Google says hackers stole information from 200 firms following Gainsight breach

Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack.

On Thursday, Salesforce disclosed a breach of “certain customers’ Salesforce data” — without naming affected companies — that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.  

In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company “is aware of more than 200 potentially affected Salesforce instances.”

After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen. 

The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, Linkedin, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Google would not comment on specific victims.

CrowdStrike’s spokesperson Kevin Benacci told TechCrunch in a statement that the company is “not affected by the Gainsight issue and all customer data remains secure.” CrowdStrike confirmed to TechCrunch that it terminated a “suspicious insider” for allegedly passing information to hackers.

TechCrunch reached out to all the companies mentioned by Scattered Lapsus$ Hunters.

Verizon spokesperson Kevin Israel said in a statement that “Verizon is aware of the unsubstantiated claim by the threat actor,” without providing evidence for this claim.

Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company’s security team is “aware” of the Gainsight and Salesforce issues and “actively investigating the matter.”

A spokesperson for Thomson Reuters said the company is “actively investigating.”

Michael Adams, the chief information security officer at Docusign told TechCrunch in a statement that “following a comprehensive log analysis and internal investigation, we have no indication of Docusign data compromise at this time.” However, Adams said that, “out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows.”

At the time of publishing, none of the other companies responded to requests for comment.

Hackers with the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their linked Salesforce instances and download their contents.

At the time, Gainsight confirmed it was among the victims of that hacking campaign. 

“Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us,” a spokesperson for the ShinyHunters group told TechCrunch.

Salesforce spokesperson Nicole Aranda told TechCrunch that “as a matter of policy, Salesforce does not comment on specific customer issues.”

Gainsight did not respond to TechCrunch’s requests for comment.

On Thursday, Salesforce said there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” effectively distancing itself from its customers’ data breaches.

Gainsight has been publishing updates about the incident on its incident page. On Friday, the company said that it is now working with Google’s incident response unit Mandiant to help investigate the breach, that the incident in question “originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform,” and that “a forensic analysis is continuing as part of a comprehensive and independent review.”

“Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues,” according to Gainsight’s incident page, which said Salesforce is notifying affected customers whose data was stolen. 

In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is the group’s modus operandi; in October, the hackers also published a similar extortion website after stealing victims’ Salesforce data in the Salesloft incident. 

The Scattered Lapsus$ Hunters is a collective of English-speaking hackers made up of several cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into granting the hackers access to their systems or databases. In the last few years, these groups have claimed several high-profile victims, such as MGM Resorts, Coinbase, DoorDash, and more.

This story was updated to include comments from Docusign, Thomson Reuters, and Verizon.