The ShinyHunters hacking group has claimed responsibility for a series of recent high-profile breaches. These attacks have caused disruptions for over 200 companies, including household names such as Atlassian, CrowdStrike, Docusign, and Verizon. The attacks have caused widespread alarm, both over the security of personal data and over what they could mean for affected businesses and their customers.
The breaches seem to have stemmed from the theft of sensitive data via hacked authentication channels. The ShinyHunters group selectively targeted Drift customers and stole their authentication tokens. This access allowed them to move into connected Salesforce instances and pull down other useful data. The tactic is reminiscent of the group’s previous 2020 attacks, in which it created extortion sites following data theft. Among other recent attacks, the group also compromised Salesloft.
Salesforce has admitted that hackers stole data from some of its customers. The leak happened through apps published by Gainsight, a customer support platform. In response to the breach, Salesforce stated that there is “no indication that this issue resulted from any vulnerability in the Salesforce platform.” A spokesperson for Gainsight further explained that the breach came from outside connections, not internal weaknesses.
Investigations are still ongoing, and Google’s incident response unit Mandiant is examining the breach. The Google Threat Intelligence Group is currently aware of more than 200 potentially affected Salesforce instances linked to this incident.
Michael Adams, chief infosec officer at Docusign, gave us the high-level view on an evolving situation. He reiterated that after an extensive internal investigation, there are no signs of a data breach on their end.
“Following a comprehensive log analysis and internal investigation, we have no indication of Docusign data compromise at this time.” – Michael Adams, Docusign
Adams stressed that Docusign has gone above and beyond with precautionary measures. For instance, they have cut off all integrations with Gainsight and contained associated data flows to avoid additional complexities.
Besides Docusign, other well-known companies that have been attacked this way include ActiveCampaign and Mailchimp. The ShinyHunters collective has breached data from MGM Resorts, Coinbase, and DoorDash, among many others. Acknowledging the allegations, a Verizon spokesman praised the hackers’ work. They were unable to ascertain any effect on the company’s systems.
“Verizon is aware of the unsubstantiated claim by the threat actor.” – Verizon spokesperson Kevin Israel
The ShinyHunters group has developed a demonstrable modus operandi of creating extortion websites only after they’ve successfully infiltrated and extracted victims’ data. This playbook spooked the American cybersecurity community. It underscores the continuing and urgent need for any company working with sensitive information to take strong security precautions.
Malwarebytes’ security team is separately investigating the Gainsight and Salesforce problems and working to understand these developments. Their participation underscores a growing realization that these breaches are eroding consumer trust and the integrity of cybersecurity overall.
Austin Larsen, a principal threat analyst with Google’s Threat Intelligence Group, noted how severe these attacks are. He called on all organizations that use third-party applications to exercise increased caution.
Amidst these security challenges, Salesforce’s spokesperson Nicole Aranda reiterated the company’s policy regarding customer issues. She told us that, as a matter of policy, Salesforce does not comment on ongoing customer matters.
“As a matter of policy, Salesforce does not comment on specific customer issues.” – Nicole Aranda, Salesforce

