Google Confirms Salesforce & Gainsight Breach: Hackers Exploit Gainsight to Steal Salesforce Data


Major Supply Chain Breach Hits 200 Companies via Salesforce and Gainsight Integrations

Google has officially confirmed a massive supply chain cyberattack affecting over 200 companies that utilize Salesforce. The breach was not executed through a direct vulnerability in Salesforce’s core platform, but rather through a compromised third-party integration provided by Gainsight, a customer success software. According to threat intelligence analysts, hackers managed to steal sensitive data by exploiting the connection between these applications. This incident highlights the growing fragility of the modern software ecosystem, where a single compromised vendor can open the doors to hundreds of other secure networks.

The responsibility for this attack has been claimed by a notorious collective calling themselves "Scattered Lapsus$ Hunters." This group appears to be a convergence of several dangerous cybercriminal gangs, including ShinyHunters and members of Lapsus$. Their method of operation was highly sophisticated; they reportedly gained initial access by leveraging data stolen from a previous hacking campaign targeting Salesloft and Drift. By obtaining valid authentication tokens, the threat actors were able to bypass standard login procedures and move laterally into the Salesforce instances of Gainsight’s customers, effectively impersonating legitimate users to download data.

Following the revelation of the breach, the hacking group released a hit list of high-profile targets they claim to have compromised, including major industry players like Verizon, Docusign, CrowdStrike, and LinkedIn. However, the response from these companies has been mixed. While the hackers claim success, CrowdStrike explicitly denied being affected by the Gainsight issue—though they did admit to terminating a "suspicious insider" recently. Similarly, Verizon and Docusign have stated they have found no evidence of data compromise yet, although Docusign has severed ties with Gainsight integrations out of an abundance of caution.

In response to the crisis, Salesforce has taken immediate defensive action by revoking active access tokens for Gainsight-connected apps to stop the bleeding. Gainsight has also engaged Mandiant, Google’s elite incident response unit, to conduct a forensic analysis. Both Salesforce and Gainsight are emphasizing that the breach originated from the external connection between apps, rather than a flaw in their fundamental infrastructure. This distinction is crucial in the world of cloud security, as it shifts the focus from platform security to the management of third-party permissions and API security.

This incident serves as a grim reminder of the rising trend in "SaaS-to-SaaS" attacks. As companies increasingly rely on interconnected software stacks, attackers are finding it easier to target the "integrations" rather than the fortified core platforms. Security experts note that this represents a new attack surface; hackers no longer need to break down the front door if they can find a side entrance through a trusted partner application. The exploitation of OAuth tokens and third-party privileges is becoming a preferred tactic because it often evades traditional detection tools that trust these established connections.

Looking ahead, the situation may escalate quickly for the victims. The hacking collective has threatened to launch a dedicated website to leak the stolen data and extort the affected companies, a tactic consistent with their previous behavior in the Salesloft incident. This "double extortion" model—stealing data and then threatening to publish it—puts immense pressure on victims to pay up. As investigations by Mandiant and internal security teams continue, the full scope of the data loss and the authenticity of the hackers' claims regarding specific corporate giants will likely become clearer in the coming days.


Actionable Security Insights: Defending Against Token Theft & Supply Chain Attacks

The breach described involves OAuth Token Theft. In this scenario, hackers didn't "hack" Salesforce's walls; they stole a "digital key" (the authentication token) that had already been legitimately issued to a third-party app (Gainsight). To the Salesforce system, the hacker looked exactly like the trusted application.

Here is how organizations can secure their environments against this specific threat:

Audit and Limit OAuth Scopes (Least Privilege)

Many third-party integrations request "Full Access" by default to ensure they work without friction. This is dangerous.

  • Action: Review all "Connected Apps" in your Salesforce Setup.
  • Detail: Ensure apps only have the scopes (permissions) they strictly need. If a marketing app only needs to read contacts, it should not have write/delete permissions or access to financial data.
  • Why: If a token is stolen, the damage is limited only to what that specific token was allowed to do.
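One way to turn the scope review above into a repeatable check, as an added example that is not part of the article: a small audit that compares each Connected App's granted OAuth scopes against a per-category least-privilege policy. The app inventory and the policy table are constructed; the scope names ("full", "api", "id", "refresh_token", "offline_access") are standard Salesforce OAuth scope identifiers.

```python
# Added example: least-privilege audit of Salesforce Connected App OAuth grants.
# Inventory and POLICY are constructed for the demo; scope names are the
# standard Salesforce OAuth scope identifiers.
from dataclasses import dataclass

# Largest scope set each integration category is allowed to hold.
POLICY = {
    "marketing-readonly": {"api", "id"},
    "customer-success":   {"api", "id", "refresh_token"},
    "sso-only":           {"id", "openid"},
}
# "full" grants everything the authorising user can do: never acceptable for an integration.
BROAD = {"full"}
# Scopes that yield long-lived refresh tokens; allowed only where POLICY lists them.
LONG_LIVED = {"refresh_token", "offline_access"}

@dataclass(frozen=True)
class ConnectedApp:
    name: str
    category: str
    scopes: frozenset

def audit(apps):
    """Return (app name, issue, detail) tuples for every policy violation found."""
    findings = []
    for app in apps:
        allowed = POLICY.get(app.category)
        if allowed is None:
            findings.append((app.name, "unknown-category", app.category))
            continue
        if app.scopes & BROAD:
            findings.append((app.name, "broad-scope", "full"))
        long_lived = (app.scopes & LONG_LIVED) - allowed
        if long_lived:
            findings.append((app.name, "long-lived-token", ",".join(sorted(long_lived))))
        excess = app.scopes - allowed - BROAD - LONG_LIVED
        if excess:
            findings.append((app.name, "excess-scope", ",".join(sorted(excess))))
    return findings

# Constructed inventory: one over-privileged app and one compliant app.
SAMPLE_APPS = [
    ConnectedApp("Example CS Tool", "customer-success",
                 frozenset({"full", "refresh_token", "web"})),
    ConnectedApp("Example Mail Sync", "marketing-readonly", frozenset({"api", "id"})),
]

if __name__ == "__main__":
    for name, issue, detail in audit(SAMPLE_APPS):
        print(f"{name}: {issue} ({detail})")
```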

Enforce IP Restrictions on Connected Apps

Salesforce allows you to "lock" specific apps so they can only be accessed from trusted IP addresses (e.g., your corporate VPN or the specific IP range of the vendor).

  • Action: Configure "IP Relaxation" settings to "Enforce IP restrictions" for high-risk integrations.
  • Why: Even if a hacker steals the authentication token, they cannot use it because their computer's IP address will not match the allowed list.

Shorten Session Timeout Values

In many SaaS attacks, hackers rely on "long-lived" tokens that remain valid for days or weeks.

  • Action: Reduce the session timeout for third-party integrations.
  • Why: If a token expires quickly (e.g., every few hours), a stolen token becomes useless to the hacker before they can download massive amounts of data.

Implement SaaS Security Posture Management (SSPM)

Traditional firewalls don't see traffic between two cloud apps (like Salesforce talking to Gainsight).

  • Action: Consider deploying an SSPM solution (like AppOmni, Obsidian, or similar).
  • Why: These tools specifically monitor the "handshakes" between cloud apps. They can alert you immediately if an integration starts behaving strangely, such as downloading an unusual volume of data or accessing records it typically doesn't touch.
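The IP-restriction and SSPM points above describe the same three signals a defender wants on an integration's token use: calls from outside the vendor's known address range, reads of objects the app never touches, and an hourly row count above its baseline. As an added example (not the article's or any vendor's code), the check below runs that logic over constructed event records; the field names are a simplified model, not a real Salesforce event schema, and the baseline values are assumptions.

```python
# Added example: behavioural monitoring of a Connected App's token use.
# Events and BASELINE are constructed; field names are a simplified model.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Per-app baseline (constructed): vendor address range, objects it normally
# reads, and the most rows it is expected to pull in one hour.
BASELINE = {
    "example-cs-app": {
        "allowed_nets": [ip_network("203.0.113.0/24")],
        "objects": {"Account", "Contact", "Case"},
        "max_rows_per_hour": 5000,
    }
}

def check_events(events):
    """Return (alert type, app, detail) tuples for every deviation from baseline.
    Each event is a dict with keys: app, hour, client_ip, object, rows."""
    alerts = []
    rows_per_hour = defaultdict(int)
    for ev in events:
        base = BASELINE.get(ev["app"])
        if base is None:
            alerts.append(("unknown-app", ev["app"], ev["hour"]))
            continue
        ip = ip_address(ev["client_ip"])
        if not any(ip in net for net in base["allowed_nets"]):
            alerts.append(("ip-outside-allowlist", ev["app"], ev["client_ip"]))
        if ev["object"] not in base["objects"]:
            alerts.append(("unusual-object", ev["app"], ev["object"]))
        key = (ev["app"], ev["hour"])
        before = rows_per_hour[key]
        rows_per_hour[key] += ev["rows"]
        # Alert once per hour bucket, at the moment the baseline is crossed.
        if before <= base["max_rows_per_hour"] < rows_per_hour[key]:
            alerts.append(("volume-exceeded", ev["app"], ev["hour"]))
    return alerts

def ev(hour, client_ip, obj, rows, app="example-cs-app"):
    return {"app": app, "hour": hour, "client_ip": client_ip, "object": obj, "rows": rows}

# Constructed events: normal vendor traffic, then a burst from an unexpected
# address that pulls far more rows and touches an object the app never reads.
SAMPLE_EVENTS = [
    ev("09:00", "203.0.113.10", "Account", 800),
    ev("09:00", "203.0.113.10", "Case", 1200),
    ev("10:00", "198.51.100.7", "Contact", 4000),
    ev("10:00", "198.51.100.7", "Opportunity", 3000),
]
```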

Regular "Token Flushes"

  • Action: Periodically revoke all access tokens for third-party apps, forcing users (and the apps) to re-authenticate.
  • Why: This flushes out any dormant attackers who might be holding onto an old, valid token, waiting for the right time to strike.