{"id":700490,"date":"2025-11-22T18:55:17","date_gmt":"2025-11-22T15:55:17","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/google-says-hackers-stole-data-from-200-companies-following-gainsight-breach-2\/"},"modified":"2025-11-22T18:55:17","modified_gmt":"2025-11-22T15:55:17","slug":"google-says-hackers-stole-data-from-200-companies-following-gainsight-breach-2","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/google-says-hackers-stole-data-from-200-companies-following-gainsight-breach-2\/","title":{"rendered":"Google says hackers stole data from 200 companies following Gainsight breach"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a3d818ad7d2b\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a3d818ad7d2b\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/google-says-hackers-stole-data-from-200-companies-following-gainsight-breach-2\/#Contact_Us\" >Contact Us<\/a><\/li><\/ul><\/nav><\/div>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack.<\/p>\n<p class=\"wp-block-paragraph\">On Thursday, Salesforce disclosed a breach of \u201ccertain customers\u2019 Salesforce data\u201d \u2014 without naming affected companies \u2014 that was stolen via <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>s published by Gainsight, which provides a customer support platform to other companies.\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company \u201cis aware of more than 200 potentially affected Salesforce instances.\u201d<\/p>\n<p class=\"wp-block-paragraph\">After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, Linkedin, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.<\/p>\n<div class=\"article-block block--callout block--right has-green-500-background-color\">\n<h4 class=\"block--callout__title\"><span class=\"ez-toc-section\" id=\"Contact_Us\"><\/span>Contact Us<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\t\t\tDo you have more information about these Salesforce and Gainsight data breaches? Or other data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.\t\t<\/p><\/div>\n<p class=\"wp-block-paragraph\">Google would not comment on specific victims.<\/p>\n<p class=\"wp-block-paragraph\">CrowdStrike\u2019s spokesperson Kevin Benacci told TechCrunch in a statement that the company is \u201cnot affected by the Gainsight issue and all customer data remains secure.\u201d CrowdStrike confirmed to TechCrunch that it terminated a \u201csuspicious insider\u201d for allegedly passing information to hackers.<\/p>\n<p class=\"wp-block-paragraph\">TechCrunch reached out to all the companies mentioned by Scattered Lapsus$ Hunters. <\/p>\n<p class=\"wp-block-paragraph\">Verizon spokesperson Kevin Israel said in a statement that \u201cVerizon is aware of the unsubstantiated claim by the threat actor,\u201d without providing evidence for this claim. <\/p>\n<p class=\"wp-block-paragraph\">Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company\u2019s security team is \u201caware\u201d of the Gainsight and Salesforce issues and \u201cactively investigating the matter.\u201d<\/p>\n<p class=\"wp-block-paragraph\">A spokesperson for Thomson Reuters said the company is \u201cactively investigating.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Michael Adams, the chief information security officer at Docusign told TechCrunch in a statement that \u201cfollowing a comprehensive log analysis and internal investigation, we have no indication of Docusign data compromise at this time.\u201d However, Adams said that, \u201cout of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows.\u201d<\/p>\n<p class=\"wp-block-paragraph\">At the time of publishing, none of the other companies responded to requests for comment.<\/p>\n<p class=\"wp-block-paragraph\">Hackers with the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their linked Salesforce instances and download their contents.<\/p>\n<p class=\"wp-block-paragraph\">At the time, Gainsight <a rel=\"nofollow\" target=\"_blank\" href=\"http:\/\/gainsight.com\/security\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">confirmed<\/a> it was among the victims of that hacking campaign.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cGainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us,\u201d a spokesperson for the ShinyHunters group told TechCrunch.<\/p>\n<p class=\"wp-block-paragraph\">Salesforce spokesperson Nicole Aranda told TechCrunch that \u201cas a matter of policy, Salesforce does not comment on specific customer issues.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Gainsight did not respond to TechCrunch\u2019s requests for comment.<\/p>\n<p class=\"wp-block-paragraph\">On Thursday, Salesforce <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/status.salesforce.com\/generalmessages\/20000233\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">said<\/a> there is \u201cno indication that this issue resulted from any vulnerability in the Salesforce platform,\u201d effectively distancing itself from its customers\u2019 data breaches.<\/p>\n<p class=\"wp-block-paragraph\">Gainsight has been publishing updates about the incident <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/status.gainsight.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">on its incident page<\/a>. On Friday, the company said that it is now working with Google\u2019s incident response unit Mandiant to help investigate the breach, that the incident in question \u201coriginated from the applications\u2019 external connection \u2014 not from any issue or vulnerability within the Salesforce platform,\u201d and that \u201ca forensic analysis is continuing as part of a comprehensive and independent review.\u201d<\/p>\n<p class=\"wp-block-paragraph\">\u201cSalesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues,\u201d according to Gainsight\u2019s incident page, which said Salesforce is notifying affected customers whose data was stolen.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is the group\u2019s modus operandi; in October, the hackers also published a similar extortion website after stealing victims\u2019 Salesforce data in the Salesloft incident.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The Scattered Lapsus$ Hunters is a collective of English-speaking hackers made up of several cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">social<\/a> engineering tactics to trick company employees into granting the hackers access to their systems or databases. In the last few years, these groups have claimed several high-profile victims, such as MGM Resorts, Coinbase, DoorDash, and more.<\/p>\n<p class=\"wp-block-paragraph\"><em>This story was updated to include comments from Docusign, Thomson Reuters, and Verizon.<\/em><\/p>\n<\/div>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMN63nwsw68G3Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" target=\"_blank\" >Technology<\/a><\/span> category.<\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techcrunch.com\/2025\/11\/21\/google-says-hackers-stole-data-from-200-companies-following-gainsight-breach\/\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack. On Thursday, Salesforce disclosed a breach of \u201ccertain customers\u2019 Salesforce data\u201d \u2014 without naming affected companies \u2014 that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.\u00a0\u00a0&#8230;<\/p>\n","protected":false},"author":1,"featured_media":700491,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/techcrunch.com\/wp-content\/uploads\/2024\/06\/GettyImages-1125951338.jpg?resize=1200,900","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[152216,70375,72458,159715,70944,70513,130762,159714,152844,72287,159716],"class_list":["post-700490","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-cyberattack","tag-cybersecurity","tag-data-breach","tag-gainsight","tag-hackers","tag-hacking","tag-salesforce","tag-scattered-lapsus-hunters","tag-scattered-spider","tag-security","tag-shinyhunters"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/700490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=700490"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/700490\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/700491"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=700490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=700490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=700490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}