Google has confirmed that hackers have stolen the data of more than 200 companies stored in Salesforce in a large-scale supply chain hack.
On Thursday, Salesforce disclosed a breach of “certain customers’ Salesforce data” — without naming affected companies — that was stolen through apps published by Gainsight, which provides a customer support platform to other companies.
In a statement, Austin Larsen, principal threat analyst at Google’s Threat Intelligence Group, said the company is “aware of more than 200 potentially affected Salesforce instances.”
After Salesforce announced the breach, the infamous and somewhat nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel seen by TechCrunch.
The hacking group claimed responsibility for the hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters and Verizon.
Contact us
Do you have more information about these Salesforce and Gainsight data breaches? Or other data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase at @lorenzofb, or via email.
Google will not comment on specific victims.
CrowdStrike spokesman Kevin Benacci told TechCrunch in a statement that the company “is not affected by the Gainsight issue and all customer data remains secure.” CrowdStrike confirmed to TechCrunch that it had terminated a “suspicious insider” for allegedly passing information to hackers.
TechCrunch reached out to all the companies listed by Scattered Lapsus$ Hunters.
Verizon spokesman Kevin Israel said in a statement that “Verizon is aware of the unfounded claim by the threat actor,” without providing evidence for that claim.
Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company’s security team is “aware” of the Gainsight and Salesforce issues and is “actively investigating the matter.”
A Thomson Reuters spokesman said the company was “actively investigating.”
Michael Adams, Docusign’s chief information security officer, told TechCrunch in a statement that “after a comprehensive log analysis and internal investigation, we have no indication of a Docusign data breach at this time.” However, Adams said that, “out of an abundance of caution, we have taken certain steps, including terminating all Gainsight integrations and limiting related data flows.”
At the time of publication, none of the other companies responded to requests for comment.
Hackers from the group ShinyHunters told TechCrunch in an online chat that they gained access to Gainsight thanks to a previous hacking campaign targeting customers of Salesloft, which provides an AI chatbot marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, which allowed them to break into the connected Salesforce instances and download their contents.
At the time, Gainsight confirmed that it was among the victims of that hacking campaign.
“Gainsight was a customer of Salesloft Drift, they were affected and therefore completely breached by us,” a representative of the ShinyHunters group told TechCrunch.
Salesforce spokeswoman Nicole Aranda told TechCrunch that “as a matter of policy, Salesforce does not comment on specific customer issues.”
Gainsight did not respond to TechCrunch’s requests for comment.
On Thursday, Salesforce said there is “no indication that this issue arose from any vulnerability in the Salesforce platform,” effectively distancing itself from the breaches of its customers’ data.
Gainsight is posting updates about the incident on its incident page. On Friday, the company said it is now working with Google’s Mandiant incident response unit to help investigate the breach, that the incident “stemmed from external application connectivity — not an issue or vulnerability in the Salesforce platform” and that “a forensic analysis is ongoing as part of a comprehensive and independent investigation.”
“Salesforce has temporarily revoked active access tokens for applications connected to Gainsight as a precautionary measure while its investigation into unusual activity continues,” according to Gainsight’s incident page, which said Salesforce is notifying affected customers whose data has been stolen.
On its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website by next week to extort victims of its latest campaign. That is the group’s usual playbook: in October, the hackers published a similar extortion site after victims’ Salesforce data was stolen in the Salesloft incident.
Scattered Lapsus$ Hunters is an English-speaking hacker group made up of various cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into giving hackers access to their systems or databases. In recent years, these groups have claimed several high-profile victims, including MGM Resorts, Coinbase, DoorDash and others.
This story has been updated to include comments from Docusign, Thomson Reuters and Verizon.
