Salesforce says customer data may be exposed in Gainsight incident - "unusual activity" being probed

News
By published

Effects of the Salesloft breach are still being felt

Hands on a laptop with overlaid logos representing network security
(Image credit: Thapana Onphalai via Getty Images)
  • Gainsight apps enabled unauthorized Salesforce data access, prompting token revocation and AppExchange removal
  • Incident linked to August 2025 Salesloft breach, where OAuth tokens exposed 1.5 billion records
  • ShinyHunters used stolen secrets to steal Gainsight customer contact and licensing data

The Salesloft Drift incident seems to have trickled downstream into Gainsight, resulting in hundreds more organizations potentially losing their sensitive data to hackers.

Salesforce has confirmed it saw “unusual activity” involving Gainsight-published applications connected to Salesforce.

Salesforce says that some of these apps “may have enabled unauthorized access to certain customers’ Salesforce data”, which forced it to revoke all active access and refresh token associated with Gainsight-published applications connected to Salesforce. Furthermore, it temporarily removed the apps from its AppExchange.

ShinyHunters claim responsibility

“There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the announcement reads. “The activity appears to be related to the app’s external connection to Salesforce. We have notified known affected customers directly and will continue to provide updates as appropriate.”

Gainsight is a company building a “customer success” platform through which businesses can manage and improve their post-sales relationships with customers (such as onboarding, adoption, retention, or renewal).

The company also builds different apps and integrations, some of which run natively inside Salesforce, while others connect through APIs.

At the same time, BleepingComputer claims the incident is actually a continuation of the August 2025 Salesloft breach.

This saw a group of criminals known as "Scattered Lapsus$ Hunters" stole OAuth tokens Salesloft used for its Drift AI chat integration with Salesforce, which gave them direct API access to customers’ Salesforce data.

Using the stolen tokens, they accessed around 760 Salesforce instances, and exfiltrated 1.5 billion records, including passwords, AWS keys, and Snowflake tokens.

Now, a member of that same group, ShinyHunters, told the publication they broke into Gainsight by using secrets stolen in the Salesloft incident.

Gainsight also confirmed that attack, and said the miscreants took business contact details such as names, business email addresses, phone numbers, regional/location details, licensing information, and support case contents.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.