All news with #salesforce tag

Amazon Connect adds AI agent assistance and summarization

🤖 Amazon Connect now offers real-time AI agent assistance and automated contact summarization for Salesforce Contact Center with Amazon Connect (SCC-AC). The capability surfaces customer CRM records and knowledge-base articles to AI agents across voice and chat and provides agents with live transcripts and contextual recommendations. Supervisors gain enhanced call monitoring inside Salesforce, and automated post-contact summaries help agents quickly update cases, reducing administrative burden. Administrators can deploy and configure the integrated solution in minutes; it is available in all AWS Regions where Amazon Connect operates.

Gainsight Expands Customer Impact After Salesforce Alert

🔒 Gainsight disclosed that suspicious activity affecting its Salesforce-connected applications has expanded beyond an initial three-customer list provided by Salesforce, with the company saying it presently knows of "only a handful" of customers whose data were affected. Salesforce revoked access and refreshed tokens for impacted Gainsight-published apps after detecting "unusual activity" claimed by the ShinyHunters group. Several vendors suspended integrations while investigations continue; Gainsight advised rotating credentials, resetting non‑SSO passwords, and reauthorizing connectors as preventive measures.

Gainsight Breach Impacts More Salesforce Customers

🔒Gainsight has confirmed the cyber‑attack tied to Salesforce affected more customers than initially reported, though the vendor says the number remains limited and affected customers were notified. As a precaution Gainsight temporarily disabled Salesforce read/write access for several products, including Customer Success (CS), Community (CC), Northpass (CE), Skilljar (SJ) and Staircase (ST). Other vendors such as Gong.io, Zendesk and HubSpot have also disabled their connectors. Gainsight engaged Mandiant for an independent forensic investigation and is advising customers to rotate credentials and S3 keys, reset NXT passwords where appropriate, re-authorize integrations, and follow proactive hardening guidance while the investigation continues.

SLSH Resurgence: ShinySp1d3r RaaS Ahead of Holidays

⚠️ Unit 42 documents a renewed campaign by the Scattered LAPSUS$ Hunters (SLSH) that combines a supply-chain driven data theft affecting Gainsight/Salesforce integrations with the emergence of a new Windows-focused ransomware-as-a-service, ShinySp1d3r. The actors publicly threatened mass ransomware deployment and set a leak deadline while also actively recruiting insiders and claiming hundreds of additional victim accesses. Organizations should prioritize rotating exposed tokens, enforcing strong insider controls, and engaging incident response if they suspect compromise.

AWS Secrets Manager Introduces Managed External Secrets

🔐 AWS Secrets Manager now supports managed external secrets, a new secret type that standardizes storage and enables automated rotation for third-party application credentials such as Salesforce, Snowflake, and BigID. The feature separates rotation metadata from secret values and integrates directly with providers to remove the need for custom rotation functions. It leverages existing IAM, CloudWatch, CloudTrail, GuardDuty, and KMS controls and follows standard Secrets Manager pricing with no additional charge.

OAuth Token Compromise Hits Salesforce Ecosystem Again

🔐 Salesforce disclosed unauthorized access tied to Gainsight-published apps using OAuth integrations, saying it revoked all active access and refresh tokens and temporarily removed those apps from the AppExchange while investigators continue their work. Gainsight confirmed the incident, has engaged Mandiant for forensics, and revoked related connector access across other marketplaces. Google Threat Intelligence linked the activity to actors associated with ShinyHunters, echoing prior token-abuse campaigns against Salesloft and Drift. The incident highlights supply-chain risks in SaaS OAuth integrations and reinforces urgent recommendations to audit and revoke suspicious tokens.

Gainsight Supply-Chain Hack Disrupts Salesforce Apps

⚠️ On November 20, customer support platform provider Gainsight reported connection failures after Salesforce revoked active access for the Gainsight SFDC Connector following detection of unusual activity. Salesforce temporarily removed all Gainsight-published apps from its AppExchange, citing potential unauthorized access via the app's external connection rather than a Salesforce platform vulnerability. Gainsight also disabled integrations with HubSpot and Zendesk, and engaged Mandiant to support forensic work. A criminal collective claiming affiliation with Lapsus$/Scattered Spider said it was responsible and threatened wider data leaks and a RaaS offering.

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported detected 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.

Salesforce Probes Customer Data Theft via Gainsight Apps

🔒 Salesforce says it revoked active access and refresh tokens tied to Gainsight-published applications after detecting unusual activity that may have enabled unauthorized access to some customers' CRM data. The company says the issue stems from the app's external connection rather than a vulnerability in Salesforce itself and temporarily removed those apps from the AppExchange. Affected customers have been notified and can contact Salesforce Help for assistance.

Vietnam Actors Use Fake Job Postings to Hijack Ad Accounts

🔎 GTIG describes a targeted campaign by a Vietnam-based cluster tracked as UNC6229 that uses fake job postings on legitimate platforms to socially engineer remote digital advertising workers. Victims are enticed to open password-protected attachments or visit convincing phishing portals that harvest corporate credentials and can bypass MFA. The actors abuse reputable CRM and SaaS services to increase trust, deliver remote access trojans, and ultimately take over high-value advertising and social media accounts for sale or resale.

Dreamforce Highlights Salesforce Amid OAuth Security Storm

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.

FBI Seizes BreachForums Servers as Salesforce Deadline Nears

🔒 The FBI, US Department of Justice and French authorities seized the BreachForums domain and parts of its backend on Oct. 9, disrupting infrastructure tied to an alliance of threat actors including ShinyHunters, Scattered Spider and LAPSUS$. The action followed threats to publish alleged Salesforce customer data unless a ransom was paid by Oct. 10. Although the primary forum domain now displays a takedown notice, a separate leak site remains active and the extortion campaign appears to be continuing. Experts advise organizations to audit Salesforce configurations, enable OAuth app governance, and enforce token and session hygiene immediately.

BreachForums Seized; Hackers Promise Salesforce Leak

🚨 Law enforcement in the United States and France have seized domains tied to the BreachForums hacking forum, and the seized site now displays an official takedown banner pointing victims to an IC3 subdomain. Observers caution the action may be largely symbolic because a dark‑web instance remains active and no public arrests of administrators were confirmed. A collective calling itself Scattered LAPSUS$ Hunters says it will still release one billion records allegedly taken from Salesforce customers on 10 October 2025, while Salesforce has reportedly told clients it will not pay a ransom.

it-sa Highlights: Vendor Security and Access Solutions

🔒 At it-sa vendors unveiled a slate of security, privacy and access offerings aimed at strengthening enterprise controls. Salesforce expanded its AI Agentforce into the Security Center and Privacy Center to automate threat detection, incident remediation and compliance prioritization. Ivanti reengineered Connect Secure 25.x with a security‑by‑design architecture including SELinux, WAF, secure boot and disk encryption. Additional launches included Samsung Knox mobile credentials, KOBIL mPower and a Zurich/Deutsche Telekom cyber insurance plus MDR integration.

FBI Seizes BreachForums Portal Used in Salesforce Extortion

🔒 The FBI, in coordination with French authorities, seized BreachForums domains used by the ShinyHunters group as a portal for leaking corporate data and facilitating extortion. Nameservers were updated on October 9 and law enforcement reports they obtained backups and backend servers dating back to 2023, though the actors' dark‑web leak site remains online. ShinyHunters confirmed the takeover via a PGP‑signed Telegram post and warned the Salesforce campaign will continue.

Salesforce launches AI security and compliance agents

🔒 Salesforce introduced two AI agents on its Agentforce platform that monitor security activity and streamline compliance workflows for the Security Center and Privacy Center. The security agent analyzes event logs to detect anomalous behavior, accelerates investigations by assembling context and remediation plans, and can autonomously freeze or isolate suspicious accounts when authorized. The privacy agent maps metadata and policies against frameworks like GDPR and CCPA, surfaces exposures, and can reclassify or apply erasure policies to reduce compliance risk.

Salesforce Refuses Ransom After Massive Data Theft

🔒 Salesforce confirmed it will not engage with or pay extortion demands after a large-scale theft of customer data this year. Threat actors calling themselves Scattered Lapsus$ Hunters published a data-leak site to extort 39 companies, claiming nearly one billion records stolen. The breaches stemmed from two campaigns: late-2024 social engineering using malicious OAuth apps and an August 2025 campaign abusing stolen SalesLoft/Drift tokens to exfiltrate CRM and support-ticket data. The leak site appears to have been shut down and its domain redirected to nameservers previously associated with law enforcement seizures.

ShinyHunters Launch Extortion Site Targeting Corporates

🔓 A cybercrime collective known as ShinyHunters has launched a public extortion blog threatening to publish data stolen from dozens of major companies if ransoms are not paid. The group claims to have harvested Salesforce customer records via a May voice-phishing campaign, and also says it exfiltrated terabytes of files from a Red Hat GitLab server and Discord user data tied to a third-party provider. Security firms and affected vendors including Salesforce, Red Hat and Discord are investigating, while Google and other investigators link the activity to several related UNC clusters and warn of additional token thefts tied to Salesloft. Victim shaming, published exploit scripts for an Oracle E-Business Suite zero-day, and malware-laced threats have amplified the incident’s severity.

Trinity of Chaos Launches TOR Data Leak Site, Exposes Data

🔓 The Trinity of Chaos collective has opened a data leak site on the TOR network, publishing previously undisclosed records tied to past breaches and listing 39 major global firms. Resecurity says the group claims more than 1.5 billion records across 760 companies and has set an October 10 negotiation deadline. Samples reportedly contain substantial PII and appear to stem from compromised SaaS environments via stolen OAuth tokens and vishing; the FBI has issued a flash alert. The group also threatened to leverage existing litigation and regulatory complaints against Salesforce, which has denied new vulnerabilities.

Extortion Gang Reveals Alleged Salesforce Victims List

🔓 The Scattered Lapsus$ Hunters gang opened a public data-leak site claiming it stole Salesforce data from dozens of global companies, including Salesforce, Toyota, FedEx, Disney/Hulu, Marriott and Google. The group set an Oct. 10 deadline for ransom payments and threatened to publish or even use stolen documents in legal actions if demands are not met. Salesforce says its investigation found no indication the platform itself was compromised and attributes the incidents to past or unsubstantiated claims. Researchers link many breaches to vishing that installs malicious connected apps and to compromised OAuth tokens in Salesloft Drift, underscoring a broader SaaS supply-chain risk.