
AI-powered marketing intelligence. Make smarter decisions by connecting and acting on your marketing data and KPIs.

Datorama, a Salesforce Company A.I CyberSecurity Scoring

DSC

Company Details

LinkedIn ID: datorama

Employees number: 95

Number of followers: 19,485

NAICS: 5112

Industry Type: Software Development

Homepage: salesforce.com

IP Addresses: 0

Company ID: DAT_2752265

Scan Status: In-progress

DSC Risk Score (AI oriented)

Between 650 and 699

DSC Software Development
  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score when calculating premiums

DSC Global Score (TPRM)

XXXX

DSC Software Development
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

DSC Company CyberSecurity News & History

Past Incidents
1
Attack Types
1
Entity: Salesforce (via Gainsight breach)

Type: Breach

Severity: 85

Impact: 4

Seen: 11/2025

Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: Salesforce confirmed unauthorized access to customer data via a **Gainsight-managed package**, a third-party SaaS connector integrated through OAuth. The breach exploited Gainsight’s compromised credentials, allowing attackers (claimed by **ShinyHunters**) to extract data from Salesforce instances without directly hacking Salesforce’s core infrastructure. The incident mirrors a prior **Salesloft supply-chain attack**, where attackers leveraged connected apps to pivot into victims’ Salesforce environments. While Salesforce denied platform vulnerabilities, the breach highlights risks of **token theft, over-permissive OAuth scopes, and third-party app sprawl**. The hackers threatened **double extortion**, hinting at stolen data from *hundreds of organizations*, though the exact scale and data types (e.g., customer PII, corporate records) remain unverified. Gainsight’s status page acknowledged a *Salesforce connection issue* but avoided labeling it a breach. The attack vector—**compromised vendor tokens accessing Salesforce APIs**—underscores systemic risks in SaaS supply chains, where long-lived tokens and broad permissions enable lateral movement. Customers were urged to **rotate OAuth tokens, audit app permissions, and monitor logs** for anomalous exports. The incident reinforces warnings from **CISA** about cloud-to-cloud compromises via third-party integrations, with potential fallout including **reputational damage, regulatory scrutiny, and customer churn** if sensitive data was exposed.



Underwriter Stats for DSC

Incidents vs Software Development Industry Average (This Year)

Datorama, a Salesforce Company has 132.56% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Datorama, a Salesforce Company has 56.25% more incidents than the average of all companies with at least one recorded incident.

Incident Types DSC vs Software Development Industry Avg (This Year)

Datorama, a Salesforce Company reported 1 incident this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 1 data breach, compared to industry peers with at least 1 incident.

Incident History — DSC (X = Date, Y = Severity)

DSC cyber incidents detection timeline including parent company and subsidiaries


DSC Similar Companies

ServiceNow (NYSE: NOW) makes the world work better for everyone. Our cloud-based platform and solutions help digitize and unify organizations so that they can find smarter, faster, better ways to make work flow. So employees and customers can be more connected, more innovative, and more agile. And w

Siemens Digital Industries Software

We help organizations of all sizes digitally transform using software, hardware and services from the Siemens Xcelerator business platform. Our software and the comprehensive digital twin enable companies to optimize their design, engineering and manufacturing processes to turn today's ideas into th

SAP is the leading enterprise application and business AI company. We stand at the intersection of business and technology, where our innovations are designed to directly address real business challenges and produce real-world impacts. Our solutions are the backbone for the world’s most complex and

Meta's mission is to build the future of human connection and the technology that makes it possible. Our technologies help people connect, find communities, and grow businesses. When Facebook launched in 2004, it changed the way people connect. Apps like Messenger, Instagram and WhatsApp further e

Nielsen

Nielsen shapes the world’s media and content as a global leader in audience insights, data and analytics. Through our understanding of people and their behaviors across all channels and platforms, we empower our clients with independent and actionable intelligence so they can connect and engage with

Shopify

Shopify is a leading global commerce company, providing trusted tools to start, grow, market, and manage a retail business of any size. Shopify makes commerce better for everyone with a platform and services that are engineered for reliability, while delivering a better shopping experience for consu

TOTVS

Hello, we are TOTVS! The largest technology company in Brazil. 🤓 The absolute leader in systems and platforms for businesses, TOTVS has more than 70 thousand customers. Going far beyond ERP, it offers complete technology for the digitalization of businesses through 3 business units: - Management: ERPs, sol

Cisco

Cisco is the worldwide technology leader that is revolutionizing the way organizations connect and protect in the AI era. For more than 40 years, Cisco has securely connected the world. With its industry leading AI-powered solutions and services, Cisco enables its customers, partners and communities

Bosch USA

The Bosch Group’s strategic objective is to create solutions for a connected life. Bosch improves quality of life worldwide with innovative products and services that are "Invented for life"​ and spark enthusiasm. Podcast: http://bit.ly/beyondbosch Imprint: https://www.bosch.us/corporate-informatio


DSC CyberSecurity News

March 14, 2024 07:00 AM
Zscaler buys Israeli cybersecurity co Avalor for $350m

US cybersecurity company Zscaler has announced that it is acquiring early stage Israeli cybersecurity startup Avalor for $350 million.

January 21, 2024 08:00 AM
Zscaler in negotiations to acquire cyber startup Avalor for $250-350 million

American cybersecurity giant Zscaler is in negotiations to purchase Israeli startup Avalor for approximately $250-350 million.

April 19, 2023 07:00 AM
Avalor Emerges from Stealth with $30M to Make Sense of Security Data

TEL AVIV, Israel--(BUSINESS WIRE)--Today, Avalor – the Data Fabric for Security™ – announced the completion of a $25M Series A investment...

April 18, 2023 07:00 AM
Avalor wants to unify cybersecurity tools by aggregating data

Security has a data problem. That's according to Kfir Tishbi, who led the engineering team at Datorama, a marketing analytics company that...

June 15, 2020 07:00 AM
CHEQ launches in Australia with former Datorama executive as MD

Mick O'Brien will lead the local business for the global cybersecurity solution for online advertisers.

June 03, 2020 07:00 AM
Cybersecurity Startup Foundry Team8 Launches VC Arm, Raises $104 Million

Team8 Capital will lead seed, series A, and series B rounds for startups working in the fields of data, artificial intelligence,...

November 28, 2019 08:00 AM
Salesforce to Nearly Double Israeli R&D Operation by 2022, Says Exec

Elad Donsky, Salesforce's vice president of engineering, spoke to Calcalist about the multinational cloud company's local expansion...

June 27, 2019 07:00 AM
Salesforce to turn Israel into second-largest global innovation hub

Salesforce will significantly expand its Israel-based operations in the coming years, a company executive said on Thursday, making Israel the company's second-...

May 08, 2019 07:00 AM
Calcalist's Top 50 Startups 2019: Some Broke Out, Some Plateaued

From Datorama's exit to Gett's upcoming IPO: where are last year's star startups now?


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

DSC CyberSecurity History Information

Official Website of Datorama, a Salesforce Company

The official website of Datorama, a Salesforce Company is http://www.datorama.com.

Datorama, a Salesforce Company’s AI-Generated Cybersecurity Score

According to Rankiteo, Datorama, a Salesforce Company’s AI-generated cybersecurity score is 689, reflecting their Weak security posture.

How many security badges does Datorama, a Salesforce Company have ?

According to Rankiteo, Datorama, a Salesforce Company currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Datorama, a Salesforce Company have SOC 2 Type 1 certification ?

According to Rankiteo, Datorama, a Salesforce Company is not certified under SOC 2 Type 1.

Does Datorama, a Salesforce Company have SOC 2 Type 2 certification ?

According to Rankiteo, Datorama, a Salesforce Company does not hold a SOC 2 Type 2 certification.

Does Datorama, a Salesforce Company comply with GDPR ?

According to Rankiteo, Datorama, a Salesforce Company is not listed as GDPR compliant.

Does Datorama, a Salesforce Company have PCI DSS certification ?

According to Rankiteo, Datorama, a Salesforce Company does not currently maintain PCI DSS compliance.

Does Datorama, a Salesforce Company comply with HIPAA ?

According to Rankiteo, Datorama, a Salesforce Company is not compliant with HIPAA regulations.

Does Datorama, a Salesforce Company have ISO 27001 certification ?

According to Rankiteo, Datorama, a Salesforce Company is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Datorama, a Salesforce Company

Datorama, a Salesforce Company operates primarily in the Software Development industry.

Number of Employees at Datorama, a Salesforce Company

Datorama, a Salesforce Company employs approximately 95 people worldwide.

Subsidiaries Owned by Datorama, a Salesforce Company

Datorama, a Salesforce Company presently has no subsidiaries across any sectors.

Datorama, a Salesforce Company’s LinkedIn Followers

Datorama, a Salesforce Company’s official LinkedIn profile has approximately 19,485 followers.

NAICS Classification of Datorama, a Salesforce Company

Datorama, a Salesforce Company is classified under the NAICS code 5112, which corresponds to Software Publishers.

Datorama, a Salesforce Company’s Presence on Crunchbase

Yes, Datorama, a Salesforce Company has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/datorama.

Datorama, a Salesforce Company’s Presence on LinkedIn

Yes, Datorama, a Salesforce Company maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/datorama.

Cybersecurity Incidents Involving Datorama, a Salesforce Company

As of December 04, 2025, Rankiteo reports that Datorama, a Salesforce Company has experienced 1 cybersecurity incident.

Number of Peer and Competitor Companies

Datorama, a Salesforce Company has an estimated 27,188 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Datorama, a Salesforce Company ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach.

How does Datorama, a Salesforce Company detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through:
  • Third-party assistance: coordination with Gainsight, legal counsel, insurers
  • Containment measures: invalidate and rotate OAuth tokens/client secrets; enforce reconsent for affected apps; turn off/uninstall unused integrations; limit data export scope
  • Remediation measures: tighten connected app policies (IP restrictions, re-authentication, least privilege); analyze Event Monitoring (EM) logs and API logs for anomalies; centralized token vaulting (recommended); conditional access policies (recommended); DLP controls in CASB/SSPM tools (recommended)
  • Recovery measures: reauthorize integrations post-remediation
  • Communication strategy: customer advisories from Salesforce/Gainsight; public status page updates
  • Enhanced monitoring: ongoing monitoring of OAuth token usage; API log analysis

Incident Details

Can you provide details on each incident ?

Incident : Data Breach

Title: Unauthorized Access to Salesforce Customer Data via Gainsight Managed Package

Description: Salesforce investigated an incident where unauthorized access to some customers’ data occurred through a Gainsight 'managed package,' a third-party connector. The breach was attributed to the exploitation of OAuth tokens linked to Gainsight-published applications, rather than a vulnerability in Salesforce’s core platform. The hacking group ShinyHunters claimed responsibility, threatening to leak stolen data if negotiations failed. The incident highlights risks associated with third-party SaaS connectors and OAuth token misuse in cloud environments.

Type: Data Breach

Attack Vector: OAuth Token Exploitation, Third-Party Connector (Gainsight Managed Package), Cloud-to-Cloud Compromise

Vulnerability Exploited: Overbroad OAuth Token Permissions, Long-Lived Tokens, Token Sprawl

Threat Actor: ShinyHunters, Scattered Lapsus$ Hunters (historically linked)

Motivation: Data Theft, Extortion (Double-Extortion Technique), Financial Gain

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Compromised Gainsight Environment or Token Store, Exploited OAuth Tokens for Gainsight Managed Package.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach DAT1804218112125

Data Compromised: Account data, Contact data, Opportunity data, Usage data, Potentially sensitive metadata

Systems Affected: Salesforce Instances (via Gainsight Connected Apps), Gainsight Managed Package

Operational Impact: Potential Disruption to Customer Success Workflows, Need for Token Rotation and App Reauthorization

Brand Reputation Impact: Potential Erosion of Trust in Salesforce/Gainsight Security, Negative Publicity

Identity Theft Risk: Possible (if PII was exposed)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Account Data, Contact Data, Opportunity Data, Usage Data, and Potentially Sensitive Metadata.

Which entities were affected by each incident ?

Incident : Data Breach DAT1804218112125

Entity Name: Salesforce

Entity Type: SaaS Provider

Industry: Cloud Computing / CRM

Location: San Francisco, California, USA

Size: Large Enterprise

Customers Affected: Hundreds of organizations (claimed by ShinyHunters, unverified)

Incident : Data Breach DAT1804218112125

Entity Name: Gainsight

Entity Type: Customer Success Platform

Industry: Software

Location: San Francisco, California, USA

Size: Mid-to-Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Salesloft

Entity Type: Sales Engagement Platform

Industry: Software

Location: Atlanta, Georgia, USA

Size: Mid-to-Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Allianz Life

Entity Type: Financial Services

Industry: Insurance

Location: USA

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Bugcrowd

Entity Type: Cybersecurity

Industry: Technology

Location: USA

Size: Mid-to-Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Cloudflare

Entity Type: Web Infrastructure

Industry: Technology

Location: USA

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Google

Entity Type: Technology

Industry: Internet Services

Location: USA

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Kering

Entity Type: Luxury Goods

Industry: Retail

Location: France

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Proofpoint

Entity Type: Cybersecurity

Industry: Technology

Location: USA

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Qantas

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Stellantis (formerly Fiat Chrysler)

Entity Type: Automotive

Industry: Manufacturing

Location: Netherlands/USA

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: TransUnion

Entity Type: Credit Reporting

Industry: Financial Services

Location: USA

Size: Large Enterprise

Incident : Data Breach DAT1804218112125

Entity Name: Workday

Entity Type: Enterprise Cloud Applications

Industry: Software

Location: USA

Size: Large Enterprise

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach DAT1804218112125

Incident Response Plan Activated: True

Third Party Assistance: Coordination With Gainsight, Legal Counsel, Insurers.

Containment Measures: Invalidate and Rotate OAuth Tokens/Client Secrets, Enforce Reconsent for Affected Apps, Turn Off/Uninstall Unused Integrations, Limit Data Export Scope

Remediation Measures: Tighten Connected App Policies (IP Restrictions, Re-Authentication, Least Privilege), Analyze Event Monitoring (EM) Logs and API Logs for Anomalies, Centralized Token Vaulting (Recommended), Conditional Access Policies (Recommended), DLP Controls in CASB/SSPM Tools (Recommended)

Recovery Measures: Reauthorize Integrations Post-Remediation

Communication Strategy: Customer Advisories from Salesforce/Gainsight, Public Status Page Updates

Enhanced Monitoring: Ongoing Monitoring of OAuth Token Usage, API Log Analysis

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Coordination with Gainsight, Legal Counsel, Insurers.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach DAT1804218112125

Type of Data Compromised: Account data, Contact data, Opportunity data, Usage data, Potentially sensitive metadata

Sensitivity of Data: Moderate to High (depends on exposed fields)

Personally Identifiable Information: Potential (if PII was included in exposed data)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Tighten Connected App Policies (IP Restrictions, Re-Authentication, Least Privilege), Analyze Event Monitoring (EM) Logs and API Logs for Anomalies, Centralized Token Vaulting (Recommended), Conditional Access Policies (Recommended), DLP Controls in CASB/SSPM Tools (Recommended).

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through the following measures: invalidate and rotate OAuth tokens/client secrets, enforce reconsent for affected apps, turn off/uninstall unused integrations, and limit data export scope.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Data Breach DAT1804218112125

Data Exfiltration: True

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Reauthorize Integrations Post-Remediation.

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Data Breach DAT1804218112125

Lessons Learned:
  • Third-party SaaS connectors can serve as attack vectors even if the core platform is secure.
  • OAuth token sprawl and overbroad permissions increase risk in multi-tenant cloud environments.
  • Token theft and cloud-to-cloud compromise are significant threats, as warned by CISA.
  • Strict scoping, short-lived tokens, and ongoing monitoring are critical countermeasures.
  • Recertification of connected apps and centralized token management are essential for security.

What recommendations were made to prevent future incidents ?

Incident : Data Breach DAT1804218112125

Recommendations:
  • Audit and inventory all third-party connected apps, especially those with broad permissions.
  • Enforce least-privilege access and short-lived tokens for OAuth integrations.
  • Implement conditional access policies and DLP controls for SaaS connectors.
  • Monitor Event Monitoring (EM) logs and API logs for abnormal activity.
  • Disable or limit unused integrations to reduce the attack surface.
  • Coordinate with vendors (e.g., Gainsight) for indicators of compromise and remediation steps.
  • Engage legal, insurance, and law enforcement stakeholders if sensitive data is exposed.
  • Educate teams on risks associated with SaaS supply chain attacks and token hygiene.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are:
  • Third-party SaaS connectors can serve as attack vectors even if the core platform is secure.
  • OAuth token sprawl and overbroad permissions increase risk in multi-tenant cloud environments.
  • Token theft and cloud-to-cloud compromise are significant threats, as warned by CISA.
  • Strict scoping, short-lived tokens, and ongoing monitoring are critical countermeasures.
  • Recertification of connected apps and centralized token management are essential for security.

References

Where can I find more information about each incident ?

Incident : Data Breach DAT1804218112125

Source: Salesforce Customer Notice

Incident : Data Breach DAT1804218112125

Source: Gainsight Public Status Page

Incident : Data Breach DAT1804218112125

Source: DataBreaches.net (ShinyHunters Claim)

Incident : Data Breach DAT1804218112125

Source: CISA Warnings on Token Theft

Incident : Data Breach DAT1804218112125

Source: Verizon Data Breach Investigations Report

Incident : Data Breach DAT1804218112125

Source: IBM Cost of a Data Breach Study

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Salesforce Customer Notice, Gainsight Public Status Page, DataBreaches.net (ShinyHunters Claim), CISA Warnings on Token Theft, Verizon Data Breach Investigations Report, and IBM Cost of a Data Breach Study.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach DAT1804218112125

Investigation Status: Ongoing (Salesforce and Gainsight investigating; extent of access and data exposure unclear)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Customer Advisories From Salesforce/Gainsight and Public Status Page Updates.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach DAT1804218112125

Stakeholder Advisories: Monitor Updates From Salesforce And Gainsight, Prepare For Potential Reauthorization Of Integrations.

Customer Advisories: Check inventory of Gainsight-related apps, Verify app scopes and installed users, Rotate OAuth tokens and client secrets

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Monitor Updates From Salesforce And Gainsight, Prepare For Potential Reauthorization Of Integrations, Check Inventory Of Gainsight-Related Apps, Verify App Scopes And Installed Users, and Rotate OAuth Tokens And Client Secrets.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach DAT1804218112125

Entry Point: Compromised Gainsight Environment Or Token Store, Exploited OAuth Tokens For Gainsight Managed Package

High Value Targets: Salesforce Customer Data (Accounts, Contacts, Opportunities)

Data Sold on Dark Web: Salesforce Customer Data (Accounts, Contacts, Opportunities)

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach DAT1804218112125

Root Causes: Overbroad OAuth Token Permissions For Third-Party Apps, Long-Lived Tokens Without Rotation, Insufficient Monitoring Of Connected App Activity, Token Sprawl In Multi-Tenant Cloud Environments

Corrective Actions: Enforce Least-Privilege Access And Token Scoping, Implement Short-Lived Tokens And Regular Rotation, Enhance Logging And Monitoring For Connected Apps, Centralize Token Management With Vaulting Solutions, Conduct Recertification Of All Connected Apps, Limit Data Export Capabilities For Integrations

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as coordination with Gainsight, legal counsel, and insurers; ongoing monitoring of OAuth token usage; and API log analysis.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: enforce least-privilege access and token scoping, implement short-lived tokens and regular rotation, enhance logging and monitoring for connected apps, centralize token management with vaulting solutions, conduct recertification of all connected apps, and limit data export capabilities for integrations.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was ShinyHunters, Scattered Lapsus$ Hunters (historically linked).

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Account Data, Contact Data, Opportunity Data, Usage Data and Potentially Sensitive Metadata.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Salesforce Instances (via Gainsight Connected Apps) and the Gainsight Managed Package.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was coordination with Gainsight, legal counsel, and insurers.

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: Invalidate and Rotate OAuth Tokens/Client Secrets, Enforce Reconsent for Affected Apps, Turn Off/Uninstall Unused Integrations, Limit Data Export Scope.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Potentially Sensitive Metadata, Contact Data, Usage Data, Account Data and Opportunity Data.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Recertification of connected apps and centralized token management are essential for security.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: monitor Event Monitoring (EM) logs and API logs for abnormal activity; educate teams on risks associated with SaaS supply chain attacks and token hygiene; audit and inventory all third-party connected apps, especially those with broad permissions; coordinate with vendors (e.g., Gainsight) for indicators of compromise and remediation steps; implement conditional access policies and DLP controls for SaaS connectors; enforce least-privilege access and short-lived tokens for OAuth integrations; engage legal, insurance, and law enforcement stakeholders if sensitive data is exposed; and disable or limit unused integrations to reduce the attack surface.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Salesforce Customer Notice, CISA Warnings on Token Theft, IBM Cost of a Data Breach Study, Verizon Data Breach Investigations Report, Gainsight Public Status Page and DataBreaches.net (ShinyHunters Claim).

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Salesforce and Gainsight investigating; extent of access and data exposure unclear).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: Monitor updates from Salesforce and Gainsight, Prepare for potential reauthorization of integrations.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was: Check inventory of Gainsight-related apps, Verify app scopes and installed users, Rotate OAuth tokens and client secrets.

Initial Access Broker

Latest Global CVEs (Not Company-Specific)

Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Risk Information
cvss3
Base: 6.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Description

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

Description

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Risk Information
cvss4
Base: 9.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Risk Information
cvss4
Base: 5.5
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=datorama' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.