Google Confirms Hackers Stole Data From 200 Companies via Gainsight

Major Gainsight Supply Chain Breach Hits 200+ Companies

SAN FRANCISCO – Google has confirmed that hackers stole Salesforce-stored data from more than 200 companies in a large-scale supply chain hack via apps published by Gainsight, a customer support platform.

Austin Larsen, principal threat analyst at Google Threat Intelligence Group, stated that the company is “aware of more than 200 potentially affected Salesforce instances.”

The breach was claimed by the hacking collective Scattered Lapsus$ Hunters, which includes members of the ShinyHunters gang. The hackers stated they accessed data from major companies, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

How the Hackers Gained Access

The hackers reportedly leveraged a prior campaign against Salesloft, which provides AI-driven marketing tools like Drift. They stole authentication tokens from Salesloft customers, allowing them to break into linked Salesforce instances through Gainsight.

“Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us,” said a spokesperson for ShinyHunters.

Salesforce confirmed the breach did not stem from vulnerabilities in its platform and has temporarily revoked active access tokens for Gainsight-connected apps as a precaution. Gainsight is collaborating with Google’s incident response unit, Mandiant, to investigate the incident.

Company Responses and Mitigation Efforts

Several affected companies provided statements on their current security posture:

CrowdStrike: Not affected; terminated a suspicious insider.

Docusign: No evidence of compromise; terminated Gainsight integrations and contained data flows.

Verizon & Thomson Reuters: Actively investigating.

Malwarebytes: Aware and investigating Gainsight/Salesforce issues.

Salesforce has stated it is following its policy of not commenting on specific customer cases.

Hacker Extortion Plans

The Scattered Lapsus$ Hunters collective has a history of data theft and extortion campaigns. Following the breach, they announced plans to launch a dedicated website to extort victims, mirroring tactics used in the October Salesloft incident. The group has previously targeted high-profile companies including MGM Resorts, Coinbase, and DoorDash.

These groups rely on social engineering and other techniques to compromise corporate systems, underscoring the growing threat of sophisticated supply chain attacks.

Looking Ahead

This incident highlights the risks of third-party software in enterprise environments, especially platforms connected to cloud services like Salesforce. Companies are advised to monitor for unusual activity, enforce strict access controls, and coordinate with incident response teams to mitigate further exposure.
