A massive supply chain attack has compromised over 200 companies' data stored in Salesforce, with the notorious ShinyHunters collective claiming responsibility for the breach that exploited Gainsight's customer support platform. Google's threat intelligence unit confirms the scope while hackers threaten a new extortion campaign targeting enterprise victims including major tech firms.
The enterprise software world just got hit with its worst supply chain attack in months. Google confirmed Thursday that hackers have stolen Salesforce-stored data from over 200 companies in a sophisticated breach that exploited the customer support platform Gainsight.
The attack sends shockwaves through the enterprise SaaS ecosystem, where companies increasingly rely on interconnected platforms to manage customer relationships. Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told TechCrunch that the company "is aware of more than 200 potentially affected Salesforce instances."
Behind the breach stands Scattered Lapsus$ Hunters, the notorious collective that includes the ShinyHunters, Scattered Spider, and Lapsus$ groups. The hackers claimed responsibility in a Telegram channel, boasting about compromising household names including Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
But the hack didn't happen overnight. ShinyHunters told TechCrunch they gained Gainsight access through their previous campaign targeting Salesloft customers. That earlier breach allowed them to steal Drift authentication tokens, which then provided keys to linked Salesforce instances. "Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us," the hackers explained.
The domino effect illustrates how deeply interconnected enterprise software has become, and how one compromised link can topple entire chains of corporate data. Gainsight had confirmed being among Salesloft's victims but apparently couldn't prevent the secondary exploitation.
Corporate damage control kicked into high gear as companies scrambled to assess their exposure. CrowdStrike spokesperson Kevin Benacci insisted the company isn't "affected by the Gainsight issue and all customer data remains secure." The cybersecurity firm even terminated what it called a "suspicious insider" for allegedly passing information to hackers.
Malwarebytes acknowledged its security team is "actively investigating the matter," while Verizon confirmed receiving TechCrunch's inquiry. Most other named victims remained silent at publication time.











