Google has confirmed that hackers have stolen Salesforce-stored data belonging to more than 200 companies in a large supply chain attack.

The incident began when Salesforce revealed that some customer data had been accessed without permission through apps created by Gainsight, a company that provides customer support tools. Salesforce did not name any of the affected businesses, but the scale of the breach quickly became clear.

According to Austin Larsen from Google’s Threat Intelligence Group, the company has identified more than 200 potentially compromised Salesforce environments. Soon after Salesforce made the breach public, a hacking group known as Scattered Lapsus Hunters, which includes the well-known ShinyHunters gang, claimed responsibility in a Telegram channel. They said they had targeted well-known organizations including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Many companies have declined to confirm whether they were actually affected. Google also refused to comment on specific victims. CrowdStrike said it was not impacted by the Gainsight breach and confirmed that it had recently fired a suspicious insider for allegedly sharing information with hackers. Verizon said it was aware of the hackers’ claims but described them as unverified. Malwarebytes and Thomson Reuters both said they were investigating the situation. Docusign reported that its internal review showed no signs of data theft, but it still ended all integrations with Gainsight as a precaution.

The hackers told TechCrunch that their access to Gainsight came from an earlier attack targeting customers of Salesloft, the company behind the AI-powered Drift marketing platform. In that campaign, the hackers stole authentication tokens from Drift customers and used those tokens to break into the customers' connected Salesforce accounts. Gainsight later confirmed it was one of the victims of that previous attack. Representatives of the ShinyHunters group said that once they breached Gainsight through Salesloft, they were able to fully compromise the company.

Salesforce declined to comment on individual customer issues, while Gainsight has not responded to requests for comment. Salesforce emphasized that its platform had not been compromised and that the breach was caused by external applications linked to customer accounts. Gainsight has been posting updates on its incident page and said it is now working with Google’s Mandiant team to investigate what happened. The company said the breach began from an external connection, not a Salesforce flaw, and that investigators are still performing a full forensic review. Salesforce has temporarily disabled active access tokens for apps connected to Gainsight while the investigation continues, and it is notifying affected customers.


The Scattered Lapsus Hunters group said it plans to launch an extortion website next week to pressure victims into paying. The group has used the same tactic before, most recently in October, when it published stolen Salesforce data from another Salesloft-related breach. Scattered Lapsus Hunters is a loose collective of English-speaking cybercriminals, including members of ShinyHunters, Scattered Spider, and Lapsus$. They are known for using social engineering to trick employees into handing over access to internal systems. In recent years, they have claimed responsibility for several major breaches affecting companies like MGM Resorts, Coinbase, and DoorDash.
