Article Details
Scrape Timestamp (UTC): 2025-11-21 19:29:35.802
Source: https://www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/
Original Article Text
ShinyHunters 'does not like Salesforce at all,' claims the crew accessed Gainsight 3 months ago. 'I have compromised other known OAuth apps,' Shiny tells The Reg.

EXCLUSIVE ShinyHunters has claimed responsibility for the Gainsight breach that allowed the data thieves to snarf data from hundreds more Salesforce customers.

In messages sent to The Register, a member of the extortionist crew said they gained access to Gainsight during the Salesloft Drift hack earlier this year: "We've had access to Gainsight for nearly 3 months."

"The data from Salesloft Drift breached has enabled entry points into so many systems. Very lucrative systems," a member of the cyber-gang claiming to be Shiny told The Register. "I do not like Salesforce at all, would be nice if they stopped acting all high and mighty and just pay to fix this mess."

Gainsight did not respond to The Register's inquiries.

The saga started back in March, when the intruders gained access to a Salesloft GitHub account and stole OAuth tokens from Salesloft Drift's integration with Salesforce. Drift, a third-party application used to automate sales processes, integrates with Salesforce via connected-app APIs to help manage leads and coordinate pitches, and compromising these OAuth security tokens allowed the data thieves to silently steal a ton of Salesforce customer data.

According to ShinyHunters, they also gained access to Gainsight during the Drift breaches. Gainsight is a customer success platform that also integrates with Salesforce and several other CRMs, including HubSpot, as well as support tools like Zendesk.

In a Friday alert, Gainsight said it brought on Google's Mandiant incident responders to assist with its ongoing investigation. "We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce," the company said, noting that the "activity under investigation originated from the applications' external connection — not from any issue or vulnerability within the Salesforce platform."

Salesforce on Wednesday said it "revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues."

Zendesk also revoked its connector access to Gainsight, "as a precaution," and on Thursday, the Gainsight app was "temporarily pulled from the HubSpot Marketplace as a precautionary measure," Gainsight said in an earlier update. "This may also impact OAuth access for customer connections while the review is taking place."

Salesforce on Friday morning declined to comment beyond its Thursday advisory.

Google Threat Intelligence Group's principal analyst Austin Larsen previously told The Register that the breach "is likely related to UNC6240 (aka ShinyHunters)," and that Google is "aware of more than 200 potentially affected Salesforce instances." And, according to ShinyHunters, it dates back to the crooks gaining access to the Salesloft GitHub account.

While we still don't know how the intruders gained access to the GitHub account, once they got it, they snooped around Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. They then used these stolen OAuth tokens to break into several companies' Salesforce instances and steal customer data.

"I have compromised other known OAuth apps," the individual claiming to be Shiny told The Register. "Gainsight was just a test to probe how much monitoring there is now." Salesforce detected the unauthorized activity "pretty quickly," about a week or two after the initial intrusion, they added.

"All we can say regarding correspondence at the moment is that we've contacted Salesforce, cannot elaborate any further at this time."

ShinyHunters is part of the crime collective that rage-quit the internet last month, but now claims to be back in action and recruiting nefarious insiders at major enterprises, according to a Friday Telegram post.

Salesforce previously told The Register it would not pay a ransom demand to ShinyHunters: "Salesforce will not engage, negotiate with, or pay any extortion demand," spokesperson Allen Tsai said.
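Added here as an illustration (not code from The Register, Salesforce or Gainsight): a tenant-side audit of the kind the token theft described above calls for, run over a constructed log of connected-app OAuth token use, flagging a token whose calls suddenly come from a new address or pull far more records than its own baseline, and building the revocation set. The record layout, app names and IP addresses are assumptions, not Salesforce's real token or event schema.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass(frozen=True)
class TokenUse:
    app: str        # connected app that holds the OAuth token
    user: str       # integration user the token acts as
    ts: datetime    # time of the API call
    rows: int       # records returned by the call
    src: str        # source IP of the call (constructed value)

# Constructed sample: a week of routine small syncs from one address, then a
# burst of bulk pulls from an address never seen during the baseline week.
SAMPLE = [TokenUse("Vendor CS App", "svc-cs", datetime(2025, 8, d, 3), 150, "203.0.113.10") for d in range(1, 8)]
SAMPLE += [TokenUse("Vendor CS App", "svc-cs", datetime(2025, 8, 8, h), 50_000, "198.51.100.7") for h in (1, 2, 3)]
SAMPLE += [TokenUse("Chat Bot", "svc-chat", datetime(2025, 8, d, 9), 20, "203.0.113.20") for d in range(1, 9)]

def _daily_rows(group):
    """Total records pulled per calendar day for one group of calls."""
    return [sum(u.rows for u in group if u.ts.date() == d) for d in {u.ts.date() for u in group}]

def flag_anomalies(uses, baseline_days=7, ratio=10):
    """Return {(app, user): [reasons]} for tokens whose later use departs from their baseline-window use."""
    by_token = defaultdict(list)
    for u in uses:
        by_token[(u.app, u.user)].append(u)
    flagged = {}
    for token, calls in by_token.items():
        calls.sort(key=lambda u: u.ts)
        cutoff = calls[0].ts.date().toordinal() + baseline_days
        base = [u for u in calls if u.ts.date().toordinal() < cutoff]
        later = [u for u in calls if u.ts.date().toordinal() >= cutoff]
        if not base or not later:
            continue  # nothing to compare yet
        reasons = []
        new_src = {u.src for u in later} - {u.src for u in base}
        if new_src:
            reasons.append(f"new source {sorted(new_src)}")
        if max(_daily_rows(later)) > ratio * median(_daily_rows(base)):
            reasons.append("volume spike")
        if reasons:
            flagged[token] = reasons
    return flagged

def revocation_list(uses, compromised_apps):
    """Tokens to revoke: every token of a named compromised app plus every token flag_anomalies() reports."""
    named = {(u.app, u.user) for u in uses if u.app in compromised_apps}
    return named | set(flag_anomalies(uses))
```

In a real tenant the input would come from the platform's own OAuth token and API event exports, and the returned set would drive the access/refresh token revocation the vendors describe.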
Daily Brief Summary
ShinyHunters claimed responsibility for a breach affecting Gainsight and hundreds of Salesforce customers, exploiting OAuth tokens from a Salesloft GitHub account compromise.
The breach allowed unauthorized access to Salesforce customer data through compromised OAuth tokens, affecting integrations with third-party applications like Gainsight and Drift.
Salesforce swiftly revoked access and refresh tokens for Gainsight applications and temporarily removed them from the AppExchange to mitigate further unauthorized access.
Gainsight enlisted Google's Mandiant for incident response, emphasizing the breach originated from external application connections rather than Salesforce platform vulnerabilities.
Zendesk and HubSpot also took precautionary measures by revoking connector access and pulling Gainsight apps from their marketplaces during the investigation.
Google Threat Intelligence Group linked the breach to UNC6240, with over 200 Salesforce instances potentially affected, highlighting the widespread impact of the OAuth token compromise.
Salesforce maintained its stance against paying ransom demands, reinforcing its policy of not engaging with extortionists.