{"id":3608,"date":"2025-11-21T20:33:53","date_gmt":"2025-11-21T20:33:53","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/11\/21\/new-gainsight-supply-chain-hack-could-affect-salesforce-customers\/"},"modified":"2025-11-21T20:33:53","modified_gmt":"2025-11-21T20:33:53","slug":"new-gainsight-supply-chain-hack-could-affect-salesforce-customers","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/11\/21\/new-gainsight-supply-chain-hack-could-affect-salesforce-customers\/","title":{"rendered":"New Gainsight Supply Chain Hack Could Affect Salesforce Customers"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new cyber incident could have affected Salesforce customer data three months after the Salesloft Drift hack.<\/p>\n<p>On November 20, customer support platform provider Gainsight said it identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector, which allows Gainsight applications to connect to Salesforce.<\/p>\n<p>In a Salesforce security advisory, also published on November 20, the firm noted it had identified unusual activity involving Gainsight-published applications connected to Salesforce.<\/p>\n<p>This prompted the company to revoke access to all Gainsight applications and temporarily remove them from its AppExchange.<\/p>\n<p>Salesforce assessed that malicious activity may have enabled unauthorized access to its customers\u2019 data through the app\u2019s connection.<\/p>\n<p>\u201cThere is no indication that this issue resulted from any vulnerability in the Salesforce platform. 
The activity appears to be related to the app\u2019s external connection to Salesforce,\u201d the Salesforce advisory reads.<\/p>\n<p>Gainsight also disabled its connections with Hubspot and Zendesk as a precautionary measure.<\/p>\n<p>In a later update, the customer support provider said it has engaged Google Cloud-owned Mandiant to assist in the forensic investigation.<\/p>\n<h2><strong>Scattered Lapsus$ Hunters Claim the Gainsight Hack<\/strong><\/h2>\n<p>On the blog DataBreaches.net, the author known as \u2018Dissent\u2019 said they had asked individuals behind the Scattered Spider-ShinyHunters-Lapsus$ collective (sometimes referred to as \u2018Scattered Lapsus$ Hunters\u2019), who confirmed they were responsible for the attack targeting Gainsight.<\/p>\n<p>The threat actors also told Dissent they plan to launch another dedicated leak site if Salesforce does not comply with them.<\/p>\n<p>This data leak site (DLS) will contain the data of the Salesloft and Gainsight campaigns. In total, this amounts to almost 1000 companies, according to the cybercriminal\u2019s claims.<\/p>\n<p>\u201cOnly actual companies, mainly Fortune 500 will be listed or things I feel would be worth it. From the Gainsight campaign the large companies were: Verizon, Gitlab, F5, Sonicwall, and others,\u201d the threat actor told DataBreaches.net.<\/p>\n<p>Finally, the group advertised an upcoming ransomware-as-a-service (RaaS) offering, allegedly launching on November 24.<\/p>\n<p>Ferhat Dikbiyik, chief research and intelligence officer (CRIO) at Black Kite, commented:\u00a0&#8220;Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. 
In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only customer relationship management-layer (CRM) data, mostly business contact info and some Salesforce case text, had been accessed.&#8221;<\/p>\n<p>&#8220;Fast-forward to today, and we\u2019re seeing the same playbook again: OAuth tokens + over-permissioned apps + integrated vendors = a perfect attack chain. This isn\u2019t about one vendor or one platform. This is about how modern software-as-a-service (SaaS) ecosystems operate: wide, connected, and often over-trusted,&#8221; he added.<\/p>\n<p><em>Infosecurity contacted Gainsight for comment but did not receive a response by the time of publication.<\/em><\/p>\n<p><em>Photo credits:\u00a0Jonathan Weiss \/\u00a0gguy \/ Shutterstock.com<\/em><\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new cyber incident could have affected Salesforce customer data three months after the Salesloft Drift hack. On November 20, customer support platform provider Gainsight said it identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector, which allows Gainsight applications to connect to Salesforce. 
In a Salesforce security advisory, also published<\/p>\n","protected":false},"author":2,"featured_media":3609,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3608-a5bc161e-7c12-4f71-804c-61aee125e07b-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3608"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3608\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3609"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}