ShinyHunters Has a Strong Dislike for Salesforce, Says The Register

EXCLUSIVE ShinyHunters has reportedly taken responsibility for a security breach at Gainsight, further compromising the data of numerous Salesforce customers. This breach expands the ongoing ramifications of earlier cyber incidents, particularly the Salesloft Drift hack from earlier this year, which ShinyHunters claims provided them with the initial access to Gainsight’s systems.

In correspondence with The Register, a representative from the ShinyHunters group stated they had maintained access to Gainsight for nearly three months, raising serious concerns regarding the depth of their infiltration. They noted, “The data acquired from the Salesloft Drift breach has revealed extensive entry points into various lucrative systems,” while expressing disdain for Salesforce. “It would be preferable if Salesforce ceased its superior attitude and took steps to rectify the situation,” the representative remarked.

To date, Gainsight has not addressed inquiries made by The Register regarding the breach. This incident underscores a grim reality for businesses relying on integrated platforms, as unauthorized access to critical applications can lead to devastating data exposures.

The breach reportedly traces back to March, when attackers compromised a GitHub account associated with Salesloft and used it to obtain the OAuth tokens that Drift's integration held for Salesforce. Drift is a third-party tool that automates sales processes and connects to various CRMs, including Salesforce, which widens the attack surface of every organization that installs it. Using those tokens, the attackers then siphoned off extensive amounts of customer data from Salesforce's platform.

ShinyHunters claims that they also accessed Gainsight through similar vulnerabilities exploited during the Drift breach. Gainsight serves as a customer success platform that integrates with multiple CRMs and support systems, indicating that the risks extend beyond just Salesforce.

In response to the breach, Gainsight has engaged Google’s Mandiant incident response team to assist with an investigation into the ongoing security issues affecting its applications on the Salesforce platform. According to Gainsight, the activity under scrutiny did not originate from Salesforce itself but from an external connection facilitated by the compromised applications.

Salesforce promptly revoked all active access tokens linked to Gainsight-published applications and temporarily removed those applications from the AppExchange as part of its mitigation. Zendesk and HubSpot took similar precautions, withdrawing Gainsight's access to their platforms, which may disrupt customer integrations that rely on that OAuth access.

Google's Threat Intelligence Group says it is aware of more than 200 potentially affected Salesforce instances linked to this breach, underscoring the reach of ShinyHunters' activities. The attackers are presumed to have employed tactics that map to the MITRE ATT&CK framework, including initial access obtained through credential dumping and the exploitation of application-layer vulnerabilities.

While the full scope of the breach remains under analysis, it serves as a poignant reminder of the vulnerabilities inherent in interconnected systems. ShinyHunters, associated with the cybercrime collective previously active in this domain, asserts it is still operational and actively recruiting insiders from major firms. Salesforce has reiterated its commitment to not engage with ransom demands, stating, “Salesforce will not negotiate with, or pay any extortion demands,” according to spokesperson Allen Tsai.
