Google security experts say Gainsight hacks may have left hundreds of companies affected
The attack on Gainsight-published applications connected to Salesforce is quite big
- Google Threat Intelligence Group says the Gainsight breach may have impacted 200+ Salesforce instances
- Attack stems from the August 2025 Salesloft breach, where OAuth tokens were stolen and abused by Scattered Lapsus$ Hunters
- SLH claims victims include Atlassian, CrowdStrike, LinkedIn, and others, though none have confirmed compromise
Google’s security experts believe the recent Gainsight breach may have left more than 200 companies, and the data they stored through Salesforce, compromised.
Salesforce recently confirmed seeing “unusual activity” involving Gainsight-published applications connected to its systems. At the time, it said some of the apps may have enabled unauthorized access to certain customers’ Salesforce data, which forced it to revoke all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce, and to temporarily remove the apps from its AppExchange.
The media discovered that the attack was the result of the August 2025 Salesloft breach. A group of criminals, known as "Scattered Lapsus$ Hunters" (SLH), stole OAuth tokens Salesloft used for its Drift AI chat integration with Salesforce, which gave them direct API access to customers’ Salesforce data. Among this data were Gainsight’s files as well, which led to today’s attack.
Scattered Lapsus$ Hunters
Now, Austin Larsen, the Principal Threat Analyst with Google’s Threat Intelligence Group, told TechCrunch the company “is aware of more than 200 potentially affected Salesforce instances.”
The publication contacted the group via Telegram. The group took responsibility for the attack and said that it affects Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
TechCrunch reached out to most of the companies on SLH’s list, and while some did not reply, others simply said they were investigating the claims. None confirmed the breach, but they also did not outright deny it, only stating that there is currently no evidence to support the argument.
Just like the Salesloft attack, the Gainsight incident has little to do with Salesforce, which has stated there is “no indication that this issue resulted from any vulnerability in the Salesforce platform”.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.