A massive supply chain attack has compromised over 200 companies' data stored in Salesforce, with the notorious ShinyHunters collective claiming responsibility for the breach that exploited Gainsight's customer support platform. Google's threat intelligence unit confirms the scope while hackers threaten a new extortion campaign targeting enterprise victims including major tech firms.
The enterprise software world just got hit with its worst supply chain attack in months. Google confirmed Thursday that hackers have stolen Salesforce-stored data from over 200 companies in a sophisticated breach that exploited the customer support platform Gainsight.
The attack sends shockwaves through the enterprise SaaS ecosystem, where companies increasingly rely on interconnected platforms to manage customer relationships. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told TechCrunch that the company "is aware of more than 200 potentially affected Salesforce instances."
Behind the breach stands Scattered Lapsus$ Hunters, the notorious collective that includes the ShinyHunters, Scattered Spider, and Lapsus$ groups. The hackers claimed responsibility in a Telegram channel, boasting about compromising household names including Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
A DocuSign spokesperson reached out to The Tech Buzz following our initial coverage of this story:
"We are aware of ShinyHunters’ claim. Following a comprehensive log analysis and internal investigation, we have no indication of a Docusign data compromise at this time. Out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows. We continue to actively monitor for any suspicious activity and are partnering closely with Salesforce should additional information become available."
But the hack didn't happen overnight. ShinyHunters told TechCrunch they gained Gainsight access through their previous campaign targeting Salesloft customers. That earlier breach allowed them to steal Drift authentication tokens, which then provided keys to linked Salesforce instances. "Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us," the hackers explained.
The domino effect illustrates how deeply interconnected enterprise software has become, and how one compromised link can topple entire chains of corporate data. Gainsight had confirmed being among Salesloft's victims but apparently couldn't prevent the secondary exploitation.