Salesforce investigates new incident echoing Salesloft Drift compromise


In what may be a repeat of the Salesloft Drift supply chain compromise, Salesforce confirmed that they’ve identified unusual activity involving Gainsight-published apps connected to Salesforce.

“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection. Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues,” the company stated.

“There is no indication that this issue resulted from any vulnerability in the Salesforce platform.”

Gainsight confirms disruption

Gainsight is a company that offers a “customer success and product experience” platform, which can be integrated with customers’ Salesforce CRM environment via a specialized tool (connector).

The company’s status page currently says that the Salesforce connection issue identified earlier today was due to Salesforce revoking active access (i.e., access tokens) for Gainsight’s SFDC Connector.

They have mounted an internal investigation and will share updates when they know more, the company added.

In the meantime, Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, said that threat actors tied to ShinyHunters – the group that claimed the Salesloft Drift compromise – have been observed compromising Gainsight OAuth tokens to gain access to Salesforce customer instances.

“Salesforce and Mandiant (part of Google Cloud) are actively notifying potentially affected organizations. If you use Gainsight integrations, monitor for official communications from Gainsight and Salesforce,” he advised.

He also urged organizations to review all third-party applications connected to their Salesforce instance, revoke tokens for unused or suspicious applications, and to immediately rotate credentials if they detect anomalous activity from an integration.
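As an added illustration of that review step (this code is not from the article, Salesforce, Gainsight or Google), the triage below works on the result of a SOQL query against the Salesforce OauthToken object, which lists connected-app grants per user; the query shape, the allowlist and the sample response are assumptions and constructed data, not values from the article.

```python
"""Triage Salesforce connected-app OAuth grants after a third-party app incident.

Assumes the grants were pulled with a SOQL query such as
  SELECT Id, AppName, User.Username, UseCount, LastUsedDate FROM OauthToken
through the REST query endpoint. The response below is constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample query response (not real org data).
SAMPLE_RESPONSE = {
    "totalSize": 3,
    "done": True,
    "records": [
        {"Id": "0Ha000000000001", "AppName": "Gainsight Connector",
         "User": {"Username": "integration@example.invalid"},
         "UseCount": 5200, "LastUsedDate": "2025-11-20T03:12:44.000+0000"},
        {"Id": "0Ha000000000002", "AppName": "Data Loader",
         "User": {"Username": "admin@example.invalid"},
         "UseCount": 3, "LastUsedDate": "2025-02-01T10:00:00.000+0000"},
        {"Id": "0Ha000000000003", "AppName": "Salesforce Mobile App",
         "User": {"Username": "sales@example.invalid"},
         "UseCount": 40, "LastUsedDate": "2025-11-19T09:30:00.000+0000"},
    ],
}

def parse_sf_datetime(s):
    # Salesforce timestamps look like 2025-11-20T03:12:44.000+0000 (no colon in the offset).
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")

def triage_tokens(response, allowlist, now, stale_days=90, watch_apps=()):
    """Return (token_id, app, username, reasons) for grants worth reviewing or revoking:
    apps named in a vendor incident, apps missing from the approved allowlist, and
    tokens unused for longer than stale_days. The caller decides what to revoke."""
    findings = []
    for rec in response["records"]:
        app = rec["AppName"]
        reasons = []
        if any(w.lower() in app.lower() for w in watch_apps):
            reasons.append("named in vendor incident")
        if app not in allowlist:
            reasons.append("not on approved app list")
        last_used = parse_sf_datetime(rec["LastUsedDate"])
        idle = now - last_used
        if idle > timedelta(days=stale_days):
            reasons.append(f"unused for {idle.days} days")
        if reasons:
            findings.append((rec["Id"], app, rec["User"]["Username"], reasons))
    return findings
```

Feed it the real query output and your own allowlist; the stale and watch-list hits are the grants to revoke or confirm with their owners first.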

According to DataBreaches.net, ShinyHunters confirmed their involvement and stated that the Salesloft and Gainsight campaigns allowed them to steal data from almost 1000 organizations.

Mandiant’s investigation into the compromise of the Drift platform and its technology integrations revealed that the attackers gained access to the Salesloft GitHub account and to Drift’s AWS environment, from which they apparently stole OAuth tokens for Drift customers’ technology integrations.

Gainsight was one of the many victims of the Salesloft Drift attack, but it is not yet clear whether that earlier breach played a role in the current incident.

