
Hackers Stole Data From 200 Companies in Google-Linked Breach

Summary

– Google confirmed hackers stole Salesforce-stored data from over 200 companies in a supply chain attack.
– The hacking group Scattered Lapsus$ Hunters claimed responsibility, listing companies including Atlassian, CrowdStrike, and Verizon as targets; not all of the named companies have confirmed a breach.
– The hackers reused authentication tokens stolen in the earlier Salesloft Drift campaign, in which Gainsight itself was compromised, to reach Salesforce data through Gainsight-connected apps.
– Salesforce stated the breach didn’t result from vulnerabilities in its platform and is revoking access tokens while notifying affected customers.
– The hacking group plans to launch an extortion website targeting victims, using tactics like social engineering to infiltrate systems.

A significant supply chain attack has compromised the data of over two hundred organizations, with Google confirming the theft of information from Salesforce instances. The breach is linked to applications from the customer support platform Gainsight that were connected to those instances. The incident underscores how a credential compromise at one SaaS integration can cascade to every tenant that trusts it, exposing large amounts of corporate data without any flaw in the downstream platform itself.

The notorious hacking collective known as Scattered Lapsus$ Hunters has publicly claimed responsibility for the attacks via a Telegram channel. This group, which includes the infamous ShinyHunters gang, listed several high-profile companies as their targets, including Atlassian, DocuSign, GitLab, LinkedIn, and Verizon. While Google’s Threat Intelligence Group acknowledged the widespread impact, the company declined to identify specific victims.

Responses from the named corporations have been mixed. CrowdStrike stated unequivocally that it was unaffected by the Gainsight issue and that all customer data remains secure. The company also revealed it had terminated a “suspicious insider” for allegedly providing information to hackers. A Verizon spokesperson acknowledged an inquiry but did not provide further details. Malwarebytes confirmed its security team is actively investigating the matter. At the time of reporting, most other companies listed by the hackers had not responded to requests for comment.

According to members of the ShinyHunters group, their initial access stemmed from a prior campaign targeting customers of Salesloft. In that earlier incident, the hackers stole authentication (OAuth) tokens issued to the Drift marketing platform, which they then used to authenticate to the linked Salesforce accounts and download their contents. Gainsight was confirmed to have been a customer of Salesloft Drift and was compromised in that initial wave of attacks; the tokens and connections obtained there are what the group says it used in this campaign.

Both Salesforce and Gainsight have been careful in their public statements. A Salesforce representative stated the company does not comment on specific customer issues and emphasized that there is no evidence the breach resulted from a vulnerability in the Salesforce platform itself. Gainsight, which is not commenting directly, has published updates on an incident page. The company announced it is collaborating with Google’s Mandiant incident response team for a forensic analysis. The investigation so far points to the incident originating from an external application connection, not a flaw within Salesforce.

As a precaution, Salesforce has temporarily revoked active access tokens for apps connected to Gainsight and is in the process of notifying customers whose data was stolen. Meanwhile, the Scattered Lapsus$ Hunters group has declared its intention to launch a dedicated extortion website targeting the victims of this latest campaign by next week. This tactic mirrors their previous actions following the Salesloft data theft.
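The access chain described above (a stolen token for a connected app used to bulk-download Salesforce data until the token is revoked) is the kind of activity that shows up in an org's API logs long before a vendor notification arrives. Below is an added example of a hunt over such logs; it is not code from the original article, Google, Salesforce or Gainsight. The record fields (`client_name`, `user_id`, `source_ip`, `sobject`, `rows`) and the sample records are constructed assumptions loosely modelled on a Salesforce-style API event export and must be mapped to the columns of your own log feed. The idea is to baseline each connected app's normal source addresses, objects and volumes, then flag an app whose token suddenly speaks from a new address and pulls objects or row counts it never touched before.

```python
"""Hunt for abuse of a connected app's stolen token in Salesforce-style API logs.

Added example, not code from the article or from Google, Salesforce or Gainsight.
Field names and the log lines below are constructed for illustration only; adapt
them to the schema of your real API event export.
"""
from collections import defaultdict
from datetime import datetime, timezone
import json

# Constructed newline-delimited JSON records (not from any real incident).
# Day 1 is normal connector behaviour; early on day 2 the same connector's
# identity appears from a new address and bulk-exports objects it never read.
SAMPLE_LOG = """\
{"ts": "2025-11-18T09:00:00Z", "client_name": "Drift Connector", "user_id": "005A1", "source_ip": "203.0.113.10", "sobject": "Lead", "rows": 40}
{"ts": "2025-11-18T10:00:00Z", "client_name": "Drift Connector", "user_id": "005A1", "source_ip": "203.0.113.10", "sobject": "Contact", "rows": 25}
{"ts": "2025-11-18T14:00:00Z", "client_name": "Drift Connector", "user_id": "005A1", "source_ip": "203.0.113.10", "sobject": "Lead", "rows": 60}
{"ts": "2025-11-18T15:00:00Z", "client_name": "Slack Integration", "user_id": "005B2", "source_ip": "203.0.113.20", "sobject": "Case", "rows": 10}
{"ts": "2025-11-19T02:10:00Z", "client_name": "Drift Connector", "user_id": "005A1", "source_ip": "198.51.100.77", "sobject": "Account", "rows": 20000}
{"ts": "2025-11-19T02:12:00Z", "client_name": "Drift Connector", "user_id": "005A1", "source_ip": "198.51.100.77", "sobject": "Contact", "rows": 50000}
{"ts": "2025-11-19T02:15:00Z", "client_name": "Drift Connector", "user_id": "005A1", "source_ip": "198.51.100.77", "sobject": "Opportunity", "rows": 30000}
{"ts": "2025-11-19T02:20:00Z", "client_name": "Drift Connector", "user_id": "005A1", "source_ip": "198.51.100.77", "sobject": "Case", "rows": 15000}
{"ts": "2025-11-19T09:00:00Z", "client_name": "Slack Integration", "user_id": "005B2", "source_ip": "203.0.113.20", "sobject": "Case", "rows": 12}
"""

# Everything before this instant is treated as the app's known-good baseline.
BASELINE_END = datetime(2025, 11, 19, tzinfo=timezone.utc)


def parse_log(text):
    """Parse newline-delimited JSON records and convert ts to aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def hunt_token_abuse(records, baseline_end, row_multiplier=10):
    """Compare each connected app's recent activity against its own baseline.

    An app is flagged when its token is used from an address never seen in the
    baseline AND it either reads objects it never read before or pulls more than
    row_multiplier times the largest single call seen in the baseline.
    """
    baseline, recent = defaultdict(list), defaultdict(list)
    for r in records:
        (baseline if r["ts"] < baseline_end else recent)[r["client_name"]].append(r)

    findings = {}
    for app, recs in recent.items():
        base = baseline.get(app, [])
        base_ips = {r["source_ip"] for r in base}
        base_objs = {r["sobject"] for r in base}
        base_max_rows = max((r["rows"] for r in base), default=0)
        recent_rows = sum(r["rows"] for r in recs)
        f = {
            "new_ips": sorted({r["source_ip"] for r in recs} - base_ips),
            "new_objects": sorted({r["sobject"] for r in recs} - base_objs),
            "recent_rows": recent_rows,
            "baseline_max_rows_per_call": base_max_rows,
        }
        # An app with no baseline at all (base_max_rows == 0) is also flagged on
        # any bulk read, since a brand-new integration pulling data is worth a look.
        bulk = recent_rows > row_multiplier * max(base_max_rows, 1)
        f["suspicious"] = bool(f["new_ips"]) and (bool(f["new_objects"]) or bulk)
        findings[app] = f
    return findings


def demo():
    """Run the hunt over the constructed sample and return the findings."""
    return hunt_token_abuse(parse_log(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hit from this hunt is a reason to revoke that app's tokens yourself rather than wait for the vendor; the baseline should be built from a window you trust to predate the integration partner's compromise, otherwise the attacker's traffic becomes "normal".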

The Scattered Lapsus$ Hunters collective is an alliance of English-speaking cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$. They are known for employing sophisticated social engineering techniques to deceive company employees into granting system access. Over recent years, this collective has been linked to major cyberattacks on corporations such as MGM Resorts, Coinbase, and DoorDash, demonstrating a persistent and evolving threat to global enterprise security.

(Source: TechCrunch)
