A widespread cyberattack has compromised the Salesforce data of more than 200 companies, following a breach at Gainsight, a customer support platform provider. The incident highlights the escalating risks within software supply chains and the growing sophistication of hacking groups.
The Breach and Affected Companies
Hackers operating under the moniker Scattered Lapsus$ Hunters (including members of the ShinyHunters gang) successfully extracted data from numerous Salesforce instances through applications published by Gainsight. Salesforce initially downplayed the incident, stating that no vulnerability exists within its platform, but the breach is now confirmed to affect over 200 organizations.
The hacking group has publicly claimed responsibility for targeting major corporations, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. Despite these claims, the exact scope of the compromised data remains unclear, as many companies have yet to publicly acknowledge their involvement.
How the Hack Worked
The attack leveraged a previous campaign that targeted Salesloft, another marketing platform. Hackers stole Drift authentication tokens from Salesloft customers, granting them unauthorized access to linked Salesforce accounts. Gainsight, being a Salesloft customer, was then compromised, creating a cascading effect that exposed its clients’ data. The hackers later confirmed that Gainsight’s entire compromise came from this earlier hack.
Company Responses and Investigations
Reactions from affected companies have varied. CrowdStrike quickly stated it was unaffected and terminated a suspected insider who may have aided the hackers. Verizon dismissed the claims as “unsubstantiated,” while Malwarebytes and Thomson Reuters confirmed they were investigating. Docusign found no immediate evidence of compromise but proactively terminated Gainsight integrations as a precaution. Salesforce, also as a precaution, has temporarily revoked active access tokens for Gainsight-connected apps.
Extortion and Future Threats
Scattered Lapsus$ Hunters plans to launch an extortion website next week to demand ransom from victims, mirroring tactics used in previous incidents. The group, a collective of English-speaking hackers from gangs like ShinyHunters, Scattered Spider, and Lapsus$, specializes in social engineering to infiltrate systems.
The Bigger Picture
This incident underscores the vulnerability of interconnected software ecosystems. Third-party apps and integrations can serve as weak links, allowing attackers to gain access to sensitive data held by larger corporations. The fact that Salesforce distanced itself from the breach despite its customers being affected raises questions about platform responsibility in supply chain security.
The attack serves as a stark reminder that data security is not just about protecting one’s own systems, but also about vetting the security practices of every connected service.