UPDATED 18:26 EST / NOVEMBER 21 2025

SECURITY

Gainsight breach compromises major tech firms’ Salesforce instances

A breach at software provider Gainsight Inc. may have compromised the data of more than 200 Salesforce Inc. customers, including several large tech firms.

The cyberattack was disclosed by Salesforce late Wednesday. Today, a Google LLC cybersecurity researcher told TechCrunch that the search giant “is aware of more than 200 potentially affected Salesforce instances.” Atlassian Corp., Verizon Communications and GitLab Inc. are believed to be among the affected organizations.

Gainsight is owned by Vista Equity Partners, which reportedly paid $1.1 billion for the company in 2020. It sells a cloud platform that organizations can use to track their customer engagement efforts. The platform maintains a chronological database of activities such as client onboarding sessions.

Gainsight’s platform also helps companies collect customer behavior data. It tracks metrics such as the number of users who adopt a newly released application feature. The platform can enrich the data it collects with records from a company’s Salesforce instance, as well as make information available to employees via a Slack bot.

The hackers behind this week’s breach compromised the connection through which Gainsight integrates with Salesforce instances. Before disclosing the incident on Wednesday, Salesforce disabled the connection. It also temporarily removed Gainsight from its AppExchange marketplace of third-party software products.

“There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” Salesforce told customers in a security advisory.

In a memo published today, Gainsight disclosed that it has hired Google’s Mandiant cybersecurity services unit to help it remediate the incident. The company was reportedly compromised during an August breach of another software provider called Salesloft Inc. That incident saw the Scattered Lapsus$ Hunters cybercrime collective breach hundreds of Salesforce environments.

The August cyberattack targeted Salesloft’s Drift chatbot. The tool uses artificial intelligence to answer questions from users who visit a company’s website, as well as estimate how likely they are to make a purchase. Drift can sync the buyer data it collects to Salesforce via an OAuth integration.

Scattered Lapsus$ Hunters compromised Drift by accessing its OAuth credentials. Salesloft users who didn’t connect the chatbot to their Salesforce instances weren’t affected.

Shortly after Salesforce disclosed the Gainsight breach on Wednesday, CrowdStrike Holdings Inc. revealed that a former employee had shared internal data with Scattered Lapsus$ Hunters. The individual, who was dismissed last month, provided the hackers with screenshots of company systems. CrowdStrike stated that the incident is unrelated to the Gainsight breach and didn’t compromise its network or customer data. 

Photo: Unsplash
