Salesforce says some of its customer data was accessed after the Gainsight hack

Salesforce said Wednesday it was investigating a breach of “Salesforce data for certain customers” that was compromised through applications published by Gainsight, a company that sells a platform to other companies to manage their customers.

In a notice posted late Wednesday, Salesforce said the breaches involved “Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.”

Salesforce said there was “no indication that this issue was caused by any vulnerability in the Salesforce platform,” and that the activity appeared to be related to “Gainsight’s external connection to Salesforce.”

When reached for comment, Salesforce spokeswoman Nicole Aranda referred TechCrunch to the company’s page dedicated to the incident.

As of this writing, Gainsight said on its status page that it was investigating a “Salesforce connectivity issue,” without mentioning any potential breach. “Our internal investigation is ongoing,” Gensite wrote.

A Gainsight spokesperson did not immediately respond to TechCrunch’s request for comment.

On its website, Gainsight touts several enterprise clients, including Airtable, Notion, GitLab, and others. When reached via email, GitLab spokesperson Emily James told TechCrunch, “Gitlab’s security team is investigating and we will get back to you when we have more to share.”

The hacking group ShinyHunters told cybersecurity news site DataBreaches.net that it was behind the hack, adding that if Salesforce didn’t negotiate with them, they would create a new website to advertise stolen data — a common extortion tactic by financially motivated cybercriminals.

“the next [data leak site] “It will contain Salesloft and GainSight campaign data,” the hackers told DataBreaches.net. The hackers claim to have stolen data from nearly a thousand companies.

This data breach appears to be similar to the August breach at marketing chatbot maker Salesloft, which allowed hackers to break into a number of Salesforce instances connected to their customers to steal sensitive data, such as access codes for other services. Victims include insurance giant Allianz Life, Bugcrowd, Cloudflare, Google, fashion group Kering, Proofpoint, airline Qantas, carmaker Stellantis, credit bureau TransUnion, employee management platform Workday, and others.

In the case of the Salesloft hacks, the hacking group Scattered Lapsus$ Hunters, which apparently includes the ShinyHunters gang, claimed responsibility.

Last month, hackers launched a website dedicated to blackmailing victims of abuse, threatening to release a billion records.

At the time, Gainsight confirmed that it was among the victims of breaches linked to Salesloft, but it is unclear whether this new wave of hacks arose from a previous compromise.