Google reports that cybercriminals accessed information from 200 firms after the Gainsight security incident

By: Bitget-RWA, 2025/11/22 01:49

Google has acknowledged that cybercriminals have compromised Salesforce data belonging to over 200 organizations in a significant supply chain attack.

Salesforce revealed on Thursday that “some customers’ Salesforce data” had been accessed in a breach—though it did not specify which companies were impacted. The breach occurred through applications developed by Gainsight, a company that offers customer support solutions to other businesses.  

Austin Larsen, principal threat analyst at Google Threat Intelligence Group, stated that the company is “aware of more than 200 Salesforce instances that may have been impacted.”

Following Salesforce’s announcement, the hacking collective known as Scattered Lapsus$ Hunters—which includes the ShinyHunters group—claimed responsibility for the attacks in a Telegram post reviewed by TechCrunch. 

The group asserted that they were behind breaches affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Google declined to discuss individual victims.

Kevin Benacci, a spokesperson for CrowdStrike, told TechCrunch that the company “is not impacted by the Gainsight incident and all customer data is safe.” CrowdStrike also confirmed to TechCrunch that it dismissed a “suspicious insider” accused of leaking information to hackers.

TechCrunch contacted all organizations named by Scattered Lapsus$ Hunters.

Kevin Israel, a spokesperson for Verizon, stated, “Verizon is aware of the unverified claim made by the threat actor,” but did not provide supporting evidence.

Ashley Stewart, speaking for Malwarebytes, told TechCrunch that their security team is “aware” of the issues involving Gainsight and Salesforce and is “actively looking into the situation.”

A Thomson Reuters representative said the company is “actively investigating.”

Michael Adams, Docusign’s chief information security officer, told TechCrunch that “after a thorough review of our logs and an internal investigation, we have found no evidence of any Docusign data breach at this time.” Adams added, “as a precaution, we have disabled all Gainsight integrations and restricted related data transfers.”

As of publication, the remaining companies had not replied to requests for comment.

Members of the ShinyHunters group told TechCrunch in an online conversation that they accessed Gainsight by leveraging a previous attack on Salesloft customers. Salesloft offers an AI-driven marketing platform called Drift. In that earlier breach, the hackers obtained Drift authentication tokens from Salesloft customers, which enabled them to infiltrate connected Salesforce accounts and extract their data.

At that time, Gainsight confirmed it was one of the organizations affected by the earlier attack. 

“Gainsight was a Salesloft Drift client, and as a result, we were able to fully compromise them,” a ShinyHunters spokesperson told TechCrunch.

Nicole Aranda, a Salesforce spokesperson, told TechCrunch that “as a standard practice, Salesforce does not address individual customer matters.”

Gainsight did not reply to TechCrunch’s inquiries for comment.

On Thursday, Salesforce stated there is “no evidence that this issue was caused by a vulnerability in the Salesforce platform,” distancing itself from the breaches affecting its clients’ data.

Gainsight has been sharing updates on the incident on its status page. On Friday, the company announced it is collaborating with Google’s Mandiant incident response team to investigate the breach, clarified that the incident “stemmed from the applications’ external connection—not from any flaw or vulnerability in the Salesforce platform,” and said that a forensic review is ongoing as part of an independent investigation.

“As a precaution, Salesforce has temporarily revoked active access tokens for apps linked to Gainsight while they continue to investigate the suspicious activity,” according to Gainsight’s incident page, which also noted that Salesforce is informing affected customers whose data was compromised. 

On its Telegram channel, Scattered Lapsus$ Hunters announced plans to launch a dedicated extortion website targeting victims of this campaign by next week. This follows the group’s usual tactics; in October, they set up a similar site after stealing Salesforce data in the Salesloft incident. 

Scattered Lapsus$ Hunters is a network of English-speaking hackers comprising several cybercrime groups, including ShinyHunters, Scattered Spider, and Lapsus$. These members often use social engineering to deceive employees into granting them access to company systems or databases. In recent years, these groups have claimed responsibility for attacking high-profile targets such as MGM Resorts, Coinbase, DoorDash, and others.

This article has been updated to add statements from Docusign, Thomson Reuters, and Verizon.
