Hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain attack, Google has confirmed. Salesforce on Thursday disclosed breaches affecting “certain customers’ Salesforce data” — but not any of the affected companies by name — that was stolen through apps from Gainsight, which offers a platform for customer support to other firms.
Google “believes that more than 200 potentially affected Salesforce instances have been connected to over the last year,” Austin Larsen, a principal threat analyst of Google Threat Intelligence Group, said in a statement.
After Salesforce disclosed the breach, a well-known and somewhat mysterious hacking group called Scattered Lapsus$ Hunters — which counts the ShinyHunters gang among its members — took credit for two of the breaches in a Telegram channel that TechCrunch has seen.
The hacking group had also taken credit for the hacks targeting Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
Google declined to discuss particular victims. CrowdStrike’s vice president of communications, Kevin Benacci, told TechCrunch that “we are not impacted by the Gainsight issue and all customer data continues to be safe,” adding that CrowdStrike, which went public last year, has fired an “overly suspicious” employee who allegedly passed information to hackers.
TechCrunch contacted each of the companies that Scattered Lapsus$ Hunters named as victims. “All customers have received, and continue to receive, the full level of service quality and network performance that was contracted under their existing agreements with Verizon,” said Verizon spokesman Kevin Israel in a statement that did not offer evidence for this claim.
The security team at Malwarebytes “is aware of the Gainsight and Salesforce issues, and we are actively investigating the matter,” company spokesperson Ashley Stewart said.
A Thomson Reuters spokeswoman said the company is “actively investigating.”
“We understand in situations like this, there can be a natural fear of the unknown, and we’ve been taking you through our analysis of the information we have available to us,” Michael Adams, the chief information security officer at DocuSign, told TechCrunch in a statement. Adams added that, “out of an abundance of caution, we’ve taken several measures, including terminating all Gainsight CyberAttack integrations and containment-related data flows.”
None of the other companies responded to requests for comment at the time of publication. Hackers in the ShinyHunters group said in an online chat with TechCrunch that they obtained access to Gainsight through their recent hacking campaign against customers of Salesloft, maker of Drift, an AI and chatbot-based marketing product.
In that earlier incident, the hackers stole the Drift authentication tokens belonging to those customers, which then let them access the customers’ connected Salesforce accounts and copy out their contents. At the time, Gainsight acknowledged it was one of the victims of that hacking campaign.
“Gainsight was also a customer of Salesloft Drift, and they were impacted by us, thus we fully compromised them,” said a spokesperson for the ShinyHunters group when contacted by TechCrunch.
“As a matter of policy, Salesforce does not comment on specific customer matters,” said Salesforce spokesperson Nicole Aranda in an email to TechCrunch.
Gainsight did not respond to TechCrunch’s request for comment. Salesforce said on Thursday that there is “no indication that this issue was caused by a vulnerability in the Salesforce platform,” effectively distancing its own platform from the customer data breaches.
Gainsight has also been publishing updates about the incident on its incident page. On Friday, the company said that it is cooperating with Google’s incident response team Mandiant to investigate the breach, that the apparent incident “originated from our applications’ integration to an external service,” and not “from any issue or vulnerability within Salesforce’s platforms,” and that “a forensic analysis is ongoing as part of a comprehensive investigation.”
“Salesforce has temporarily disabled our active access tokens to Gainsight-connected apps as our recent investigation around unusual activities is still ongoing,” according to Gainsight’s incident page, which reported that Salesforce is notifying customers whose data was stolen.
Scattered Lapsus$ Hunters announced in a Telegram channel that it intends to launch a new website as soon as next week to extort the victims of its most recent campaign. The group tends to operate this way: in October, the hackers launched a similar extortion website after exfiltrating data from victims’ Salesforce systems in the Salesloft breach.
Scattered Lapsus$ Hunters is a self-described collective of predominantly English-speaking hackers drawn from cybercriminal gangs such as ShinyHunters, Scattered Spider and Lapsus$, whose members use social engineering to trick company employees into granting them access to corporate systems or databases. Over the last couple of years, these groups have counted among their victims companies such as MGM Resorts, Coinbase and DoorDash.