
Salesforce Probes New Security Incident Similar to Salesloft Breach

Summary

– Salesforce identified unusual activity with Gainsight-published apps that may have allowed unauthorized access to customer data.
– Salesforce revoked all active access tokens for Gainsight apps and temporarily removed them from the AppExchange during the investigation.
– The ShinyHunters threat group was observed compromising Gainsight OAuth tokens to access Salesforce customer instances.
– ShinyHunters claimed the Gainsight and Salesloft campaigns enabled them to steal data from nearly 1000 organizations.
– Organizations using Gainsight integrations are advised to monitor communications and review third-party app connections for suspicious activity.

Salesforce is currently investigating a new security incident that bears a striking resemblance to the recent Salesloft breach. The company has confirmed unusual activity involving applications published by Gainsight that connect to the Salesforce platform. This situation may have allowed unauthorized parties to access certain customers’ Salesforce data through the Gainsight app integration. In response, Salesforce immediately revoked all active access and refresh tokens linked to Gainsight-published applications and temporarily removed those apps from the AppExchange marketplace while the investigation proceeds. Salesforce emphasized that this incident does not stem from any vulnerability within their core platform infrastructure.

Gainsight, which provides a customer success and product experience platform that integrates with Salesforce CRM environments through specialized connectors, has acknowledged service disruptions. The company’s status page indicates the Salesforce connection problems resulted from Salesforce revoking active access tokens for Gainsight’s SFDC Connector. Gainsight has launched its own internal investigation and committed to providing updates as more information becomes available.

Security researchers have identified connections to known threat actors in this incident. Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, reported that threat actors associated with ShinyHunters, the same group that claimed responsibility for the Salesloft Drift compromise, have been observed compromising Gainsight OAuth tokens to access Salesforce customer instances. Larsen advised organizations using Gainsight integrations to carefully monitor official communications from both Gainsight and Salesforce regarding this situation.

Security experts strongly recommend that organizations review all third-party applications connected to their Salesforce instances and immediately revoke tokens for any unused or suspicious applications. Companies should also rotate credentials promptly if they detect any anomalous activity originating from their integrations. According to information shared with DataBreaches.net, ShinyHunters has claimed responsibility for both the Salesloft and Gainsight campaigns, stating these operations enabled them to steal data from nearly one thousand organizations.
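The review the experts recommend above amounts to a triage pass over the connected-app token inventory: every token for the publisher under investigation, every token for an app nobody approved, and every token that has gone unused for a long time goes on the revocation worklist. The script below is an added illustration of that triage and is not code from Salesforce, Gainsight or the article; the record fields are modeled on Salesforce's OauthToken object (AppName, UserId, UseCount, LastUsedDate), which is an assumption, and the allowlist, incident list and token records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Connected-app token inventory. Field names are modeled on Salesforce's
# OauthToken object (an assumption); the records further down are constructed
# for this example and are not real tokens.
@dataclass(frozen=True)
class OAuthTokenRecord:
    token_id: str
    app_name: str
    user_id: str
    use_count: int
    last_used: Optional[datetime]  # None: token was issued but never used

# Hypothetical allowlist of integrations the organization has approved.
APPROVED_APPS = {"Gainsight SFDC Connector", "Slack", "DocuSign"}
# Apps whose publisher is under incident review: every token gets flagged.
INCIDENT_APPS = {"Gainsight SFDC Connector"}
# Tokens not used within this window are treated as unused and revocable.
STALE_AFTER = timedelta(days=90)

def triage_tokens(tokens: List[OAuthTokenRecord], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (token_id, app_name, reason) for each token to revoke or review."""
    findings = []
    for t in tokens:
        if t.app_name in INCIDENT_APPS:
            findings.append((t.token_id, t.app_name, "publisher under incident review"))
        elif t.app_name not in APPROVED_APPS:
            findings.append((t.token_id, t.app_name, "app not on approved list"))
        elif t.last_used is None or now - t.last_used > STALE_AFTER:
            findings.append((t.token_id, t.app_name, f"unused for over {STALE_AFTER.days} days"))
    return findings

# Constructed reference time and sample inventory for the demonstration.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    OAuthTokenRecord("tok-001", "Gainsight SFDC Connector", "user-a", 4120, NOW - timedelta(days=1)),
    OAuthTokenRecord("tok-002", "Slack", "user-b", 310, NOW - timedelta(days=3)),
    OAuthTokenRecord("tok-003", "DocuSign", "user-c", 0, None),
    OAuthTokenRecord("tok-004", "Unknown Sync Tool", "user-d", 12, NOW - timedelta(days=2)),
    OAuthTokenRecord("tok-005", "Slack", "user-e", 8, NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for token_id, app, reason in triage_tokens(SAMPLE_TOKENS, NOW):
        print(f"REVOKE/REVIEW {token_id} ({app}): {reason}")
```

Run against a real export, the worklist is what an administrator revokes and, for the incident publisher, follows up on with the credential rotation and log review the article describes.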

Mandiant’s investigation into the earlier Drift platform compromise revealed that attackers gained access to Salesloft’s GitHub account and Drift’s AWS environment, from which they apparently stole OAuth tokens for Drift customers’ technology integrations. While Gainsight was among the many victims of the Salesloft Drift attack, investigators have not yet determined whether that previous breach directly contributed to the current security incident involving Salesforce integrations.

(Source: HelpNet Security)
