloft Drift, and they were affected and thus fully compromised by us,” ShinyHunters said.

Salesforce spokeswoman Nicole Aranda told TechCrunch that “as a matter of policy, Salesforce does not comment on specific customer issues.”

Gainsight did not respond to TechCrunch’s requests for comment.

On Thursday, Salesforce said “there is no indication that this issue was caused by any vulnerability in the Salesforce platform,” effectively distancing itself from its customers’ data breaches.

Gainsight has posted updates about the incident on its incident page. The company said on Friday that it is now working with Google’s Mandiant incident response unit to help investigate the breach, that the incident in question “originated from external communication of the applications — not from any issue or vulnerability within the Salesforce platform,” and that “forensic analysis is ongoing as part of a comprehensive, independent review.”

“Salesforce has temporarily revoked active access tokens for applications associated with Gainsight as a precaution while the investigation into unusual activity continues,” according to Gainsight’s incident page, which said Salesforce is notifying affected customers whose data was stolen.

Scattered Lapsus$ Hunters said on its Telegram channel that it plans to launch a website dedicated to extorting victims of its latest campaign by next week. This is the group’s modus operandi; in October, the hackers also published a similar extortion site after victims’ Salesforce data was stolen in the Salesloft incident.

Scattered Lapsus$ Hunters is an English-speaking hacking group made up of several cybercrime gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into giving hackers access to their systems or databases. In the past few years, these groups have claimed many high-profile victims, like MGM Resorts, Coinbase, DoorDash, and more.