
Salesforce Instances Hacked via Gainsight Integrations

The infamous ShinyHunters hackers have targeted customer-managed Gainsight-published applications to steal data from Salesforce instances. The post Salesforce Instances Hacked via Gainsight Integrations appeared first on SecurityWeek.

The ShinyHunters hacking group has launched a new data theft campaign against Salesforce customers, exploiting Gainsight integrations to access their instances.

Immediately after discovering the incident, Salesforce revoked all active access and tokens associated with the Gainsight applications connected to its platform. It temporarily removed the applications from the platform while investigating the attack.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said on Thursday morning.

Salesforce said it notified the affected customers directly, but did not share details on how many organizations might have been affected. In the meantime, access to Gainsight via Salesforce remains unavailable.

On Thursday evening, Gainsight revealed that only three organizations were known to have been compromised in the attack, and that it was investigating the incident together with Salesforce and a third-party forensics firm.

“Our third-party will issue a formal report and any remediation guidance. Gainsight will likely move to a packaged version of the Connected App to ensure a clean and secure reset. While no one can guarantee absolute protection, we will only turn services back on once fully vetted,” the company said.

Once the connector is re-enabled, it will require re-authorization. Gainsight says each compromised token “was scoped to a single customer”, but all organizations should rotate keys, credentials, and certificates for their Gainsight integrations.

In a LinkedIn post, Google Threat Intelligence Group’s principal threat analyst Austin Larsen said that Mandiant is investigating the attack and that the notorious ShinyHunters hackers are responsible for it.

The attackers are “compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances,” Larsen said.

“Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations. We saw this recently with the campaign targeting Salesloft Drift, and we are seeing it again now,” he added.

According to DataBreaches, ShinyHunters has confirmed the attack. The hacking group, responsible for several data exfiltration campaigns targeting Salesforce customers, said it has claimed roughly 1,000 victims to date.

Gainsight itself was one of the organizations affected by a recent campaign that hit Salesforce customers through their integrations with the third-party AI chatbot Salesloft Drift.

Hundreds of organizations were affected, including numerous security firms, after hackers used compromised OAuth tokens to exfiltrate large amounts of data from their Salesforce instances. The hackers stole the tokens from Drift’s AWS instance after compromising Salesloft’s GitHub account.
