Hundreds of Salesforce customers hit by yet another third-party vendor breach
Salesforce said yet another breach involving a third-party vendor has compromised customers’ data, warning in a security advisory late Wednesday that it detected unusual activity in Gainsight applications connected to Salesforce customer environments.
“Google Threat Intelligence Group is aware of more than 200 potentially affected Salesforce instances,” Austin Larsen, principal analyst at GTIG, told CyberScoop.
The breach shares strong similarities with an expansive downstream attack spree less than two months ago that impacted more than 700 organizations that had integrated Salesloft Drift with Salesforce.
The attacks targeting Gainsight, which bills itself as “customer success” software, and Salesloft Drift customer integrations with Salesforce are also linked to the same threat group or associated cybercriminals. “We assess this is likely the same threat cluster — ShinyHunters or UNC6240 — related to other recent campaigns targeting Salesforce instances, such as UNC6040,” Larsen said.
Salesforce responded to both attacks by revoking the access tokens that connected the third-party apps to customers’ Salesforce environments.
“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in the advisory. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”
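Because Salesforce attributes the activity to the app’s external connection rather than to the platform, the place a customer can look for it is their own login history: OAuth connected-app logins are recorded there with the application name and source IP. The script below is an added example, not code from the article, Salesforce, Gainsight or Salesloft. It assumes the connected apps appear under the Application values “Gainsight” and “Drift” and that OAuth logins carry the LoginType “Remote Access 2.0”; the rows and the vendor egress ranges (RFC 5737 documentation blocks) are constructed for illustration. It flags two things that a stolen token tends to produce: logins from an address outside the vendor’s documented ranges, and a burst of logins far denser than an integration’s normal periodic sync.

```python
"""Hunt Salesforce LoginHistory-style records for suspicious connected-app logins.

Added example; not code from the article, Salesforce, Gainsight or Salesloft.
Field names mirror Salesforce's LoginHistory object (Application, LoginType,
SourceIp, LoginTime, Status, UserId). The rows, app names and IP ranges below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the Application values these connected apps show in LoginHistory,
# mapped to the egress ranges the vendor documents. The ranges here are RFC 5737
# documentation blocks, not real vendor addresses.
WATCHED_APPS = {
    "Gainsight": [ip_network("203.0.113.0/24")],
    "Drift": [ip_network("198.51.100.0/24")],
}
# Assumption: LoginType value Salesforce records for OAuth 2.0 connected-app logins.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"


def _row(app, ip, when, user="005000000000001", status="Success", login_type=OAUTH_LOGIN_TYPE):
    """Build one constructed LoginHistory-like record."""
    return {"Application": app, "LoginType": login_type, "SourceIp": ip,
            "LoginTime": when, "Status": status, "UserId": user}


# Constructed sample rows; a real run would feed the result of
# SELECT Application, LoginType, SourceIp, LoginTime, Status, UserId FROM LoginHistory
SAMPLE_ROWS = [
    _row("Gainsight", "203.0.113.10", "2025-11-19T08:00:00+00:00"),
    _row("Gainsight", "203.0.113.11", "2025-11-19T14:00:00+00:00"),
    _row("Gainsight", "192.0.2.77", "2025-11-19T23:30:00+00:00"),  # outside documented egress
    _row("Gainsight", "192.0.2.77", "2025-11-19T23:31:00+00:00", status="Failed"),  # not a success
    _row("Drift", "198.51.100.5", "2025-11-20T02:00:00+00:00"),
    _row("Drift", "198.51.100.5", "2025-11-20T02:01:00+00:00"),
    _row("Drift", "198.51.100.5", "2025-11-20T02:02:00+00:00"),
    _row("Drift", "198.51.100.5", "2025-11-20T02:03:00+00:00"),
    _row("Drift", "198.51.100.5", "2025-11-20T02:04:00+00:00"),
    _row("Drift", "198.51.100.5", "2025-11-20T02:05:00+00:00"),
    _row("Salesforce for iOS", "192.0.2.9", "2025-11-20T02:06:00+00:00", login_type="Application"),
]


def is_known_egress(ip, ranges):
    """True when ip falls inside one of the vendor's documented ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def find_suspicious_app_logins(rows, watched=WATCHED_APPS, burst_n=5, window=timedelta(minutes=10)):
    """Return findings for successful OAuth logins by watched apps that come from an
    undocumented source IP, or that arrive in a burst of burst_n or more within window."""
    by_app = defaultdict(list)
    for r in rows:
        if (r["Status"] == "Success" and r["LoginType"] == OAUTH_LOGIN_TYPE
                and r["Application"] in watched):
            by_app[r["Application"]].append(r)

    findings = []
    for app, app_rows in by_app.items():
        for r in app_rows:
            if not is_known_egress(r["SourceIp"], watched[app]):
                findings.append({"app": app, "reason": "unknown_source_ip",
                                 "ip": r["SourceIp"], "user": r["UserId"], "time": r["LoginTime"]})
        # Sliding window over sorted login times: a token replayed in rapid succession
        # looks different from the periodic sync an integration normally performs.
        times = sorted(datetime.fromisoformat(r["LoginTime"]) for r in app_rows)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst_n:
                findings.append({"app": app, "reason": "login_burst", "count": end - start + 1,
                                 "window_start": times[start].isoformat()})
                break
    return findings


def apps_to_revoke(findings):
    """Connected apps whose tokens warrant revocation, mirroring Salesforce's own response."""
    return sorted({f["app"] for f in findings})


if __name__ == "__main__":
    hits = find_suspicious_app_logins(SAMPLE_ROWS)
    for hit in hits:
        print(hit)
    print("revoke tokens for:", apps_to_revoke(hits))
```

On the constructed data the script reports one Gainsight login from an undocumented address and a five-login burst for Drift, and lists both apps for token revocation. Against real data the egress ranges must come from the vendor, and a hit is a lead for the investigation, not proof of compromise on its own.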
The company did not say when or how it became aware of the unauthorized activity in customer environments. A Salesforce spokesperson did not provide additional details and said it will update its security page with more information and customer guidance as appropriate.
Which organizations were affected by the attack originating in Gainsight’s Salesforce connector has not been disclosed, but the platform has about 1,000 customers, including many well-known enterprises and technology firms.
Gainsight issued its first public alert about Salesforce connection failures on its status page late Wednesday. “We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications,” the company said in an update Thursday.
The company said the Gainsight app has also been “temporarily pulled” from the HubSpot Marketplace, a move that may disrupt OAuth access for customer connections with that platform. “No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only.”
While broader impact hasn’t been confirmed, the precautionary step beyond Salesforce suggests that any service customers connected through Gainsight could fall within the breach’s scope. When Google security researchers responded to the Salesloft Drift attacks in August, they concluded that any organization that had integrated the AI chat agent platform with another service may have been compromised.
In a twist of irony, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the previous attacks.
Gainsight, which said its internal investigation is ongoing, did not say how its customers’ access tokens may have been compromised. Salesloft ultimately pinned the root cause of the Drift supply-chain attacks to a threat group that gained access to its GitHub account as far back as March, lurking in the Salesloft application environment undetected until it stole data from hundreds of organizations during a 10-day period in mid-August.
Gainsight did not respond to a request for comment.