Google says 200+ companies faced data breach because of Gainsight
What's the story
Google has confirmed that a major supply chain hack has led to the theft of Salesforce-stored data from over 200 companies. The attack was first disclosed by Salesforce on Thursday, which revealed that "certain customers' Salesforce data" had been compromised through apps published by Gainsight. The latter is a customer support platform provider. Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, said they are aware of over 200 potentially affected Salesforce instances.
Attack claimed
Hacking group claims responsibility for the breach
Following Salesforce's disclosure, a hacking group known as Scattered Lapsus$ Hunters (which includes the ShinyHunters gang) claimed responsibility for the attacks on its Telegram channel. The group said it had compromised firms like Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, the Thomson Reuters, and Verizon. However, Google did not comment on specific victims of this massive data breach.
Company responses
CrowdStrike and Malwarebytes respond to the breach
CrowdStrike's spokesperson Kevin Benacci said their company is "not affected by the Gainsight issue and all customer data remains secure." They also fired a "suspicious insider" for allegedly passing information to hackers. Meanwhile, Malwarebytes's Ashley Stewart confirmed that their security team is aware of both the Gainsight and Salesforce issues and are actively investigating them.
Access method
ShinyHunters group reveals how they accessed Gainsight
The hackers from the ShinyHunters group told TechCrunch that they gained access to Gainsight through an earlier attack on Salesloft customers. In that case, the hackers stole the Drift authentication tokens from those customers, which allowed them to access their linked Salesforce instances and download their contents. Gainsight had confirmed it was among the victims of that hacking campaign at the time.
Official statements
Salesforce and Gainsight's response
Salesforce has said that "there is no indication that this issue resulted from any vulnerability in the Salesforce platform," distancing itself from its customers' data breaches. Gainsight has been updating about the incident on its incident page. The company said it is now working with Google's incident response unit Mandiant to help investigate the breach and that "a forensic analysis is continuing as part of a comprehensive and independent review."