Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform.
“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today.
The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group.
In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident.
“Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.”
The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.
Salesforce Detects ‘Unusual Activity’ Involving Gainsight App
Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers.
“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.”
Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said.
Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.
Salesloft Drift Breach Affected Gainsight Too
It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too.
Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment.
The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.