Salesforce cuts off access to third-party app after discovering ‘unusual activity’

Cloud giant Salesforce warned customers of a potential data breach on Wednesday evening after discovering “unusual activity” related to a third-party application called Gainsight. 

Salesforce posted a message on its website saying an investigation revealed that the activity “may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.” 

Gainsight is a platform built to help customers track sales data and customer information. Salesforce said once the activity was detected, it “revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange” while the investigation continues.

“There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce,” the company said. “We have notified known affected customers directly and will continue to provide updates as appropriate.”

On a Gainsight status update page, the company said it was working with Salesforce while they investigated the incident. 

The company noted that the app was pulled from Hubspot “as a precautionary measure.”

“We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only,” Gainsight explained.

Salesforce and Gainsight did not respond to requests for comment, but the situation bears similarities to one that occurred over the summer, where another third-party app typically connected to Salesforce instances was used to steal data by a prominent cybercriminal organization. 

The same hackers behind those attacks came forward on Thursday evening, telling news outlet BleepingComputer that they were behind the breach of Gainsight and used their access to steal data from 284 organizations. 

The group told the news outlet it lost its access to Gainsight today but was able to steal some amount of information. 

The hackers, allegedly tied to the Scattered Spider and ShinyHunter cybercriminal operations, conducted dozens of high-profile, damaging cyberattacks on the insurance, retail and aviation industries. 

The group later tried to extort 39 of the victim companies but the FBI allegedly took down an extortion site the hackers created. Several members of the group were arrested and charged by law enforcement agencies in the U.S. and U.K.