Article Details

Scrape Timestamp (UTC): 2025-11-20 20:37:49.887

Source: https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/

Original Article Text

Another Salesforce-linked data breach has ShinyHunters' fingerprints all over it. They keep coming back for more.

Salesforce has disclosed another third-party breach in which criminals - likely ShinyHunters (again) - may have accessed its customers' data. This time, the suspicious activity involves Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.

"Our investigation indicates this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection," the CRM giant said in a security advisory published late Wednesday. "Per our update, upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues," Salesforce spokesperson Allen Tsai told The Register.

Tsai declined to answer specific questions about the breach, including how many customers were compromised - the company has notified those affected, he said - and who is behind the latest theft of Salesforce customers' data.

"There is no indication that this issue resulted from any vulnerability in the Salesforce platform," Tsai said. "The activity appears to be related to the app's external connection to Salesforce."

Gainsight did not immediately respond to The Register's request for comment.

While Salesforce isn't pointing the finger at a particular threat group, Google Principal Threat Analyst Austin Larsen attributed the activity to ShinyHunters. This is the same criminal crew that breached SalesLoft's Drift application earlier this year and stole a bunch of companies' OAuth tokens, which allowed them access to numerous orgs' Salesforce instances.
"Our team at Google Threat Intelligence Group (GTIG) has observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances," Larsen said in a LinkedIn post on Thursday. Google's Mandiant incident response team is working with Salesforce to notify potentially affected organizations, Larsen added, and urged all companies to "view this as a signal to audit their SaaS environments," including conducting regular reviews of all third-party applications connected to their Salesforce instances. Companies should also "investigate and revoke tokens for unused or suspicious applications," and, upon detecting any anomalous activity, "rotate the credentials immediately," he wrote.
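The audit Larsen recommends (review every third-party app connected to the org, revoke tokens for unused or suspicious ones) can be scripted as a triage pass over a connected-app inventory. The following is an added example, not code from the article or from Salesforce; the app records, the 90-day idle threshold and the "approved" flag are constructed assumptions, and the inventory would in practice be exported from the org's own connected-app and OAuth usage reports.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed inventory of third-party connected apps authorised against one
# Salesforce org (hypothetical records for this example, not Salesforce output).
CONNECTED_APPS = [
    {"app": "Gainsight CS", "publisher": "Gainsight", "last_used": "2025-11-19",
     "scopes": ["api", "refresh_token"], "approved": True},
    {"app": "Slack for Sales", "publisher": "Slack", "last_used": "2025-11-18",
     "scopes": ["api"], "approved": True},
    {"app": "Old Reporting Tool", "publisher": "Acme BI", "last_used": "2025-03-02",
     "scopes": ["api", "refresh_token"], "approved": True},
    {"app": "Quick Export", "publisher": "Unknown Dev", "last_used": "2025-11-17",
     "scopes": ["full", "refresh_token"], "approved": False},
    {"app": "Data Loader", "publisher": "Salesforce", "last_used": "2025-11-19",
     "scopes": ["full", "refresh_token"], "approved": True},
]

COMPROMISED_PUBLISHERS = {"Gainsight"}   # publisher named in the advisory
STALE_AFTER = timedelta(days=90)         # idle-token policy threshold (assumed)
BROAD_SCOPES = {"full"}                  # scopes that warrant a closer look


@dataclass
class Finding:
    app: str
    action: str                          # "revoke" or "review"
    reasons: list = field(default_factory=list)


def audit_connected_apps(apps, today_iso, compromised=COMPROMISED_PUBLISHERS):
    """Return one Finding per app whose tokens should be revoked or reviewed."""
    today = date.fromisoformat(today_iso)
    findings = []
    for rec in apps:
        revoke, review = [], []
        if rec["publisher"] in compromised:
            revoke.append("publisher named in breach advisory")
        if not rec["approved"]:
            revoke.append("not in the approved app inventory")
        idle = today - date.fromisoformat(rec["last_used"])
        if idle > STALE_AFTER:
            revoke.append(f"token unused for {idle.days} days")
        if BROAD_SCOPES & set(rec["scopes"]):
            review.append("holds a broad OAuth scope")
        if revoke:
            findings.append(Finding(rec["app"], "revoke", revoke + review))
        elif review:
            findings.append(Finding(rec["app"], "review", review))
    return findings
```

Apps that only hold a broad scope are queued for review rather than revoked, so that a legitimate integration is not cut off by the audit; everything flagged "revoke" should also have its credentials rotated, as the article advises.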

Daily Brief Summary

DATA BREACH // Salesforce Experiences Another Data Breach Linked to ShinyHunters

Salesforce disclosed a breach involving Gainsight-published applications, potentially compromising customer data through unauthorized access. The breach was linked to third-party app connections rather than Salesforce platform vulnerabilities.

The incident is attributed to ShinyHunters, a group previously involved in similar breaches, including an attack on SalesLoft's Drift application, exploiting OAuth tokens for unauthorized access.

In response, Salesforce revoked all active and refresh tokens for Gainsight applications and temporarily removed them from the AppExchange to mitigate further unauthorized access.

Google's Mandiant incident response team is collaborating with Salesforce to alert affected organizations and recommend auditing SaaS environments for potential vulnerabilities.

Organizations are advised to review third-party applications connected to Salesforce, revoke tokens for unused or suspicious apps, and rotate credentials upon detecting unusual activity.

The breach underscores the importance of robust security practices in managing third-party application connections to prevent unauthorized data access.