Salesforce alerts users to potential data exposure via Gainsight OAuth apps

Salesforce warns that unusual activity in Gainsight-linked OAuth apps may have enabled unauthorized access to some customers’ Salesforce data.

Salesforce warned of unusual activity involving Gainsight-linked OAuth apps, noting that threat actors may have used these integrations to gain unauthorized access to some customers’ Salesforce data.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” reads the notification published by the company.

The company revoked all Gainsight app tokens and pulled the apps from AppExchange after detecting suspicious external activity. Salesforce confirmed that no platform flaw was found. The activity is tied to the app’s external connection to Salesforce.

“Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues,” continues the notification. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”

The company is notifying affected customers; users needing support can contact Salesforce Help.

According to Google GTIG, the new campaign is linked to ShinyHunters, the same group that hit Salesloft Drift in August. DataBreaches.Net reported that ShinyHunters has claimed both waves and that they stole data from nearly 1,000 organizations.

“Given Salesforce’s history of being targeted by ShinyHunters and its collective associates, DataBreaches reached out to ask ShinyHunters if the Gainsight campaign was their doing. ‘Unfortunately, yes,’ their spokesperson responded, clarifying that the ‘Unfortunately’ was as in ‘it’s unfortunate that this is probably the 3rd of 4th large-scale campaign against Salesforce by the same group again,’” reported DataBreaches.Net. “‘The next DLS will contain the data of the Salesloft and GainSight campaigns,’ they stated, ‘which is, in total, almost 1000 organisations.’

“According to the spokesperson, they plan to launch another dedicated leak site if Salesforce does not comply with them.”

Gainsight also fell victim in the earlier Salesloft attack, though its connection to the new incident remains unclear.

Gainsight said it was among the Salesloft Drift customers hit in the earlier breach, but it’s still unclear whether that incident connects to the current one. In that previous attack, hackers accessed business contact data tied to Salesforce content, including names, work emails, phone numbers, location details, licensing information, and support case text (but no attachments).

Pierluigi Paganini

(SecurityAffairs – hacking, Gainsight)