Salesforce says some of its customers’ data was accessed after Gainsight breach

Salesforce has announced an investigation into a data breach affecting certain customer accounts, which was reportedly linked to applications published by Gainsight. Gainsight is a platform that aids companies in managing customer relationships. In a statement released on Wednesday, Salesforce confirmed that the breach involved applications connected to its platform, which are installed directly by customers. The tech giant clarified that there is currently no evidence suggesting that the breach was due to any vulnerabilities within the Salesforce platform itself. Instead, it appears to be associated with Gainsight’s external connection to Salesforce services. Nicole Aranda, a spokesperson for Salesforce, directed inquiries to a dedicated page on the company’s website that addresses the incident. In response to the situation, Gainsight has acknowledged that it is investigating a potential issue with its connection to Salesforce, although it did not explicitly mention a breach in its communications. The company stated, "Our internal investigation is ongoing." Gainsight serves a variety of corporate clients, including notable companies such as Airtable, Notion, and GitLab. GitLab has reported that its security team is actively looking into the matter and will provide updates as they gather more information. Meanwhile, the hacking group known as ShinyHunters has claimed responsibility for the breach. They warned that if Salesforce does not engage in negotiations, they would launch a new website to publicize the stolen data, a tactic commonly used in cyber extortion. They allege to have compromised data from nearly a thousand companies. This breach bears similarities to a previous incident involving Salesloft, an AI marketing chatbot provider, where hackers gained access to sensitive data from connected Salesforce accounts. Victims of that breach included prominent firms like Allianz Life, Bugcrowd, and Cloudflare. Gainsight was confirmed as a victim in that earlier breach, raising questions about whether this latest wave of attacks is a continuation of the previous incidents.