Google confirms data breaches of 200 companies post-Gainsight hack.


Google has confirmed that hackers have stolen Salesforce-stored data from more than 200 companies and institutions in a large-scale supply chain hack.

Salesforce disclosed that certain customers’ Salesforce data was breached, though it did not name the specific affected entities. The theft occurred through apps developed by Gainsight to provide client support platforms for other organizations.

The Scale of the Breach

According to TechCrunch, a principal threat analyst from Google Threat Intelligence Group stated that more than 200 potentially impacted Salesforce instances were known. Scattered Lapsus$ Hunters, a hacking group that includes ShinyHunters, later claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Responses from Affected Companies

CrowdStrike’s spokesperson confirmed that their data remained secure. The company stated it had terminated a suspicious insider for allegedly passing information to hackers. Meanwhile, TechCrunch reached out to the mentioned companies. Verizon acknowledged awareness of the unsubstantiated claim without providing evidence; Malwarebytes indicated its security team was actively investigating. Thomson Reuters and Docusign also reported ongoing investigations. Docusign added that no customer data had been compromised after a thorough internal review.

Details on the Hacking Method

Hackers from the ShinyHunters group claimed they gained access to Gainsight through an earlier hack targeting customers of Salesloft, which provided an AI and chatbot-powered marketing platform called Drift. During that breach, authentication tokens were stolen, allowing the hackers to break into Salesforce instances connected via Gainsight.

Actions by Salesforce and Gainsight

Salesforce stated there was no evidence of a vulnerability in its platform and began distancing itself from customer data breaches. Gainsight published updates on their incident page and collaborated with Google’s incident response unit Mandiant for further investigation, focusing on external connections rather than internal vulnerabilities.

As a precautionary measure, Salesforce temporarily revoked access tokens for Gainsight-connected apps. The company expected an ongoing review process. Scattered Lapsus$ Hunters indicated they planned to launch a dedicated website for extorting victims as part of their modus operandi, similar to actions taken after the Salesloft incident in October.
