A massive supply chain attack has compromised over 200 companies' data stored in Salesforce, with the notorious ShinyHunters collective claiming responsibility for the breach that exploited Gainsight's customer support platform. Google's threat intelligence unit confirms the scope while hackers threaten a new extortion campaign targeting enterprise victims including major tech firms.
The enterprise software world just got hit with its worst supply chain attack in months. Google confirmed Thursday that hackers have stolen Salesforce-stored data from over 200 companies in a sophisticated breach that exploited the customer support platform Gainsight.
The attack sends shockwaves through the enterprise SaaS ecosystem, where companies increasingly rely on interconnected platforms to manage customer relationships. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told TechCrunch that the company "is aware of more than 200 potentially affected Salesforce instances."
Behind the breach stands Scattered Lapsus$ Hunters, the notorious collective that includes ShinyHunters, Scattered Spider, and Lapsus$ groups. The hackers claimed responsibility in a Telegram channel, boasting about compromising household names including Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
A DocuSign spokesperson reached out to The Tech Buzz following our initial coverage of this story:
We are aware of ShinyHunters’ claim. Following a comprehensive log analysis and internal investigation, we have no indication of a Docusign data compromise at this time. Out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows. We continue to actively monitor for any suspicious activity and are partnering closely with Salesforce should additional information become available.
But the hack didn't happen overnight. ShinyHunters told TechCrunch they gained Gainsight access through their previous campaign targeting Salesloft customers. That earlier breach allowed them to steal Drift authentication tokens, which then provided keys to linked Salesforce instances. "Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us," the hackers explained.
The domino effect illustrates how deeply interconnected enterprise software has become - and how one compromised link can topple entire chains of corporate data. Gainsight had confirmed being among Salesloft's victims but apparently couldn't prevent the secondary exploitation.
Corporate damage control kicked into high gear as companies scrambled to assess their exposure. CrowdStrike spokesperson Kevin Benacci insisted the company isn't "affected by the Gainsight issue and all customer data remains secure." The cybersecurity firm even terminated what it called a "suspicious insider" for allegedly passing information to hackers.
Malwarebytes acknowledged its security team is "actively investigating the matter," while Verizon confirmed receiving TechCrunch's inquiry. Most other named victims remained silent at publication time.
Salesforce tried distancing itself from the mess, stating there's "no indication that this issue resulted from any vulnerability in the Salesforce platform." The company temporarily revoked access tokens for Gainsight-connected apps while investigations continue.
Gainsight brought in Google's incident response unit Mandiant to help investigate, confirming the breach "originated from the applications' external connection - not from any issue or vulnerability within the Salesforce platform." The company has been publishing regular updates on its incident page as the forensic analysis continues.
The hackers aren't done yet. Scattered Lapsus$ Hunters announced plans to launch a dedicated extortion website by next week, following their established playbook. In October, they published a similar site after stealing Salesforce data in the earlier Salesloft incident, pressuring victims to pay up or face public data dumps.
This collective has become the enterprise world's biggest nightmare, using social engineering tactics to trick employees into handing over system access. Their trophy case includes MGM Resorts, Coinbase, DoorDash, and now potentially hundreds more through this supply chain attack.
The breach exposes critical vulnerabilities in how enterprise software platforms interconnect and share authentication credentials. When one platform falls, the cascading effects can compromise dozens or hundreds of downstream customers who trusted those integrations to be secure.
This supply chain attack represents a new level of sophistication in enterprise cybercrime, where hackers leverage the interconnected nature of business software to maximize their reach. With over 200 companies potentially compromised and extortion campaigns looming, the breach underscores urgent needs for stronger authentication protocols and supply chain security across the enterprise software ecosystem. Companies relying on third-party integrations face a stark reminder that their security is only as strong as their most vulnerable vendor.