Google has confirmed a significant data breach affecting over 200 companies, where hackers stole Salesforce-stored customer data through a large-scale supply chain attack involving applications from Gainsight, a customer support platform provider. The breach was initially disclosed by Salesforce on Thursday, with Google's Principal Threat Analyst, Austin Larsen, stating awareness of "more than 200 potentially affected Salesforce instances."

Hackers Claim Responsibility and Plan Extortion

Following Salesforce's disclosure, the notorious cybercrime collective, Scattered Lapsus$ Hunters – which includes the prominent ShinyHunters gang – publicly claimed responsibility for the breaches via a Telegram channel. The group specifically listed several high-profile companies whose data they allegedly compromised, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Google declined to comment on specific victims. While many companies listed by the hackers remained silent, CrowdStrike's spokesperson Kevin Benacci stated that the company was "not affected by the Gainsight issue and all customer data remains secure," adding that a "suspicious insider" had been terminated for allegedly sharing information with hackers. Malwarebytes confirmed its security team was "aware" and "actively investigating," while Verizon acknowledged receipt of inquiries.

How the Attack Unfolded

ShinyHunters, a subgroup of Scattered Lapsus$ Hunters, revealed that their access to Gainsight stemmed from a prior hacking campaign. This earlier attack targeted customers of Salesloft, a provider of the AI and chatbot-powered marketing platform called Drift. The hackers reportedly stole Drift authentication tokens from these customers, which then enabled them to breach those customers' linked Salesforce instances and exfiltrate data. Gainsight had previously confirmed its status as a victim in that Salesloft-related incident.

"Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us," said ShinyHunters.

Salesforce and Gainsight Respond

Salesforce, through spokesperson Nicole Aranda, maintained its policy of not commenting on specific customer issues. The company also asserted that there was "no indication that this issue resulted from any vulnerability in the Salesforce platform," effectively distancing itself from its customers' data breaches. Gainsight, which did not respond to requests for comment, has been providing updates on its incident page.

On Friday, Gainsight announced it is collaborating with Google's incident response unit, Mandiant, for the investigation. Gainsight reiterated that the incident "originated from the applications’ external connection – not from any issue or vulnerability within the Salesforce platform," and that "a forensic analysis is continuing as part of a comprehensive and independent review." As a precautionary measure, Salesforce has temporarily revoked active access tokens for Gainsight-connected apps and is notifying affected customers whose data was stolen.
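The attack path above (a third-party app's OAuth tokens used to pull data from linked Salesforce instances) and the response (revoking the connected app's tokens) can be rehearsed with a small triage script. The following is an added illustration, not code from the article, Salesforce, Gainsight or Google; it runs over constructed API activity records and a constructed per-app baseline, and the app names, token ids and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real logs): one API call made through a
# connected app's OAuth token, as (app_name, token_id, object, rows_returned).
CONSTRUCTED_API_LOG = [
    ("internal-billing", "tok-001", "Account", 120),
    ("gainsight-cs", "tok-107", "Account", 48_000),
    ("gainsight-cs", "tok-107", "Contact", 91_000),
    ("gainsight-cs", "tok-108", "Case", 15_000),
    ("internal-billing", "tok-001", "Opportunity", 300),
    ("drift-chat", "tok-205", "Lead", 2_200),
    ("unknown-app", "tok-999", "Contact", 10),
]

# Constructed per-app baseline: typical rows pulled per day, taken from each
# app's own history. An app absent here was never reviewed or registered.
CONSTRUCTED_BASELINE = {"internal-billing": 500, "gainsight-cs": 3_000, "drift-chat": 2_500}


def rows_by_app(log):
    """Total rows returned per connected app over the window."""
    totals = defaultdict(int)
    for app, _token, _obj, rows in log:
        totals[app] += rows
    return dict(totals)


def flag_apps(log, baseline, factor=10):
    """Return {app: reason} for apps to investigate: an unregistered app, or
    one that pulled more than `factor` times its usual daily volume."""
    flagged = {}
    for app, total in rows_by_app(log).items():
        if app not in baseline:
            flagged[app] = "unregistered connected app"
        elif total > baseline[app] * factor:
            flagged[app] = f"bulk export: {total} rows vs baseline {baseline[app]}/day"
    return flagged


def tokens_to_revoke(log, flagged):
    """Every token seen in use by a flagged app; these are the credentials to
    revoke while the app's external connection is reviewed."""
    return sorted({token for app, token, _obj, _rows in log if app in flagged})


if __name__ == "__main__":
    flagged = flag_apps(CONSTRUCTED_API_LOG, CONSTRUCTED_BASELINE)
    for app, reason in flagged.items():
        print(f"{app}: {reason}")
    print("revoke:", tokens_to_revoke(CONSTRUCTED_API_LOG, flagged))
```

The same two checks (unregistered integrations, and volume far above an app's own baseline) are what a tenant owner would want to run before, not after, a vendor announces that its connection was abused.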

Scattered Lapsus$ Hunters' Modus Operandi

True to their established modus operandi, Scattered Lapsus$ Hunters announced plans to launch a dedicated website next week to extort victims of this latest campaign. They employed a similar tactic in October, publishing an extortion website after stealing Salesforce data during the Salesloft incident.

Scattered Lapsus$ Hunters is an English-speaking collective comprising several notorious cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$. These groups are known for employing social engineering tactics to manipulate company employees into granting unauthorized access to systems and databases. Their past high-profile victims include MGM Resorts, Coinbase, and DoorDash.