Salesforce Unveils Agentforce: Enterprise AI Solution

A large-scale supply chain hack has resulted in the theft of Salesforce-stored data from over 200 companies, with Google confirming the extent of the breach. The incident occurred via apps published by Gainsight, a customer support platform provider, and has been claimed by the notorious hacking group Scattered Lapsus$ Hunters. This group, known for its nebulous and elusive nature, has a history of targeting high-profile victims using social engineering tactics to gain access to company systems and databases.

The breach was first disclosed by Salesforce, which stated that certain customers’ data had been stolen without revealing the affected companies. However, Google’s Threat Intelligence Group later confirmed that over 200 Salesforce instances had been potentially affected. Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, took responsibility for the hacks in a Telegram channel, naming several prominent companies including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

While some companies, such as CrowdStrike and Docusign, have denied being affected by the breach, others have confirmed that they are investigating the matter. Verizon stated that it is aware of the unsubstantiated claim by the threat actor, but has not provided evidence to support this claim. Malwarebytes and Thomson Reuters have also confirmed that they are actively investigating the issue. Atlassian, F5, GitLab, LinkedIn, and SonicWall have not responded to requests for comment.

The hackers gained access to Gainsight’s system through a previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing them to break into their linked Salesforce instances and download their contents. Gainsight was among the victims of that hacking campaign, and the hackers used this access to steal data from Salesforce instances connected to Gainsight’s apps.

Salesforce has distanced itself from the breach, stating that there is no indication that the issue resulted from any vulnerability in the Salesforce platform. The company has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while the investigation into unusual activity continues. Gainsight is working with Google’s incident response unit Mandiant to investigate the breach and has published updates about the incident on its incident page.

The Scattered Lapsus$ Hunters group has announced plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is not the first time the group has used this tactic, having published a similar extortion website after stealing victims’ Salesforce data in the Salesloft incident in October. The group’s modus operandi involves using social engineering tactics to trick company employees into granting them access to their systems or databases, and they have claimed several high-profile victims in the past, including MGM Resorts, Coinbase, and DoorDash.

The incident highlights the importance of robust security measures and vigilance in the face of increasingly sophisticated cyber threats. Companies must be proactive in protecting their data and systems, and must be prepared to respond quickly and effectively in the event of a breach. The fact that Scattered Lapsus$ Hunters was able to gain access to Gainsight’s system through a previous hacking campaign underscores the need for companies to be aware of potential vulnerabilities in their supply chain and to take steps to mitigate these risks. As the investigation into the breach continues, it is likely that more information will come to light about the extent of the damage and the measures that companies can take to protect themselves against similar threats in the future.

Mr Tactition
Self-Taught Software Developer and Entrepreneur
