I'd like to share a remarkable incident. Google indicated that hackers stole data from over 200 firms through an unexpected route: the Gainsight tool that many companies use in conjunction with Salesforce. Surprised? I was too!
Gainsight is a software developer that aids companies in understanding and supporting their customers. Gainsight connects with tools like Salesforce and provides insights to assist in improving customer satisfaction and long-term business growth.
What Happened
Salesforce observed some irregular behavior in apps built by Gainsight that connect with Salesforce accounts. Hackers used these apps to access company data. Salesforce immediately removed the apps and revoked all login tokens to block the hackers from accessing the company data.
According to Google's cybersecurity team, the hack affected more than 200 organizations. The hacking group named Scattered Lapsus$ Hunters (also referred to as ShinyHunters) took credit for the attack.
The list included some notable organizations - Atlassian, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon, among others. CrowdStrike was one of the organizations that stated it was not affected.
Gainsight stated this was not Salesforce's fault. It came from an outside connection to Gainsight. They even hired Mandiant, which is part of Google, to investigate everything.
Why This Matters
This wasn't a direct hack; it was a supply-chain attack, which means the attackers didn't have access to Salesforce directly. They broke into a trusted third-party app to get there, and that complicates things even more.
They were able to steal OAuth tokens (which act much like API keys) that gave the hackers access to the Salesforce accounts. It is like someone finding your spare key and walking in through the front door as if they belonged there, rather than breaking the door down.
Scary, huh?
What the Companies are Doing Now
- Salesforce removed the malicious Gainsight apps and paused access to all affected tokens.
- Gainsight is conducting a thorough investigation with Mandiant.
- Security experts are advising companies to scrutinize every third-party tool they connect to their most important systems (like Salesforce).
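As an added example (not code from this post, from Gainsight or from Salesforce), here is the kind of check such scrutiny boils down to: an audit over a constructed export of connected-app API activity that flags apps missing from an allowlist, apps active for the first time, and an app such as Gainsight's whose data pull suddenly dwarfs its own baseline, which is the sort of "irregular behavior" described above. The record layout, app names, volumes and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like a Salesforce API-event export, as (timestamp,
# connected app, integration user, rows returned); names and volumes are assumptions.
EVENTS = [
    ("2025-11-01T09:00:00", "Gainsight", "cs-integration@example.com", 400),
    ("2025-11-02T09:00:00", "Gainsight", "cs-integration@example.com", 380),
    ("2025-11-03T09:00:00", "Gainsight", "cs-integration@example.com", 420),
    ("2025-11-04T09:00:00", "Gainsight", "cs-integration@example.com", 390),
    ("2025-11-05T02:13:00", "Gainsight", "cs-integration@example.com", 250000),
    ("2025-11-05T02:20:00", "Gainsight", "cs-integration@example.com", 250000),
    ("2025-11-04T10:00:00", "Slack", "ops@example.com", 12),
    ("2025-11-05T03:00:00", "UnknownSyncTool", "cs-integration@example.com", 90000),
]
APPROVED_APPS = {"Gainsight", "Slack"}  # allowlist the security team maintains

def audit_connected_apps(events, approved, now, window_hours=24,
                         baseline_days=7, spike_factor=10):
    """Return {app: [reasons]} for apps that are unapproved, newly active,
    or pulling far more rows in the recent window than their own baseline."""
    window_start = now - timedelta(hours=window_hours)
    baseline_start = window_start - timedelta(days=baseline_days)
    recent, baseline = defaultdict(int), defaultdict(int)
    for ts, app, _user, rows in events:
        when = datetime.fromisoformat(ts)
        if when >= window_start:
            recent[app] += rows
        elif when >= baseline_start:
            baseline[app] += rows
    findings = defaultdict(list)
    for app in sorted(set(recent) | set(baseline)):
        if app not in approved:
            findings[app].append("not on the approved integration list")
        if app not in recent:
            continue  # quiet in the window: nothing to compare against
        daily_avg = baseline[app] / baseline_days
        if daily_avg == 0:
            findings[app].append(f"first activity seen: {recent[app]} rows in last {window_hours}h")
        elif recent[app] > spike_factor * daily_avg:
            findings[app].append(f"{recent[app]} rows in last {window_hours}h vs ~{daily_avg:.0f}/day baseline")
    return dict(findings)

def run_audit():
    """Run the audit over the constructed sample as of a fixed reference time."""
    return audit_connected_apps(EVENTS, APPROVED_APPS, datetime(2025, 11, 5, 12, 0))

if __name__ == "__main__":
    for app, reasons in run_audit().items():
        print(app, "->", "; ".join(reasons))
```

Every flagged app is a candidate for the response described above: review its permissions, and revoke its tokens if the activity cannot be explained.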
My Thoughts
Honestly, that's a wake-up call. Lots of companies trust apps to connect to their primary systems and don't audit them enough. If I were in charge of security I would:
- Audit all app permissions,
- Delete anything extraneous,
- Rotate security tokens often.