Salesforce is investigating reports of potential unauthorized access to customer data on its platform through the Gainsight customer success tool. An advisory released by Salesforce today confirmed that the investigation is underway.
In its announcement, Salesforce said, “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.” While the advisory provided limited details, the incident seems to resemble a recent breach involving the Salesloft Drift platform, which affected Salesforce environments across numerous organizations. This earlier incident was associated with the Scattered LAPSUS$ Hunters threat group.
In correspondence with The Cyber Express, representatives of Scattered LAPSUS$ Hunters claimed responsibility for the Gainsight breach. They stated, “Yes, we are responsible for it. Nearly 300 organizations are affected by it.” The Cyber Express, however, maintains a policy of not naming organizations that have not been publicly confirmed as victims of cyberattacks.
Salesforce Identifies Unusual Activity with Gainsight
According to Salesforce’s advisory, the company has detected “unusual activity involving Gainsight-published applications connected to Salesforce.” These applications are installed and managed directly by customers using the Salesforce platform. Salesforce added, “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.”
Importantly, Salesforce stated that there is “no indication” of a vulnerability within the Salesforce platform itself. Instead, the unusual activity appears to stem from the external connections that the Gainsight app maintains with Salesforce. This clarification is crucial for organizations concerned about their data security.
To ensure transparency and assist those affected, Salesforce has directly contacted the customers believed to be impacted by this incident. The company emphasized its commitment to ongoing updates and has invited customers seeking help to reach out through Salesforce Help.
Salesloft Drift Incident’s Connection to Gainsight
While the full scope of the Gainsight-related incident is still being assessed, it mirrors prior security breaches such as the Salesloft Drift incident, which impacted the Salesforce environments of numerous high-profile companies, including tech giants like Google and Cloudflare. This suggests a growing trend in security threats targeting CRM platforms.
The Scattered LAPSUS$ Hunters group has claimed that approximately 760 organizations fell victim to the Salesloft Drift breach, including Gainsight’s own Salesforce environment. This interconnected web of vulnerabilities highlights the importance of robust security measures for organizations utilizing such applications.
The Cyber Express has reached out to Gainsight for additional comments and information regarding this developing situation. Updates will be provided as new details become available, as organizations and users seek clarity on the extent of the breach and its implications.


