

Supply chain nightmare: Major Salesforce breach via Gainsight App impacts over 200 companies

  • Marijan Hassan - Tech Journalist
  • 1 hour ago
  • 2 min read

Atlassian, GitLab, LinkedIn, Verizon Among Firms Targeted as Hackers Exploit Third-Party App Connections and Stolen OAuth Tokens



The digital supply chain has suffered another massive breach, as a third-party application connected to Salesforce was compromised, resulting in unauthorized access to data from over 200 customer instances. The breach, traced to the Gainsight platform, has impacted a wide range of high-profile companies, including Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Malwarebytes, and Verizon.


The attack vector: Stolen OAuth tokens

The hacking group, reportedly associated with the recently formed Scattered LAPSUS$ Hunters (SLH) collective, leveraged a technique seen in a similar breach earlier this year: the compromise of third-party OAuth tokens.


  • Initial compromise: The current incident is reportedly a follow-on attack stemming from the earlier breach of Salesloft's Drift integration. Hackers stole authentication tokens from affected customers, which they then used to pivot into linked systems.


  • The Gainsight link: Gainsight was reportedly a victim of the prior Salesloft/Drift compromise, which gave the hackers a path to compromise Gainsight's own application credentials, effectively creating a second-wave supply chain attack.


  • The damage: The compromised OAuth tokens allowed the threat actors to access the Salesforce instances of any customer who used the Gainsight app, enabling the exfiltration of business data.


Google's Threat Intelligence Group (GTIG) confirmed it is aware of more than 200 potentially affected Salesforce instances in this campaign.


The stolen data typically includes valuable Customer Relationship Management (CRM) data, such as business contact names, emails, phone numbers, licensing information, and support case contents, which can be leveraged for future, highly credible phishing and social engineering attacks.


Containment and lessons learned

In response to the discovery, Salesforce acted quickly to contain the threat:


  • Token revocation: Salesforce revoked all active access and refresh tokens associated with the Gainsight-published applications.

  • AppExchange removal: The affected Gainsight applications were temporarily removed from the Salesforce AppExchange marketplace.

  • Mandiant engagement: Gainsight has engaged the Google Cloud-owned incident response firm Mandiant to assist in the forensic investigation.


This event serves as a critical warning about the risk inherent in SaaS integrations. Organizations are being urged to audit all third-party connected apps in their Salesforce environments immediately, revoke tokens for any unused or suspicious integrations, and implement the principle of least privilege for all service accounts.
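One way to turn that audit advice into a repeatable check, as an added example that is not part of the original article and not a Salesforce or Gainsight tool: the script below runs over a constructed inventory of connected apps and flags those whose tokens should be revoked or whose scopes should be narrowed. The record fields, the publisher names and the 90-day staleness threshold are assumptions; a real export of connected-app usage would need to be mapped onto this shape.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory record, not real Salesforce data. Field names are assumptions.
@dataclass
class ConnectedApp:
    name: str
    publisher: str
    scopes: tuple          # OAuth scopes granted to the app
    last_used: datetime    # most recent access- or refresh-token use
    active_tokens: int     # currently valid access + refresh tokens

def audit_connected_apps(apps, now, compromised_publishers=frozenset(), stale_after_days=90):
    """Return {app_name: [reasons]} for apps that warrant revocation or scope review."""
    findings = {}
    for app in apps:
        reasons = []
        # A compromised publisher means every token it holds may be in attacker hands:
        # revoke all of them, mirroring the response described in the article.
        if app.publisher in compromised_publishers:
            reasons.append("publisher compromised; revoke all access and refresh tokens")
        # Unused integrations are pure exposure with no business value.
        if app.active_tokens and now - app.last_used > timedelta(days=stale_after_days):
            reasons.append(f"no token use in {stale_after_days}+ days; revoke tokens")
        # 'full' grants every data scope the user has; integrations rarely need it.
        if "full" in app.scopes:
            reasons.append("'full' scope granted; narrow to least privilege")
        # Refresh tokens outlive sessions, so a stolen one gives durable access.
        if "refresh_token" in app.scopes and app.active_tokens > 0:
            reasons.append("long-lived refresh tokens outstanding; review on any vendor incident")
        if reasons:
            findings[app.name] = reasons
    return findings

# Constructed sample data with placeholder vendor names.
SAMPLE_NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)
SAMPLE_APPS = [
    ConnectedApp("Customer success sync", "Example Vendor A", ("api", "refresh_token"),
                 SAMPLE_NOW - timedelta(days=2), 3),
    ConnectedApp("Legacy reporting", "Example Vendor B", ("full", "refresh_token"),
                 SAMPLE_NOW - timedelta(days=200), 1),
    ConnectedApp("Read-only dashboard", "Example Vendor C", ("id", "profile"),
                 SAMPLE_NOW - timedelta(days=1), 1),
]

if __name__ == "__main__":
    for name, reasons in audit_connected_apps(SAMPLE_APPS, SAMPLE_NOW, {"Example Vendor B"}).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```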
