Gainsight CEO downplays impact of attack that spread to Salesforce environments

An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.

“While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”

Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.

Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise.

Salesforce identified three impacted customers in the immediate aftermath of the attack, and has since found more confirmed victims, Gainsight said in an update on its community page. Neither company has provided a specific number of known victims.

“There is a distinction between the number of customers who Salesforce identified as having compromised tokens and the handful of customers we presently know had their data affected,” a company spokesperson told CyberScoop Tuesday.

Google Threat Intelligence Group, which is affiliated with Mandiant under Google Cloud’s security apparatus, said it was aware of more than 200 Salesforce instances potentially affected by the Gainsight breach last week. Google hasn’t provided an updated figure since then.

Inconsistencies are common in supply-chain attacks that flow downstream.

Meanwhile, Mandiant is continuing to sift through logs and analyze token behavior and connector activity to provide Gainsight with a more complete view of what occurred and how far attackers were able to use Gainsight customers’ access tokens to breach additional systems.

Gainsight previously said Hubspot, Zendesk and revenue intelligence platform Gong.io also temporarily revoked Gainsight customers’ access tokens “out of an abundance of caution.” The company hasn’t reported any confirmed impact on other systems and Salesforce maintains that the issue did not involve a vulnerability in the Salesforce platform.

The breach and its root cause are strikingly similar to an expansive downstream attack spree that impacted more than 700 customers who integrated Salesloft Drift into Salesforce two months ago.

While Gainsight and Salesforce are both communicating directly with customers, publicly available threat hunting guidance and information about the attacks exist in multiple places.

Salesforce has shared the most comprehensive IOCs, including dates and observed activities for each malicious IP address. The earliest malicious activity linked to the campaign occurred Oct. 23, according to Salesforce.

The company advised customers to review all available logs for potential compromise and noted that the revocation of Gainsight OAuth tokens does not delete customers’ logs or hinder their ability to investigate the incident.

Gainsight, however, said its logs are of less use. “Based on the nature of the logs we retain, many of our clients have not found them to be material in assessing any risk to their organization,” Brent Krempges, chief customer officer at Gainsight, said on its community page. 

“We strongly recommend that you focus your investigation on the Salesforce logs that show authentication attempts and API calls originating from the Gainsight Connected App,” he added. “These Salesforce-side logs are the authoritative source of information for identifying any anomalous access patterns.”

Gainsight also recommended that customers configure IP restrictions for API calls to ensure only legitimate requests are allowed. This security control is manual and requires cooperation from every vendor in the supply chain. Okta said IP restrictions kept its Drift integrations secure and successfully blocked an attempted attack on its Salesforce environment during the widespread incidents in August.
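The two pieces of guidance above, hunt in the Salesforce-side logs for activity from the connected app and restrict API calls by source IP, can be illustrated with a small script. This is an added example, not code from the article, Gainsight, Salesforce or Mandiant. The connected-app label, the allow-listed network, the IOC address and the log rows are all constructed placeholders; the field names are an assumed, simplified stand-in for an exported login-history or API event record, not Salesforce's schema.

```python
"""Hunt over Salesforce-side login/API events for connected-app activity.

Added example. Everything below is constructed: the app label, the allowed
network, the IOC IP and the sample rows. Replace them with the values from
the vendor advisory and your own approved egress ranges.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Placeholders (not from the article): how the connected app is labelled in
# the log, the egress ranges the vendor is approved to call from, and the
# malicious IPs published in the advisory.
CONNECTED_APP = "Gainsight Connected App"
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]
IOC_IPS = {"198.51.100.77"}

# Constructed sample rows shaped like a simplified export of login-history /
# API event records. Field names are assumed, not Salesforce's schema.
SAMPLE_EVENTS = [
    {"time": "2025-10-24T02:11:09Z", "user": "gs-integration@example.com",
     "app": CONNECTED_APP, "ip": "203.0.113.10",
     "op": "login", "status": "Success"},
    {"time": "2025-10-24T02:12:40Z", "user": "gs-integration@example.com",
     "app": CONNECTED_APP, "ip": "198.51.100.77",
     "op": "api:query Account", "status": "Success"},
    {"time": "2025-10-24T02:13:02Z", "user": "gs-integration@example.com",
     "app": CONNECTED_APP, "ip": "192.0.2.55",
     "op": "api:query Contact", "status": "Success"},
    {"time": "2025-10-24T03:00:00Z", "user": "sales.rep@example.com",
     "app": "Lightning", "ip": "198.51.100.77",
     "op": "login", "status": "Success"},
]


@dataclass
class Finding:
    """One suspicious event and every reason it was flagged."""
    event: dict
    reasons: list = field(default_factory=list)


def ip_in_allowlist(ip: str, allowed) -> bool:
    """True when the source IP falls inside one of the approved networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed)


def hunt(events, app=CONNECTED_APP, allowed=ALLOWED_NETWORKS, iocs=IOC_IPS):
    """Flag two patterns the guidance above points at.

    - any event, from any app, whose source IP is a published IOC;
    - any event attributed to the connected app whose source IP is outside
      the ranges the vendor is expected to use.
    """
    findings = []
    for ev in events:
        reasons = []
        if ev["ip"] in iocs:
            reasons.append("ioc_ip")
        if ev["app"] == app and not ip_in_allowlist(ev["ip"], allowed):
            reasons.append("connected_app_ip_outside_allowlist")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


def simulate_ip_restriction(events, app=CONNECTED_APP, allowed=ALLOWED_NETWORKS):
    """Connected-app events that an API IP restriction would have rejected.

    Models the control the article recommends: with the allow-list enforced,
    these requests never reach the data regardless of a valid token.
    """
    return [ev for ev in events
            if ev["app"] == app and not ip_in_allowlist(ev["ip"], allowed)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.event["time"], f.event["ip"], f.event["app"], ",".join(f.reasons))
    blocked = simulate_ip_restriction(SAMPLE_EVENTS)
    print(f"{len(blocked)} connected-app request(s) would be blocked by the IP restriction")
```

The allow-list check matters even when an IOC list is current: a stolen OAuth token presents as the legitimate connected app, so the source IP and the operation are the only signals left on the Salesforce side, which is why the last row (an IOC address under a different app) is still reported.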

Ganapathi, who was named CEO in August, acknowledged that Gainsight is critical to its customers’ daily operations and said the company is personally responsible for ensuring access to its products. The company is helping customers manage their Gainsight Customer Success (CS) instances while its Salesforce connected app is offline, he said.

“The only way we beat these threats is by working together and sharing information and strategies,” Ganapathi said. “That is why I am committing to sharing what we learn from this experience to help everyone in the SaaS community strengthen their defenses and, we hope, avoid going through something similar themselves.”

The post Gainsight CEO downplays impact of attack that spread to Salesforce environments appeared first on CyberScoop.

Hundreds of Salesforce customers hit by yet another third-party vendor breach

Salesforce said yet another breach involving a third-party vendor has compromised customers’ data, warning in a security advisory late Wednesday that it detected unusual activity in Gainsight applications connected to Salesforce customer environments.

“Google Threat Intelligence Group is aware of more than 200 potentially affected Salesforce instances,” Austin Larsen, principal analyst at GTIG, told CyberScoop. 

The breach shares strong similarities to an expansive downstream attack spree that impacted more than 700 customers who integrated Salesloft Drift into Salesforce less than two months ago.

The attacks targeting Gainsight, which bills itself as “customer success” software, and Salesloft Drift customer integrations with Salesforce are also linked to the same threat group or associated cybercriminals. “We assess this is likely the same threat cluster — ShinyHunters or UNC6240 — related to other recent campaigns targeting Salesforce instances, such as UNC6040,” Larsen said.

Salesforce responded to both attacks by revoking access to tokens that allowed customers to connect the third-party services to their Salesforce environments.

“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in the advisory. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”

The company did not say when or how it became aware of the unauthorized activity in customer environments. A Salesforce spokesperson did not provide additional details and said it will update its security page with more information and customer guidance as appropriate.

Organizations impacted by the attack originating in Gainsight’s Salesforce connector are unknown, but the platform has about 1,000 customers, including many well-known enterprises and technology firms.

Gainsight issued its first public alert about Salesforce connection failures on its status page late Wednesday. “We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications,” the company said in an update Thursday.

The company said the Gainsight app has also been “temporarily pulled” from the Hubspot Marketplace, a move that may impact OAuth access for customer connections with that platform. “No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only.”

While broader impact hasn’t been confirmed, the potential scope beyond Salesforce suggests the breach might have compromised any service Gainsight customers connected to the platform. As Google security researchers responded to the Salesloft Drift attacks in August, they determined any user that integrated the AI chat agent platform to another service may have been compromised.

In a twist of irony, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the previous attacks.

Gainsight, which said its internal investigation is ongoing, did not say how its customers’ access tokens may have been compromised. Salesloft ultimately pinned the root cause of the Drift supply-chain attacks to a threat group that gained access to its GitHub account as far back as March, lurking in the Salesloft application environment undetected until it stole data from hundreds of organizations during a 10-day period in mid-August.

Gainsight did not respond to a request for comment.

The post Hundreds of Salesforce customers hit by yet another third-party vendor breach appeared first on CyberScoop.