Salesforce has released a new security advisory informing customers that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.”
According to Salesforce, this activity may have enabled unauthorized access to certain customers’ Salesforce data through Gainsight, customer service management software.
What’s Happened?
In the latest Trust Status update, Salesforce has detailed that it is investigating suspicious activity involving applications published through Gainsight, as it may have led to a possible data breach. These apps are installed and managed directly by customers.
An update on Gainsight’s Community forum has revealed that Salesforce detected API calls using the Gainsight Connected App coming from non-whitelisted IPs. At present, only three orgs are known to have been impacted, and there is no further indication of a wider compromise.
Jaime Blasco, the cofounder of Nudge Security, said that this kind of breach forms part of a new wave of security attacks.
“This follows the same pattern we saw in the Drift/Salesloft incident: attackers don’t need to breach the core platform when they can compromise an integration with privileged access,” he wrote on LinkedIn. “Modern SaaS security has to include continuous visibility and governance over every app, integration, and token connected to your environment. This is the new perimeter.”
Brian Soby, the CTO and co-founder at AppOmni, shares similar sentiments.
“The Gainsight breach closely resembles other SaaS supply-chain compromises we’ve seen in recent years,” he told Salesforce Ben. “Given how successful those earlier attacks were, it isn’t surprising that attackers reused similar techniques.”
“Adding to the challenge, Salesforce has stated that it deleted tokens issued to Gainsight. While well-intentioned, that action also removed the records customers rely on to determine which of their users had granted OAuth access to Gainsight, which is the first step in conducting a proper investigation.”
“More broadly, this incident highlights persistent weaknesses in SaaS supply-chain security. The scale of the Gainsight compromise underscores that many organizations did not apply the lessons they should have learned from Drift, leaving large portions of their SaaS supply chain exposed.”
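The two signals mentioned above, connected-app API calls arriving from IPs outside the integration vendor’s allowlist, and the record of which users granted OAuth access to the app, are the kind of thing an admin can check from their own exports. The block below is an added example and is not Salesforce’s, Gainsight’s, or AppOmni’s code; the column names, the sample rows and the allowlist range are constructed for illustration and do not represent the real Salesforce event-log schema or Gainsight’s actual egress addresses.

```python
"""Added example (not vendor code): two defensive checks over exported
connected-app activity. Column names and sample rows are constructed and
are NOT the real Salesforce EventLogFile schema."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: API-event rows as an admin might export. Hypothetical columns.
API_EVENTS_CSV = """timestamp,user,connected_app,client_ip,operation
2025-11-19T08:01:10Z,alice@example.com,Gainsight,203.0.113.10,query
2025-11-19T08:02:44Z,bob@example.com,Gainsight,198.51.100.77,query
2025-11-19T08:03:01Z,carol@example.com,OtherApp,198.51.100.78,query
2025-11-19T08:05:30Z,alice@example.com,Gainsight,203.0.113.22,bulkexport
"""

# Constructed sample: OAuth grant records (which user authorised which app).
OAUTH_GRANTS_CSV = """user,connected_app,granted_at
alice@example.com,Gainsight,2025-03-01T10:00:00Z
bob@example.com,Gainsight,2025-06-12T09:30:00Z
carol@example.com,OtherApp,2025-07-02T11:15:00Z
"""

# Hypothetical allowlist: the ranges the integration vendor says it calls from.
GAINSIGHT_ALLOWLIST = ["203.0.113.0/24"]


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def ip_allowed(ip, allowlist):
    """True if `ip` falls inside any CIDR range in `allowlist`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def flag_non_allowlisted_calls(rows, app, allowlist):
    """Return API events made via `app` whose source IP is outside the allowlist.
    This is the signal described in the advisory: a connected app's token
    being used from somewhere the vendor should not be calling from."""
    return [
        r for r in rows
        if r["connected_app"] == app and not ip_allowed(r["client_ip"], allowlist)
    ]


def grant_snapshot(rows, app):
    """Sorted list of users who granted OAuth access to `app`.
    Capture this BEFORE tokens are revoked: once the tokens are gone, so is
    the easiest record of who had authorised the integration."""
    return sorted(r["user"] for r in rows if r["connected_app"] == app)


def summarize_by_user(flagged):
    """Group flagged events by user so each account can be reviewed in turn."""
    by_user = defaultdict(list)
    for r in flagged:
        by_user[r["user"]].append(r["operation"])
    return dict(by_user)


if __name__ == "__main__":
    events = load_rows(API_EVENTS_CSV)
    suspicious = flag_non_allowlisted_calls(events, "Gainsight", GAINSIGHT_ALLOWLIST)
    print("Calls from outside the allowlist:", summarize_by_user(suspicious))
    print("Users who granted Gainsight access:",
          grant_snapshot(load_rows(OAUTH_GRANTS_CSV), "Gainsight"))
```

Run against a real export, the allowlist would come from the vendor’s published address ranges and the grant snapshot should be saved before any token revocation, so the investigation still has its starting point afterwards.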
Revoked Access
As a result, the CRM giant has now revoked all active access and refresh tokens associated with Gainsight-published apps connected to it and temporarily removed those applications from the AppExchange whilst it continues to investigate the matter.
Much as with the data breaches earlier this year, Salesforce insists that there is “no indication that this issue resulted from any vulnerability in the Salesforce platform”, and that the activity instead appears to relate specifically to the app’s external connection.
Gainsight has said on its website that an internal investigation is underway to work out the root cause of the problem. Mandiant, a cybersecurity company, has been called in to assist in the investigation.
The CSM vendor also noted that, as a precautionary measure, access for Gainsight apps may have been restricted or revoked by other providers such as HubSpot and Zendesk.
What Do I Need to Do?
So far, no new information beyond the advisory has been released. Salesforce has stated that it has already notified affected customers directly and will continue to provide updates as necessary.
Final Thoughts
There is no evidence that this potential breach will have the same impact as the Salesloft Drift breach, but we will continue to report as we receive more information.
Have you been affected by this story? Reach out to us anonymously or not at tips@salesforceben.com.