Salesforce Confirms New Breach Linked to Gainsight Apps

Another day, another third-party scare in the Salesforce ecosystem.

Salesforce confirmed that it is investigating “unusual activity involving Gainsight-published applications connected to Salesforce,” according to a security advisory posted on its status page. The company said its investigation indicates the activity “may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.”

To contain the threat, Salesforce immediately revoked all active access and refresh tokens tied to Gainsight applications and temporarily pulled those apps from the AppExchange. The company stressed that there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” adding that the suspicious activity appears to be linked to “the app’s external connection to Salesforce.”

Impacted customers have been notified directly, Salesforce said.

Gainsight confirms investigation, brings in Mandiant

Gainsight has been posting continuous updates on its own status page as it attempts to determine the root cause of the issue. The company acknowledged ongoing connection failures and said it has launched an internal investigation.

In a Thursday update, the company revealed it has engaged Google-owned incident response firm Mandiant to support the forensic work.

“Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform,” Gainsight said. The company added that access to Gainsight via Salesforce is still unavailable.

As part of its precautions, Gainsight said access to its Zendesk connector has also been revoked and that its app was “temporarily pulled” from the HubSpot Marketplace, noting: “No suspicious activity related to HubSpot has been observed at this point. These are precautionary steps only.”

ShinyHunters claims responsibility — again

The hacking group ShinyHunters told DataBreaches.net that they are responsible for the latest intrusion.

The outlet reported that when asked whether the Gainsight campaign was theirs, the group replied, “Unfortunately, yes,” explaining that it was “probably the 3rd of [sic] 4th large-scale campaign against Salesforce by the same group again.”

They also threatened to escalate if Salesforce doesn’t cooperate, saying, “The next DLS will contain the data of the Salesloft and GainSight campaigns.” They claimed that the combined activity will affect “almost 1000 organisations,” including major companies such as Verizon, Gitlab, F5, SonicWall, and others.

Security analysts say the activity matches patterns they’ve been watching closely. Austin Larsen, a principal analyst with Google’s Threat Intelligence Group (GTIG), said in a LinkedIn post that his team is “monitoring an emerging campaign targeting Gainsight-published applications connected to Salesforce.”

According to Larsen, GTIG has observed threat actors linked to ShinyHunters compromising third-party OAuth tokens in an attempt to gain access to Salesforce customer environments.
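Larsen's description above (a third-party connected app's OAuth tokens used to reach customer data) suggests the check a Salesforce admin would want to run against login records: which logins came in through the connected app, whether they came from the vendor's expected addresses, and whether any succeeded after the tokens were revoked. The following is an added example, not code from the article, Salesforce or Gainsight; the record field names mirror the LoginHistory object but are treated here as assumptions, and the app's egress range, user ids and timestamps are constructed placeholders.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: the moment the platform revoked the app's access/refresh tokens.
REVOKED_AT = datetime(2025, 11, 20, 0, 0, tzinfo=timezone.utc)

# Assumption: the vendor publishes fixed egress ranges for its integration.
# 203.0.113.0/24 is a documentation range, used here as a placeholder.
APP_EGRESS = {"Gainsight": [ip_network("203.0.113.0/24")]}

# Constructed sample rows shaped like Salesforce LoginHistory records.
# "Remote Access 2.0" is the login type an OAuth connected app shows up as.
SAMPLE_LOGINS = [
    {"LoginTime": "2025-11-19T10:15:00Z", "UserId": "005xx0000001AAA", "SourceIp": "203.0.113.7",
     "LoginType": "Remote Access 2.0", "Application": "Gainsight", "Status": "Success"},
    {"LoginTime": "2025-11-19T11:02:00Z", "UserId": "005xx0000001AAA", "SourceIp": "198.51.100.23",
     "LoginType": "Remote Access 2.0", "Application": "Gainsight", "Status": "Success"},
    {"LoginTime": "2025-11-19T11:05:00Z", "UserId": "005xx0000002BBB", "SourceIp": "198.51.100.23",
     "LoginType": "Remote Access 2.0", "Application": "Gainsight", "Status": "Failed"},
    {"LoginTime": "2025-11-19T12:00:00Z", "UserId": "005xx0000002BBB", "SourceIp": "198.51.100.40",
     "LoginType": "Application", "Application": "Browser", "Status": "Success"},
    {"LoginTime": "2025-11-20T03:30:00Z", "UserId": "005xx0000001AAA", "SourceIp": "203.0.113.9",
     "LoginType": "Remote Access 2.0", "Application": "Gainsight", "Status": "Success"},
]


def parse_ts(value):
    """LoginHistory timestamps are UTC ISO-8601; parse into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_connected_app_logins(logins, app_egress, revoked_at):
    """Return (kind, app, user, ip, time) findings for successful OAuth logins
    via a watched connected app that came from an unexpected address, or that
    succeeded after the app's tokens were revoked (revocation did not take)."""
    findings = []
    for rec in logins:
        app = rec.get("Application")
        if rec.get("LoginType") != "Remote Access 2.0" or app not in app_egress:
            continue  # not an OAuth login through a watched app
        if rec.get("Status") != "Success":
            continue  # failed attempts are noise for this check
        ip = ip_address(rec["SourceIp"])
        when = parse_ts(rec["LoginTime"])
        if not any(ip in net for net in app_egress[app]):
            findings.append(("unexpected_source", app, rec["UserId"], rec["SourceIp"], rec["LoginTime"]))
        if when >= revoked_at:
            findings.append(("post_revocation", app, rec["UserId"], rec["SourceIp"], rec["LoginTime"]))
    return findings


if __name__ == "__main__":
    for finding in audit_connected_app_logins(SAMPLE_LOGINS, APP_EGRESS, REVOKED_AT):
        print(*finding)
```

Against real data the rows would come from a SOQL query on LoginHistory (or the Event Monitoring equivalent) and the egress ranges from the vendor's documentation; any post-revocation hit means the token revocation must be re-checked.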

As of the time of writing, Gainsight said its “security and engineering teams are collaborating with Salesforce to analyze the technical details, validate configurations, and determine safe restoration steps,” adding that it is still consolidating information “internally and externally” and will provide a more detailed update within the next hour.

Elsewhere in large-scale breach fallout, recent analysis of AT&T’s $177 million data breach settlement breaks down who qualifies for payouts and how the compensation tiers work.
