Google Reports Over 200 Companies Affected by Data Breach Linked to Gainsight

Gainsight is recognized as a provider of customer support platforms.

Summary of Events

Google has recently reported a significant supply chain breach that has compromised data stored by Salesforce across more than 200 businesses. The incident was initially revealed by Salesforce on Thursday, noting that “specific customers’ Salesforce data” was infiltrated through applications by Gainsight, a well-known customer success platform. Google Threat Intelligence Group’s Principal Threat Analyst, Austin Larsen, disclosed that they have identified over 200 Salesforce instances potentially impacted by this breach.

Responsibility Claim by Hacking Group

In the wake of Salesforce’s announcement, a hacking collective known as Scattered Lapsus$ Hunters, which includes the notorious ShinyHunters group, claimed responsibility via their Telegram channel. The group stated that they infiltrated several prominent companies, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, and Verizon. Notably, Google has refrained from disclosing specific names of the impacted organizations.

Reactions from CrowdStrike and Malwarebytes

Kevin Benacci, a spokesperson for CrowdStrike, affirmed that the organization has not been impacted by the Gainsight situation, stating, “All customer data remains secure.” CrowdStrike also dismissed an employee for allegedly sharing information with cyber adversaries. In contrast, Ashley Stewart from Malwarebytes confirmed that their security team is investigating both the Gainsight and Salesforce incidents diligently.

Access Points Revealed by ShinyHunters

According to a disclosure the ShinyHunters group made to TechCrunch, the group initially breached Gainsight by exploiting vulnerabilities from an earlier attack on Salesloft customers. In that attack, they used stolen Drift authentication tokens, which allowed them to access linked Salesforce instances and extract data. That earlier breach had already prompted Gainsight to acknowledge that it was itself a victim of a cyber incursion.

Responses from Salesforce and Gainsight

Salesforce has asserted that “there is no indication this issue stemmed from any vulnerability within the Salesforce platform,” thereby distancing itself from the data breaches affecting its customers. Meanwhile, Gainsight has kept stakeholders updated through its incident page. The firm indicated that it is collaborating with Mandiant, Google’s incident response unit, to undertake a thorough investigation into the breach, while a forensic analysis is underway as part of a comprehensive review of the events.
