Salesforce Gainsight compromise: Early findings and customer guidance
In the wake of Salesforce’s announcement about “unusual activity involving Gainsight-published applications” and the company’s revocation of access and refresh tokens associated with them, Gainsight has been doing a good job keeping customers updated on current investigation findings.
On the status page following the incident, the company confirmed that, as a precautionary measure, the Gainsight app has been temporarily pulled from the HubSpot Marketplace and Zendesk connector access has been revoked.
They have also shared that:
- The suspicious activity Salesforce detected consisted of API calls made through the Gainsight Connected App from non-whitelisted IP addresses.
- Salesforce has yet to confirm data exfiltration from customer instances.
- They haven’t seen attackers sending out phishing emails or using bulk email features.
“At the moment only three orgs are known to be impacted. The Gainsight Salesforce connection should be the only impacted product,” an employee with the company noted earlier today.
Customers should open a support ticket to request the IP ranges/subnets from which Salesforce login events for the Gainsight connector should originate. Customers who want to review API calls should request the Salesforce logs from that company.
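The review described above can be scripted once the expected ranges are in hand. The following is an added illustration, not code from the article, Gainsight or Salesforce: it reads a constructed login-history export, keeps only rows for the Gainsight connected app, and flags logins whose source IP falls outside the expected ranges. The column names and the IP ranges are assumptions (placeholders); the real ranges come from the support ticket.

```python
import csv
import io
import ipaddress

# Constructed sample of a Salesforce login-history export (not real data).
# Column names are assumed; check them against your own export.
SAMPLE_LOGIN_HISTORY = """LoginTime,UserId,Application,SourceIp,Status
2025-11-19T09:12:04Z,005xx000001AbCD,Gainsight,203.0.113.10,Success
2025-11-19T09:40:51Z,005xx000001AbCD,Gainsight,198.51.100.77,Success
2025-11-19T10:02:13Z,005xx000001EfGH,Browser,192.0.2.5,Success
2025-11-19T10:15:30Z,005xx000001AbCD,Gainsight,203.0.113.200,Success
"""

# Placeholder ranges: replace with the subnets Gainsight support provides.
GAINSIGHT_EXPECTED_RANGES = ["203.0.113.0/24"]
CONNECTOR_APP_NAME = "Gainsight"  # assumed label of the connected app in the export


def parse_ranges(cidrs):
    """Turn CIDR strings into network objects once, for repeated membership checks."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_unexpected_connector_logins(csv_text, app_name=CONNECTOR_APP_NAME,
                                     cidrs=GAINSIGHT_EXPECTED_RANGES):
    """Return the login rows for the connector app whose SourceIp is not in cidrs."""
    nets = parse_ranges(cidrs)
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Application"] != app_name:
            continue  # only logins made via the connector app are in scope
        try:
            ip = ipaddress.ip_address(row["SourceIp"].strip())
        except ValueError:
            # Keep malformed rows visible rather than silently dropping them.
            flagged.append({**row, "reason": "unparseable SourceIp"})
            continue
        if not any(ip in net for net in nets):
            flagged.append({**row, "reason": f"{ip} not in expected ranges"})
    return flagged


if __name__ == "__main__":
    for hit in find_unexpected_connector_logins(SAMPLE_LOGIN_HISTORY):
        print(hit["LoginTime"], hit["UserId"], hit["SourceIp"], "->", hit["reason"])
```

Any row the script prints deserves a closer look in the full API logs for that user and time window.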
“Gainsight, Salesforce, and a third-party forensics firm are jointly reviewing all security layers. They will not restore API access until fully cleared,” the employee added.
“Our third-party will issue a formal report and any remediation guidance. Gainsight will likely move to a packaged version of the Connected App to ensure a clean and secure reset. While no one can guarantee absolute protection, we will only turn services back on once fully vetted.”
Affected customers are being notified by Salesforce and Mandiant (the “third-party forensics firm”).
While several things point to the attackers being the ShinyHunters cyber extortion collective – and they confirmed to DataBreaches.net their involvement – an official attribution of the attack has yet to be made.
The group claims to have exfiltrated data from affected Salesforce instances of many companies, including “Verizon, Gitlab, F5, Sonicwall, and others”.