Gainsight Breach: Google Confirms Data Theft from 200 Companies

Large-Scale Data Breach Impacts Over 200 Companies
Google has verified that a significant supply chain attack has resulted in the theft of data from more than 200 companies utilizing Salesforce. The compromised information was stored within the Salesforce platform.
Salesforce Data Breach Details
Salesforce disclosed a security incident on Thursday, revealing that data belonging to certain customers had been stolen. This breach occurred through applications published by Gainsight, a company providing customer support solutions to various businesses.
Austin Larsen, principal threat analyst at Google Threat Intelligence Group, stated that the company has identified over 200 Salesforce instances that may have been affected by this incident.
Hacking Group Claims Responsibility
The hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the attacks. The claim was made in a Telegram channel, as observed by TechCrunch.
The group alleges involvement in breaches impacting several prominent organizations, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
Company Responses and Investigations
Google declined to provide specific details regarding the affected parties.
CrowdStrike spokesperson Kevin Benacci confirmed to TechCrunch that the company was not impacted by the Gainsight issue and that customer data remains secure. Benacci also revealed the termination of a “suspicious insider” suspected of sharing information with the hackers.
TechCrunch contacted all companies named by Scattered Lapsus$ Hunters to request comment.
Verizon spokesperson Kevin Israel acknowledged the claim made by the threat actor but did not offer supporting evidence.
Malwarebytes spokesperson Ashley Stewart informed TechCrunch that their security team is aware of the Gainsight and Salesforce issues and is actively investigating.
A representative from Thomson Reuters stated that the company is currently investigating the matter.
Michael Adams, CISO at Docusign, indicated that their log analysis and internal investigation have not revealed any compromise of Docusign data. However, as a precaution, they have terminated all Gainsight integrations and contained related data flows.
As of the time of publication, responses were not received from the remaining companies contacted.
Root Cause and Previous Incidents
Hackers associated with the ShinyHunters group explained to TechCrunch that their access to Gainsight stemmed from a prior campaign targeting customers of Salesloft, a marketing platform. They reportedly stole authentication tokens from Salesloft customers, enabling them to infiltrate linked Salesforce instances and extract data.
Gainsight had previously confirmed being a victim of this earlier hacking campaign.
A spokesperson for ShinyHunters stated, “Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us.”
Salesforce and Gainsight Statements
Salesforce spokesperson Nicole Aranda stated that the company does not comment on specific customer issues.
Gainsight did not respond to requests for comment from TechCrunch.
Salesforce asserted that the incident did not originate from any vulnerability within the Salesforce platform itself, distancing the company from the data breaches experienced by its customers.
Gainsight has been providing updates on the incident via its incident page. The company is now collaborating with Google’s Mandiant incident response unit to investigate the breach. Their analysis indicates the incident originated from external connections, not a flaw within the Salesforce platform.
Precautionary Measures and Extortion Threat
According to Gainsight’s incident page, Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure. Salesforce is also notifying affected customers whose data was stolen.
Scattered Lapsus$ Hunters announced plans to launch a website next week to extort victims of their latest campaign. This tactic mirrors their previous actions following the Salesloft incident, where they published a similar extortion website.
About Scattered Lapsus$ Hunters
Scattered Lapsus$ Hunters is a collective of English-speaking hackers comprising several cybercriminal groups, including ShinyHunters, Scattered Spider, and Lapsus$. These groups employ social engineering techniques to gain access to company systems and databases. They have claimed responsibility for high-profile breaches at companies like MGM Resorts, Coinbase, DoorDash, and others.
This story was updated to include comments from Docusign, Thomson Reuters, and Verizon.