Salesforce customer data exposed in Gainsight breach
▼ Summary
– Salesforce is investigating a breach of certain customers’ data that was compromised through apps published by Gainsight.
– The breach involves Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.
– Salesforce stated there is no indication the issue resulted from a vulnerability in its own platform, linking it to Gainsight’s external connection.
– The hacking group ShinyHunters claimed responsibility, threatening to create a website to leak the data if Salesforce doesn’t negotiate.
– This incident resembles a previous August breach at Salesloft, where hackers accessed customer data through connected Salesforce instances.
A significant security incident involving Salesforce customer data has emerged, stemming from applications developed by Gainsight, a firm specializing in customer success platforms. Salesforce confirmed it is actively investigating the breach, clarifying that the compromised information belongs to certain customers who installed and managed Gainsight-published applications connected to Salesforce. The company emphasized that the issue does not appear to originate from any weakness within the Salesforce platform itself, but rather from an external connection associated with Gainsight.
Salesforce spokesperson Nicole Aranda directed inquiries to the company’s dedicated incident information page. Meanwhile, Gainsight’s status page referred to a “Salesforce connection issue” under investigation, without explicitly acknowledging a data breach. A Gainsight spokesperson did not immediately respond to requests for additional comment.
Gainsight lists several prominent corporate clients on its website, including Airtable, Notion, and GitLab. When contacted, GitLab spokesperson Emily James stated that their security team is looking into the matter and will provide updates as more information becomes available.
The prolific cybercriminal group ShinyHunters has claimed responsibility for the breach, informing cybersecurity outlet DataBreaches.net that they will launch a new website to advertise the stolen data if Salesforce refuses to negotiate. This tactic is commonly used by financially motivated hackers to extort their targets. ShinyHunters asserted they possess data from nearly a thousand companies, mentioning that their next data leak site will feature information from Salesloft and Gainsight campaigns.
This incident bears resemblance to a breach at AI marketing chatbot provider Salesloft that occurred in August, which allowed attackers to infiltrate customers’ connected Salesforce instances and steal sensitive information such as access tokens for other services. High-profile victims of the Salesloft breach included Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, and Workday.
In the Salesloft case, the hacking collective Scattered Lapsus$ Hunters, believed to include members of ShinyHunters, took credit. Last month, the group launched a dedicated extortion website threatening to release a billion records. Gainsight had previously confirmed it was affected by the Salesloft-related breaches, though it remains uncertain whether the current incident stems from that earlier compromise.
(Source: TechCrunch)
