Salesforce Users at Risk From Gainsight Supply Chain Attack

Summary
– Salesforce revoked access to Gainsight applications on November 20 due to unusual activity that may have enabled unauthorized access to customer data.
– Gainsight disabled its connections with Hubspot and Zendesk as a precaution and engaged Mandiant for forensic investigation.
– The Scattered Spider-ShinyHunters-Lapsus$ collective claimed responsibility for the attack and threatened to launch a data leak site if Salesforce does not comply.
– The threat actors plan to leak data from nearly 1000 companies, including major firms like Verizon and Gitlab, and advertised an upcoming ransomware-as-a-service offering.
– A security expert noted this incident follows a similar pattern of using OAuth tokens and over-permissioned apps in interconnected SaaS ecosystems.
A recent cybersecurity incident has potentially exposed Salesforce customer data, marking another significant supply chain attack just months after the Salesloft Drift breach. On November 20, Gainsight, a customer support platform, reported connection failures after Salesforce revoked active access for its SFDC Connector, a tool enabling Gainsight applications to link with Salesforce. In a security advisory released the same day, Salesforce noted unusual activity involving Gainsight-published applications, leading it to suspend all Gainsight app access and temporarily remove them from AppExchange.
Salesforce’s investigation suggested that malicious activity may have allowed unauthorized access to customer data through the app’s external connection. The company emphasized that the issue did not stem from any vulnerability within the Salesforce platform itself, pointing instead to the external link between Gainsight and Salesforce. As a precaution, Gainsight also disabled its connections with Hubspot and Zendesk. Gainsight later announced it had engaged Mandiant, a Google Cloud-owned cybersecurity firm, to assist with forensic analysis.
According to a report on DataBreaches.net by an author known as ‘Dissent,’ the hacking collective Scattered Spider-ShinyHunters-Lapsus$, sometimes called Scattered Lapsus$ Hunters, claimed responsibility for the Gainsight attack. The threat actors told Dissent they plan to launch a new dedicated leak site unless Salesforce meets their demands. This site would reportedly include data from both the Salesloft and Gainsight campaigns, affecting nearly 1,000 companies. The hackers stated that only “actual companies, mainly Fortune 500,” such as Verizon, Gitlab, F5, and Sonicwall, would be listed. Additionally, the group promoted an upcoming ransomware-as-a-service offering, set to launch on November 24.
Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite, noted that Gainsight had previously acknowledged exposure in the Salesloft Drift campaign, where stolen OAuth tokens were used to access Salesforce data across multiple organizations. In that incident, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, primarily business contact information and some case text, had been accessed. Dikbiyik added, “Today we’re seeing the same playbook: OAuth tokens, over-permissioned apps, and integrated vendors create a perfect attack chain. This isn’t about one vendor or platform; it reflects how modern SaaS ecosystems operate, widely connected and often over-trusted.”
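The playbook Dikbiyik describes (long-lived OAuth tokens held by broadly scoped third-party apps) is something a Salesforce admin can triage from a connected-app inventory. The script below is an added example, not code from the article, Gainsight or Salesforce: the grant inventory, app and publisher names are constructed, and the scope names follow Salesforce connected-app OAuth scope naming; the "suspended publisher" rule models the response step of revoking every grant from a vendor the platform has cut off.

```python
"""Triage connected-app OAuth grants for over-permissioned third-party access.
The inventory at the bottom is constructed sample data, not real grants."""
from dataclasses import dataclass
from datetime import date

# Scopes that expose CRM data far beyond what a narrow integration needs.
BROAD_SCOPES = {"full", "api", "web"}
# Scopes that keep access alive with no user present (long-lived refresh tokens).
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}


@dataclass
class OAuthGrant:
    app: str
    publisher: str
    scopes: frozenset
    last_used: date
    users_authorized: int


def risk_findings(grant, today, stale_days=30):
    """Return a list of human-readable findings for one grant (empty if clean)."""
    findings = []
    broad = grant.scopes & BROAD_SCOPES
    if "full" in grant.scopes:
        findings.append("full scope: app can do anything its authorizing users can")
    elif broad:
        findings.append(f"broad data scopes: {sorted(broad)}")
    if broad and (grant.scopes & PERSISTENT_SCOPES):
        findings.append("long-lived token with broad scopes: a stolen token stays usable")
    idle = (today - grant.last_used).days
    if idle > stale_days:
        findings.append(f"unused for {idle} days: revoke if no longer needed")
    return findings


def triage(grants, today, suspended_publishers=frozenset()):
    """Map app name -> findings for grants needing review; grants from a publisher
    the platform has suspended get a revoke-now finding placed first."""
    report = {}
    for g in grants:
        findings = risk_findings(g, today)
        if g.publisher in suspended_publishers:
            findings.insert(0, f"publisher {g.publisher} suspended: revoke tokens now")
        if findings:
            report[g.app] = findings
    return report


# Constructed inventory: names, dates and counts are illustrative only.
SAMPLE_GRANTS = [
    OAuthGrant("CS Health Sync", "ExampleCSVendor", frozenset({"api", "refresh_token", "id"}), date(2025, 11, 19), 40),
    OAuthGrant("SSO Login", "ExampleIdP", frozenset({"openid", "id", "profile"}), date(2025, 11, 19), 500),
    OAuthGrant("Legacy Report Export", "Internal", frozenset({"full", "refresh_token"}), date(2025, 8, 1), 2),
]


def run_sample():
    return triage(SAMPLE_GRANTS, date(2025, 11, 21), suspended_publishers=frozenset({"ExampleCSVendor"}))
```

Run with `python3 -c "import pprint, triage; pprint.pprint(triage.run_sample())"` (adjust the module name to the file name) to see which constructed grants are flagged and why.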
Infosecurity reached out to Gainsight for comment but had not received a response by the time of publication.
(Source: Info Security)