Salesforce alerts users to potential data exposure via Gainsight OAuth apps

Salesforce warns that unusual activity in Gainsight-linked OAuth apps may have enabled unauthorized access to some customers’ Salesforce data.

Salesforce warned of unusual activity involving Gainsight-linked OAuth apps, noting that threat actors may have used these integrations to gain unauthorized access to some customers’ Salesforce data.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” reads the notification published by the company.

The company revoked all Gainsight app tokens and pulled the apps from AppExchange after detecting suspicious external activity. Salesforce said there is no indication that the issue stems from a flaw in its platform; the activity appears to be tied to the app’s external connection to Salesforce.

“Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues,” continues the notification. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”

The company is notifying affected customers; users needing support can contact Salesforce Help.

According to Google GTIG, the new campaign is linked to ShinyHunters, the same group that hit Salesloft Drift in August. DataBreaches.Net reported that ShinyHunters has claimed both waves, saying it stole data from nearly 1,000 organizations.

“Given Salesforce’s history of being targeted by ShinyHunters and its collective associates, DataBreaches reached out to ask ShinyHunters if the Gainsight campaign was their doing. ‘Unfortunately, yes,’ their spokesperson responded, clarifying that the ‘Unfortunately’ was as in ‘it’s unfortunate that this is probably the 3rd of 4th large-scale campaign against Salesforce by the same group again,’” reported DataBreaches.Net. “‘The next DLS will contain the data of the Salesloft and GainSight campaigns,’ they stated, ‘which is, in total, almost 1000 organisations.’

“According to the spokesperson, they plan to launch another dedicated leak site if Salesforce does not comply with them.”

Gainsight said it was among the Salesloft Drift customers hit in the earlier breach, but it’s still unclear whether that incident connects to the current one. In that previous attack, hackers accessed business contact data tied to Salesforce content, including names, work emails, phone numbers, location details, licensing information, and support case text (but no attachments).

Pierluigi Paganini

(SecurityAffairs – hacking, Gainsight)
