Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack.
On Thursday, Salesforce disclosed a breach of “certain customers’ Salesforce data” (without naming affected companies) that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.
In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company “is aware of more than 200 potentially affected Salesforce instances.”
After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen.
The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
Google wouldn’t comment on specific victims.
CrowdStrike’s spokesperson Kevin Benacci told TechCrunch in a statement that the company is “not affected by the Gainsight issue and all customer data remains secure.” CrowdStrike confirmed to TechCrunch that it terminated a “suspicious insider” for allegedly passing information to hackers.
TechCrunch reached out to all the companies mentioned by Scattered Lapsus$ Hunters. A spokesperson for Verizon acknowledged receipt of our email.
Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company’s security team is “aware” of the Gainsight and Salesforce issues and “actively investigating the matter.”
At the time of publishing, none of the other companies responded to requests for comment.
Hackers with the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their linked Salesforce instances and download their contents.
At the time, Gainsight confirmed it was among the victims of that hacking campaign.
“Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us,” a spokesperson for the ShinyHunters group told TechCrunch.
Salesforce spokesperson Nicole Aranda told TechCrunch that “as a matter of policy, Salesforce doesn’t comment on specific customer issues.”
Gainsight didn’t respond to TechCrunch’s requests for comment.
On Thursday, Salesforce said there’s “no indication that this issue resulted from any vulnerability in the Salesforce platform,” effectively distancing itself from its customers’ data breaches.
Gainsight has been publishing updates about the incident on its incident page. On Friday, the company said that it’s now working with Google’s incident response unit Mandiant to help investigate the breach, that the incident in question “originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform,” and that “a forensic analysis is continuing as part of a comprehensive and independent review.”
“Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues,” according to Gainsight’s incident page, which said Salesforce is notifying affected customers whose data was stolen.
In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is the group’s modus operandi; in October, the hackers also published a similar extortion website after stealing victims’ Salesforce data in the Salesloft incident.
The Scattered Lapsus$ Hunters is a collective of English-speaking hackers made up of several cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into granting the hackers access to their systems or databases. In the last few years, these groups have claimed several high-profile victims, such as MGM Resorts, Coinbase, DoorDash, and more.