Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack.
On Thursday, Salesforce disclosed a breach of “certain customers’ Salesforce data” — without naming affected companies — that was stolen through apps published by Gainsight, which provides a customer support platform to other companies.
In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company “is aware of more than 200 potentially affected Salesforce instances.”
After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which information.killnetswitch has seen.
The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
Contact Us
Do you have more information about these Salesforce and Gainsight data breaches? Or other data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
Google would not comment on specific victims.
CrowdStrike’s spokesperson Kevin Benacci told information.killnetswitch in a statement that the company is “not affected by the Gainsight issue and all customer data remains secure.” CrowdStrike confirmed to information.killnetswitch that it terminated a “suspicious insider” for allegedly passing information to hackers.
information.killnetswitch reached out to all the companies mentioned by Scattered Lapsus$ Hunters.
Verizon spokesperson Kevin Israel said in a statement that “Verizon is aware of the unsubstantiated claim by the threat actor,” without providing evidence for this claim.
Malwarebytes spokesperson Ashley Stewart told information.killnetswitch that the company’s security team is “aware” of the Gainsight and Salesforce issues and “actively investigating the matter.”
A spokesperson for Thomson Reuters said the company is “actively investigating.”
Michael Adams, the chief information security officer at Docusign, told information.killnetswitch in a statement that “following a complete log evaluation and internal investigation, we have no indication of Docusign data compromise at the moment.” However, Adams said that, “out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows.”
At the time of publishing, none of the other companies responded to requests for comment.
Hackers with the ShinyHunters group told information.killnetswitch in an online chat that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered advertising and marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their linked Salesforce instances and download their contents.
At the time, Gainsight confirmed it was among the victims of that hacking campaign.
“Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised solely by us,” a spokesperson for the ShinyHunters group told information.killnetswitch.
Salesforce spokesperson Nicole Aranda told information.killnetswitch that “as a matter of policy, Salesforce doesn’t comment on specific customer issues.”
Gainsight did not respond to information.killnetswitch’s requests for comment.
On Thursday, Salesforce said there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” effectively distancing itself from its customers’ data breaches.
Gainsight has been publishing updates about the incident on its incident page. On Friday, the company said that it is now working with Google’s incident response unit Mandiant to help investigate the breach, that the incident in question “originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform,” and that “a forensic evaluation is continuing as part of a complete and unbiased assessment.”
“Salesforce has quickly revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues,” according to Gainsight’s incident page, which said Salesforce is notifying affected customers whose data was stolen.
In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is the group’s modus operandi; in October, the hackers also published a similar extortion website after stealing victims’ Salesforce data in the Salesloft incident.
The Scattered Lapsus$ Hunters is a collective of English-speaking hackers made up of several cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into granting the hackers access to their systems or databases. In the past few years, these groups have claimed several high-profile victims, such as MGM Resorts, Coinbase, DoorDash, and more.
This story was updated to include comments from Docusign, Thomson Reuters, and Verizon.



