A compromised third-party application is all it takes to open the door to customer data.
Salesforce found itself in this situation in August. The affected application — a business-management chatbot — originated from the American publisher Salesloft. The vendor had previously been compromised (GitHub account, then AWS environment) in order to harvest API tokens (OAuth tokens) used by the chatbot to connect to Salesforce.
A similar incident has just occurred with an application from another American publisher: CS (Customer Success), by Gainsight. It counts among its clients, among others, GitLab, Glassdoor, GoTo, Jamf, Notion, Okta, Sonos and Zapier.
Salesforce cut the connection with Gainsight on the morning of November 20. It has not been restored since. Other publishers have followed suit as a precaution, including HubSpot and Zendesk.
As of its latest update, Gainsight estimates that 3 organizations were affected. That is not the view of Google/Mandiant, which is leading the investigation: according to them, more than 200 instances could potentially have been affected. The campaign is possibly the work of affiliates of the ShinyHunters collective.
Gainsight warns that some security rules may need to be manually reactivated once the connection is restored. It also notes that its Gmail and Outlook plug-ins do not function for users connecting through Salesforce.
The campaigns against Salesforce are mounting
Unauthorized access via Salesloft’s chatbot has claimed multiple victims in the IT sector (Boomi, IBM, Nutanix, OpenText, Proofpoint, Pure Storage, Rubrik, Zscaler…). Support tickets have been exposed… and secrets as well.
This incident, combined with others, culminated a few weeks ago in a data leak. Under the banner SLSH (Scattered LAPSUS$ ShinyHunters), cybercriminals threatened to publish data… and to support the ensuing legal actions, particularly for breach of trade secrets.
SLSH had set an ultimatum for October 10. It had also issued one to Red Hat, after the compromise of a GitLab instance tied to its consulting activity (a potential goldmine of infrastructure secrets: inventories, network topologies, playbooks and blueprints, security-audit results…).
The day after the deadline, a few datasets stemming from the Salesforce campaigns were published. The two largest, each containing personal data on about a million people, concerned the airlines Qantas and Vietnam Airlines. An American subsidiary of ENGIE was also among them.
Following this, SLSH announced on its Telegram channel that it would suspend its activities until 2026. It said it would instead focus on FBI and NSA employees, probably in response to the seizure of BreachForums servers.
A few days later, members formalized the “permanent dissolution” of the group after the arrest of several administrators.