Gainsight CEO Chuck Ganapathi assured customers in a blog post published Tuesday that the company was actively working with Salesforce and third-party forensic experts to respond to a supply chain attack last week that enabled hackers to access customer data.
Salesforce last week disabled its connection with Gainsight, revoking all active and refresh tokens that were connected to Gainsight-published applications.
Ganapathi said the company has been in regular contact with customers, holding town halls, and has stood up a team of specialists to manage CS instances while the Salesforce app connection is offline, according to the blog post.
“We know how critical Gainsight is to your daily operations and we personally take the responsibility for ensuring you have access to our products,” Ganapathi said in the blog post.
Ganapathi said that while Salesforce has identified compromised customer tokens, Gainsight is aware of “only a handful” of customers that had their data affected by the breach. Mandiant, the incident response arm of Google Threat Intelligence Group, has been working with the companies to investigate the breach.
Last week researchers said they were investigating more than 200 cases related to the breach, which was claimed by the hacking group ShinyHunters. It is not immediately clear how to reconcile the 200 cases with the “handful” of customers with confirmed data impacts.
Researchers said the hackers claimed to have much larger numbers of impacted cases.
The incident comes about three months after a similar attack, where Salesforce customers were targeted through their connections with Salesloft Drift. That attack was linked to the compromise of the Salesloft Drift GitHub account, which occurred between March and June of this year.
Gainsight previously confirmed that integrations with other applications, including Zendesk and HubSpot, have been paused as a precaution.
The prior Salesloft breach should have been considered a wakeup call for Salesloft and other SaaS vendors, according to Janet Worthington, senior analyst, security and risk at Forrester.
“However, the recent breach raises serious concerns, as stolen authentication tokens and other sensitive data from the earlier incident may have been exploited in the latest attack,” Worthington told Cybersecurity Dive.
Worthington said questions have also emerged about Gainsight’s security practices, particularly around authentication, “including the need for shorter token lifetimes, IP restrictions, and continuous API monitoring to detect and respond to threats effectively.”
Editor’s note: Updates with comments from Forrester.
