Google Confirms That Data of More Than 200 Companies Was Stolen

Google has confirmed that hackers accessed information belonging to more than 200 companies that was stored on the customer relations platform Salesforce.

Salesforce acknowledged that data from some customers was taken through apps developed by Gainsight, a company that provides customer support tools, writes Lorenzo Franceschi-Bicchierai of TechCrunch. Google’s threat analysts reported awareness of over 200 potentially compromised Salesforce instances.

A hacking collective calling itself Scattered Lapsus$ Hunters claimed responsibility for the campaign in statements made on its Telegram channel.

The breach stems from Gainsight applications linked to Salesforce environments. According to the article, the hackers said they leveraged access acquired during an earlier intrusion involving Salesloft’s Drift platform, during which they stole authentication tokens from customers. 

Gainsight had previously confirmed it was affected in that earlier incident.

Salesforce stated that it cannot verify any specific customer impact, and denied that a flaw in its own systems caused the current issue. Gainsight, which has been posting updates publicly, said the compromise originated in an external connection to its applications. A forensic review was initiated with assistance from Mandiant.

Several major companies were named by the hackers as victims. Google would not verify which organizations were affected.

Some of the named companies issued statements: CrowdStrike reported no exposure but acknowledged terminating a suspicious insider; Verizon called the hackers’ claims unsubstantiated; DocuSign said its investigation found no signs of compromise but halted all Gainsight integrations. Malwarebytes and Thomson Reuters stated that they are investigating.

Lawyers should note that this incident raises questions about contractual allocations of risk in multi-vendor cloud environments and the sufficiency of monitoring obligations over interconnected applications.

Counsel may need to evaluate whether existing agreements address security failures originating from integrations rather than core platforms, and whether clients have appropriate incident response processes for situations where facts emerge gradually and depend on third-party investigations.