Salesforce Revokes Gainsight Authentication Tokens

Salesforce, a leading customer relationship management platform based in the United States, has informed customers of potential data theft by hackers exploiting vulnerabilities in a third-party application. The company announced that applications published by Gainsight, which connect to Salesforce instances, may have allowed unauthorized access to sensitive information.
Gainsight, known for its customer data management services, has not publicly disclosed the number of affected clients. However, it has stated that it is collaborating with Salesforce to investigate the breach. To mitigate the risk, Salesforce has revoked Gainsight app access tokens and temporarily suspended the application from its AppExchange cloud marketplace.
Austin Larsen, a principal threat analyst at Google Mandiant, linked this hacking incident to ShinyHunters, a group known for its cybercriminal activities. This group is believed to share operational ties with a subset tracked as UNC6395. ShinyHunters claimed responsibility for the Gainsight breach in an announcement featured on DataBreaches.net.
This hacking group, which also forms part of a larger collective dubbed Scattered Lapsus$ Hunters, previously breached Salesforce by obtaining authentication tokens from another third-party application provider, Salesloft. The group has threatened to create a dedicated site to host stolen data unless Salesforce complies with their extortion demands. Previously, Salesforce successfully rebuffed ShinyHunters’ attempts to extort ransom following the Salesloft incident.
ShinyHunters indicated to DataBreaches.net that this attack marks another significant campaign against Salesforce, suggesting that it may be the third or fourth such incident orchestrated by the same group. Gainsight’s clientele includes notable organizations like Okta, Sonos, and ADP.
The tactics employed in this breach may include initial access through compromised authentication tokens, as categorized by the MITRE ATT&CK framework. This technique shows how adversaries can gain entry to systems by abusing the trust placed in third-party applications: a stolen token lets them operate with that application's permissions, escalate their privileges, and secure persistent access without exploiting the target platform directly.
As organizations increasingly rely on third-party applications, the need for robust cybersecurity measures is more pressing than ever. Companies must not only assess their cybersecurity strategies but also ensure that their third-party partnerships adhere to stringent security protocols to mitigate risks associated with data breaches.
Reporting contributed by David Perera from Information Security Media Group.