Google Confirms Hackers Steal Data from Over 200 Companies After Gainsight Breach

Alice Jane

Google has now confirmed what had been widely suspected: a major supply chain breach linked to a third-party application, Gainsight, allowed attackers to steal Salesforce data from more than 200 companies. Salesforce detected the issue first, and it reinforces a risk many security teams have worried about for a while: the hidden exposure that comes with plugging outside apps into large enterprise platforms. Gainsight’s customer success tools rely on close, always-on connections to Salesforce, and it was through that external pathway that the attackers got in. According to the early findings, the group behind the attack appears to be the cybercriminal collective calling itself Scattered Lapsus$ Hunters, which includes the well-known ShinyHunters.

Key Takeaways

  • Scope of Breach: Google’s Threat Intelligence Group says more than 200 Salesforce instances were potentially affected.
  • Vector: Hackers accessed data through compromised third-party applications published by Gainsight, not through any vulnerability in Salesforce’s core platform.
  • Threat Actor: The group Scattered Lapsus$ Hunters, including the ShinyHunters faction, has claimed responsibility.
  • Response: Salesforce revoked all active access tokens tied to Gainsight apps and temporarily removed those applications from the AppExchange.
  • Investigation: Gainsight is working with Mandiant, the Google-owned security firm, to carry out a detailed forensic investigation.

The incident came to light after Salesforce noticed activity that seemed unusual within Gainsight-published applications that customers manage on their own. The attackers didn’t find a weakness inside Salesforce itself. Instead, they went after the connection point, using compromised OAuth tokens that normally allow the Gainsight app to read or modify CRM data. This kind of approach, where a trusted vendor becomes the unexpected entryway for an attack, is exactly the sort of supply chain risk many CISOs talk about but perhaps still struggle to fully prepare for.
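The unusual activity Salesforce noticed is the kind of signal a defender can look for in their own API access records: a connected app's token suddenly being used from a source address it never used before, or pulling orders of magnitude more CRM rows than its normal daily sync. The script below is an added illustration of that detection logic, not code from this article, from Salesforce or from Gainsight. The event records and their field names (app, ts, ip, rows) are constructed for the example and do not follow any Salesforce log schema.

```python
"""Flag suspicious use of a connected app's OAuth token from API access records."""
from datetime import datetime
from statistics import mean

# Constructed sample records (not real log data). Shape is an assumption:
# one record per API session of a connected app's integration user.
SAMPLE_EVENTS = [
    {"app": "Gainsight", "ts": "2025-11-10T09:00:00", "ip": "203.0.113.10", "rows": 420},
    {"app": "Gainsight", "ts": "2025-11-11T09:00:00", "ip": "203.0.113.10", "rows": 390},
    {"app": "Gainsight", "ts": "2025-11-12T09:00:00", "ip": "203.0.113.11", "rows": 450},
    {"app": "Gainsight", "ts": "2025-11-13T09:00:00", "ip": "203.0.113.10", "rows": 410},
    # Two sessions from a never-seen address at 03:00 pulling 100x the usual volume.
    {"app": "Gainsight", "ts": "2025-11-14T03:12:00", "ip": "198.51.100.7", "rows": 61000},
    {"app": "Gainsight", "ts": "2025-11-14T03:40:00", "ip": "198.51.100.7", "rows": 58000},
    # A second integration with too little history to judge yet.
    {"app": "Other CRM Sync", "ts": "2025-11-10T10:00:00", "ip": "192.0.2.5", "rows": 100},
    {"app": "Other CRM Sync", "ts": "2025-11-14T10:00:00", "ip": "192.0.2.5", "rows": 120},
]


def detect_token_misuse(events, min_history=3, volume_factor=10.0):
    """Return findings for sessions that deviate from an app's own baseline.

    Baseline per app = set of source IPs seen so far and the mean rows/session.
    Flagged sessions are NOT added to the baseline, so a burst of exfiltration
    cannot raise the bar for the sessions that follow it.
    """
    findings = []
    history = {}  # app name -> list of trusted prior sessions
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        prior = history.setdefault(ev["app"], [])
        reasons = []
        if len(prior) >= min_history:
            known_ips = {p["ip"] for p in prior}
            baseline = mean(p["rows"] for p in prior)
            if ev["ip"] not in known_ips:
                reasons.append(f"new source IP {ev['ip']} (known: {sorted(known_ips)})")
            if ev["rows"] > volume_factor * baseline:
                reasons.append(f"{ev['rows']} rows vs baseline {baseline:.0f}")
        if reasons:
            findings.append({"app": ev["app"], "ts": ev["ts"], "reasons": reasons})
        else:
            prior.append(ev)
    return findings


if __name__ == "__main__":
    for f in detect_token_misuse(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['app']}: " + "; ".join(f["reasons"]))
```

Both 03:00 sessions are reported with two reasons each (new IP and volume), while the second integration produces nothing because it has fewer than `min_history` trusted sessions; a rule like this only works once an app has an established baseline, which is an argument for recording connected-app usage before, not after, an incident.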

Gainsight, which provides customer success tools used to help companies monitor and improve customer retention, sits at the center of many enterprise workflows. The hackers allegedly gained their initial access through an earlier campaign involving Salesloft Drift, another third-party tool connected to Salesforce. They claimed to have stolen authentication tokens from Salesloft Drift customers; those tokens, in something close to a chain reaction, then gave them the foothold they needed to compromise Gainsight’s systems. From there, they were able to reach into the Salesforce environments of companies using those integrations.

Google hasn’t published a list of affected organizations. Even so, Scattered Lapsus$ Hunters shared on their Telegram channel that they accessed data from companies such as Atlassian, GitLab, F5, SonicWall, Thomson Reuters, and Verizon. Some of the names they mentioned have pushed back publicly. CrowdStrike said its customer data remained secure and that it wasn’t affected by the Gainsight issue. DocuSign also reported no evidence of any data compromise after conducting its internal review. It’s always a bit tricky to know how much weight to give to claims made on cybercriminal forums, but even so, the breadth of the list raised understandable concern.

Once Salesforce confirmed what was happening, it moved quickly to cut off access. The company revoked all active access and refresh tokens tied to Gainsight-published applications, essentially severing the apps from being able to pull or push Salesforce data. Gainsight has acknowledged the issue and says it is cooperating fully with Salesforce. It has also engaged Mandiant to perform an independent forensic review, which should shed more light on how attackers moved between systems.

Q. What is a supply chain attack in cybersecurity?

A. A supply chain attack is a cyber attack that targets an organization by compromising a less-secure element in its supply chain, typically a third-party partner or vendor, to gain access to the main target’s systems or data. In this case, Gainsight was the compromised third-party vendor used to attack Salesforce customers.

Q. How did the hackers steal data from Salesforce customers?

A. The hackers did not breach Salesforce’s core security. They exploited a weakness in the Gainsight-published applications connected to Salesforce. They used compromised OAuth tokens, digital keys that grant an application permission to access data, to gain unauthorized entry into the linked Salesforce customer environments and download data.

Q. Was Salesforce itself hacked?

A. No. Both Salesforce and Gainsight have stated that the incident did not result from any vulnerability in the core Salesforce platform. The breach originated from the external connection established by the third-party Gainsight application. Salesforce acted quickly by blocking the Gainsight application’s access.

Q. What data was exposed in the Gainsight breach?

A. While the full scope is still under investigation, the hackers generally target Customer Relationship Management (CRM) data. This often includes business contact details like names, work email addresses, phone numbers, location details, product licensing information, and the content of customer support cases.

Q. What precautionary steps should companies take now?

A. Companies that use third-party applications with their Salesforce instance should immediately review and audit all connected applications. They should revoke tokens for any application that is unused or appears suspicious, rotate credentials for all integrated services, and limit the access permissions (scopes) granted to third-party apps to only what is strictly necessary.
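The audit described in that answer (find unused or unrecognised connected apps, revoke them, and cut the remaining apps down to the scopes they actually need) can be reduced to a few rules over an inventory of OAuth grants. The script below is an added example of those rules; it is not code from this article, Salesforce or Gainsight. The grant records, their field names and the approved-app list are constructed for the example; the scope strings (`api`, `full`, `web`, `refresh_token`, `offline_access`) are Salesforce OAuth scope names, but which ones count as "too broad" for a given integration is this example's assumption.

```python
"""Audit connected-app OAuth grants for staleness, unknown apps and over-broad scopes."""
from datetime import datetime

# Constructed inventory (not from any real Salesforce org). One entry per
# connected app that currently holds an access/refresh token.
SAMPLE_GRANTS = [
    {"app": "Gainsight", "scopes": {"api", "refresh_token", "full"},
     "last_used": "2025-11-14", "use_count": 1530},
    {"app": "Legacy Reporting Tool", "scopes": {"api", "refresh_token"},
     "last_used": "2025-03-02", "use_count": 12},
    {"app": "Slack Notifications", "scopes": {"api", "refresh_token"},
     "last_used": "2025-11-13", "use_count": 9800},
    {"app": "Unknown App 47", "scopes": {"full", "refresh_token", "web"},
     "last_used": "2025-11-01", "use_count": 1},
]

# Assumption for this example: integrations that sync CRM records need `api`
# (plus a refresh scope); `full` and `web` hand over far more than that.
BROAD_SCOPES = {"full", "web"}
REFRESH_SCOPES = {"refresh_token", "offline_access"}

# Constructed allowlist of integrations the security team has reviewed.
APPROVED = frozenset({"Gainsight", "Legacy Reporting Tool", "Slack Notifications"})


def audit_grants(grants, today, stale_days=90, approved=frozenset()):
    """Return (revoke, tighten).

    revoke  - apps whose tokens should be pulled outright: unused for more
              than `stale_days`, or not on the approved list.
    tighten - approved, active apps that hold broad scopes and should be
              re-authorised with only the scopes they need.
    A revoked app with a refresh scope is marked so the operator remembers
    that the refresh token, not just the access token, must be invalidated.
    """
    today = datetime.fromisoformat(today)
    revoke, tighten = [], []
    for g in grants:
        age = (today - datetime.fromisoformat(g["last_used"])).days
        reasons = []
        if age > stale_days:
            reasons.append(f"unused for {age} days")
        if g["app"] not in approved:
            reasons.append("not on the approved integration list")
        if reasons:
            revoke.append({
                "app": g["app"],
                "reasons": reasons,
                "revoke_refresh_token": bool(g["scopes"] & REFRESH_SCOPES),
            })
            continue
        broad = g["scopes"] & BROAD_SCOPES
        if broad:
            tighten.append({"app": g["app"], "drop": sorted(broad),
                            "keep": sorted(g["scopes"] - broad)})
    return revoke, tighten


if __name__ == "__main__":
    revoke, tighten = audit_grants(SAMPLE_GRANTS, "2025-11-20", approved=APPROVED)
    for r in revoke:
        print(f"REVOKE  {r['app']}: {'; '.join(r['reasons'])}"
              f" (refresh token too: {r['revoke_refresh_token']})")
    for t in tighten:
        print(f"TIGHTEN {t['app']}: drop {t['drop']}, keep {t['keep']}")
```

On the constructed inventory the stale reporting tool and the unrecognised app land on the revoke list, and the active, approved Gainsight grant is flagged to drop `full` while keeping `api` and `refresh_token`; the `revoke_refresh_token` marker mirrors what Salesforce itself did, which was to revoke both access and refresh tokens rather than only the short-lived access token.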
