Google: Data of two hundred Salesforce customers stolen via Gainsight apps

A major cyberattack has resulted in the theft of data from over 200 Salesforce customers, stemming from compromised Gainsight applications.

Gainsight, a customer success platform, integrates with Salesforce to collect customer data; this integration point was exploited.

The group claiming responsibility is known as “Scattered Lapsus$ Hunters,” also identified as UNC6040 by Google’s Mandiant team. TechCrunch has more information.

Initial access was reportedly gained by compromising a Gainsight customer through a legacy Salesloft Drift chatbot application, leading to the theft of critical tokens.

These stolen tokens, which linked Drift to Salesforce, were then used by UNC6040 to access numerous Salesforce environments and exfiltrate large volumes of sensitive data.

Gainsight itself was among the organizations affected by this widespread data theft, and the attackers are threatening to publish the stolen data if ransoms are not paid.

Salesforce responded swiftly by revoking all access tokens associated with Gainsight applications and removing them from the Salesforce AppExchange.

Affected customers have been notified by Salesforce regarding the breach, highlighting the critical importance of supply chain security in SaaS ecosystems.

Google has also released proactive hardening recommendations to help organizations defend against UNC6040 and similar SaaS compromises. These can be found on the Google Cloud Blog.

These recommendations focus on securing API keys, OAuth tokens, service accounts, and access keys, urging robust management and regular rotation of credentials.

The incident underscores how a compromise in one linked service can cascade, impacting many other entities through interconnected platforms like Salesforce and Gainsight.