Hackers Stole Data From 200 Companies in Salesforce Supply Chain Attack

Google just confirmed something terrifying. Over 200 companies got hit in a massive supply chain breach. Their Salesforce data is gone.

This wasn’t a random attack. Hackers exploited a trusted vendor called Gainsight to break into customer support systems across hundreds of organizations. Now those stolen databases are headed to extortion websites.

Let’s break down what happened and why your company might be next.

The Attack Chain Started Months Ago

The breach didn’t start with Gainsight. It began with an earlier hack targeting Salesloft’s Drift platform.

Hackers from the ShinyHunters group stole authentication tokens from Drift customers. Those tokens gave them access to linked Salesforce instances. Then they downloaded everything inside.

Gainsight was among those Drift victims. But here’s the scary part. Once inside Gainsight’s systems, hackers found something far more valuable. They discovered access to 200+ companies that trusted Gainsight with their Salesforce data.

So one breach cascaded into hundreds. That’s the nightmare scenario with supply chain attacks.

Who Got Hit

The hackers claim they breached major tech companies and security firms. Their list includes Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Supply chain attack cascaded from Drift through Gainsight to Salesforce

CrowdStrike denied the breach entirely. They confirmed firing a “suspicious insider” but said customer data stayed secure. That’s a relief for a cybersecurity company.

Docusign ran their own investigation. They found no evidence of compromise. Still, they killed all Gainsight integrations immediately as a precaution. Smart move.

Verizon called the claims “unsubstantiated” without backing that up. Thomson Reuters and Malwarebytes said they’re investigating. Most other companies stayed silent.

Meanwhile, Google’s Threat Intelligence Group confirmed the scale. Austin Larsen, their principal analyst, said they’re tracking over 200 potentially affected Salesforce instances. That’s enormous.

Scattered Lapsus$ Hunters Strike Again

This attack bears the fingerprints of Scattered Lapsus$ Hunters. They’re a loose collective of cybercriminal gangs including ShinyHunters, Scattered Spider, and the original Lapsus$ crew.

These groups specialize in social engineering. They trick employees into handing over access credentials. No sophisticated malware needed. Just phone calls, fake IT support tickets, and convincing lies.

Their track record is brutal. MGM Resorts, Coinbase, DoorDash, and dozens more fell to similar tactics. Now they’re running the same playbook through supply chain vendors.

Plus, they’re not subtle about it. The group announced plans to launch a dedicated extortion website by next week. They’ll publish stolen data there unless victims pay up. They did the same thing after the Salesloft breach in October.

Salesforce Distances Itself From the Mess

Salesforce moved quickly to protect its reputation. They announced the breach but emphasized one critical point. No vulnerability exists in their platform.

Instead, they blamed the apps built by Gainsight. Those apps had external connections that hackers exploited. So Salesforce temporarily revoked all active access tokens for Gainsight-connected applications.

That’s technically accurate. But it doesn’t help the 200+ companies whose data got stolen through Salesforce’s ecosystem. The data lived in Salesforce instances. Customers trusted Salesforce’s security model.

Now those customers face potential extortion and data leaks. Salesforce says they’re notifying affected organizations. But the damage is done.

Gainsight Brings in Mandiant

Gainsight hired Google’s Mandiant incident response team to investigate. That’s the right call. Mandiant handles the biggest enterprise breaches.

Their initial findings match what Salesforce said. The breach originated from external app connections. Not from Gainsight’s core platform or Salesforce infrastructure.

Still, that doesn’t explain how hackers moved laterally from one Gainsight customer to 200+ others. That level of access suggests either poor data isolation or compromised administrative credentials.

Gainsight’s incident page keeps updating. But key questions remain unanswered. How long did hackers have access? What specific data types got stolen? Which customers were affected?

Companies using Gainsight need answers. Fast.

Supply Chain Attacks Keep Winning

Here’s the uncomfortable truth. Supply chain attacks work because trust scales poorly.

Companies vet their direct vendors carefully. But those vendors connect to dozens of other services. Each connection creates new attack surfaces. Each integration expands the blast radius.

Gainsight trusted Salesloft’s Drift platform. That trust got exploited. Then 200+ companies that trusted Gainsight paid the price. One weak link compromised hundreds.

Moreover, most companies have no visibility into their vendors’ vendor relationships. You might audit Gainsight’s security. But did you audit every service Gainsight uses? Probably not.

That’s where attackers find leverage. They target the weakest link in the longest chain. Then they pivot sideways through trusted connections.

What Companies Should Do Now

First, check if you use Gainsight. If yes, assume your Salesforce data was accessed. Start your incident response procedures immediately.

Second, review all third-party app integrations in Salesforce. Disable anything you don’t actively need. Each app is a potential breach vector. Reduce your attack surface.

Third, rotate all Salesforce authentication tokens. Even if you don’t use Gainsight. Hackers could have stolen tokens from other vendors in similar attacks.

Fourth, monitor for unusual data access patterns. Set up alerts for large data exports or unexpected API calls. Detect breaches faster next time.

Finally, inventory your supply chain dependencies. Map which vendors have access to what data. Understand the cascade risks. You can’t protect what you don’t track.
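To make the fourth step concrete, here is an added example (not code from the article, Google, Salesforce or Gainsight) of detection logic run over constructed Salesforce-style API log rows: it flags calls from connected apps that are not on your approved list, single calls that pull an unusually large number of rows, and a client whose total pulled rows inside a short window crosses a threshold. The row layout, app names, user ids and thresholds are all assumptions made up for the example.

```python
"""Flag large exports and unexpected integrations in Salesforce-style API logs.

Assumed row layout (constructed, loosely modeled on Salesforce EventLogFile
'Api' records): timestamp,user_id,client_name,entity,rows_processed
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows; client_name is the connected app making the call.
SAMPLE_LOG = """\
2025-11-20T01:00:05Z,005A1,ApprovedBillingApp,Account,200
2025-11-20T01:03:10Z,005A1,ApprovedBillingApp,Account,150
2025-11-20T02:15:00Z,005B2,CustomerSuccessSync,Contact,20000
2025-11-20T02:16:30Z,005B2,CustomerSuccessSync,Case,35000
2025-11-20T02:17:45Z,005B2,CustomerSuccessSync,Account,18000
2025-11-20T03:40:00Z,005C3,unknown-client-7f3a,Contact,900
"""

# Connected apps the org has actually reviewed and approved (assumed list).
APPROVED_CLIENTS = {"ApprovedBillingApp", "CustomerSuccessSync"}
SINGLE_CALL_LIMIT = 10_000   # rows in one call that count as a bulk export
WINDOW = timedelta(minutes=10)
WINDOW_LIMIT = 50_000        # rows per client inside any WINDOW

def parse_log(text):
    """Parse CSV rows into (timestamp, user, client, entity, rows) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, client, entity, n = line.split(",")
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     user, client, entity, int(n)))
    return rows

def detect(rows):
    """Return alerts as (kind, client, detail, rows) tuples, in time order."""
    alerts = []
    recent = defaultdict(list)  # client -> [(ts, rows)] still inside WINDOW
    for ts, user, client, entity, n in sorted(rows):
        if client not in APPROVED_CLIENTS:
            alerts.append(("unapproved_client", client, user, n))
        if n >= SINGLE_CALL_LIMIT:
            alerts.append(("large_export", client, entity, n))
        q = recent[client] + [(ts, n)]
        recent[client] = q = [(t, r) for t, r in q if ts - t <= WINDOW]
        total = sum(r for _, r in q)
        if total >= WINDOW_LIMIT > total - n:  # fire once per window crossing
            alerts.append(("window_volume", client, "10min", total))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the same rules would run over rows pulled from your org's event logs, with the approved-client set taken from the integration inventory the final step describes.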

The Extortion Website Comes Next Week

The hackers aren’t finished. They plan to launch a dedicated website displaying stolen data from this campaign. That site will pressure victims to pay ransoms.

Some companies will pay. Most won’t. Either way, the data ends up public eventually. That’s how these groups operate.

So affected companies face tough choices. Pay criminals and hope they delete the data? Or refuse and watch customer information leak online?

There’s no good option. Both paths lead to regulatory fines, lawsuits, and reputation damage. The breach already happened. Now it’s just damage control.

Your supply chain vendors hold your most sensitive data. One breach cascades into hundreds. That’s not a bug. It’s the architecture we built.

Time to rethink who you trust with your data. Because these attacks won’t stop. They’re too profitable. And trust scales too well.
