Salesforce blocks Gainsight tools while it investigates possible data leak

Salesforce has launched an investigation into what it calls "unusual activity" related to applications developed by Gainsight, which may have led to the exposure of customer data. As a precautionary measure, the company has suspended access to the affected applications while it delves deeper into the situation. According to an update on Salesforce’s status page, certain Gainsight applications—installed and managed by users—might have unintentionally allowed unauthorized access to specific Salesforce data. The company emphasized that it found no evidence indicating that the issue originated from its own platform and is currently assessing the breadth of the activity. Gainsight has acknowledged its cooperation with Salesforce during this probe but has not offered further details. While the full scope of the incident remains uncertain, cybersecurity experts are highlighting a troubling trend: attackers are increasingly targeting the connections between major software-as-a-service (SaaS) platforms. These integrations, designed to facilitate data sharing across systems, can present significant vulnerabilities if not adequately secured. Recent events illustrate this growing concern. Last month, Google revealed a vulnerability in Oracle’s E-Business Suite that potentially impacted over 100 organizations. Earlier this year, Google also reported that attackers had tricked employees at companies using Salesforce into installing compromised versions of Salesforce’s Data Loader tool, granting them access to sensitive information. Jaime Blasco, co-founder of Nudge Security, pointed out that these integrations are becoming prime targets for cybercriminals. He noted on LinkedIn that attackers often circumvent the robust defenses of core platforms by exploiting connected services that have high-level permissions. Blasco remarked to Reuters, "This is the new attack surface." In a related incident, cybercriminals linked to a series of ransomware attacks on UK retailers claimed responsibility for stealing nearly a billion records from a US cloud services provider, Salesforce. Operating under the name Scattered LAPSUS$ Hunters, the group informed Reuters that they accessed vast amounts of personal data by targeting organizations that utilize Salesforce products. This faction appears to be a splinter group of the broader LAPSUS$ gang and has been linked to breaches affecting notable companies such as Marks & Spencer, the Co-op, and Jaguar Land Rover earlier this year. Security experts have noted that this group is monitored by Google’s Threat Intelligence Group, identified as UNC6040, which has previously emphasized the group’s reliance on social engineering tactics to compromise their targets.