- Google Threat Intelligence Group says the Gainsight breach may have impacted 200+ Salesforce instances
- Attack stems from the August 2025 Salesloft breach, where OAuth tokens were stolen and abused by Scattered Lapsus$ Hunters
- SHL claims victims include Atlassian, CrowdStrike, LinkedIn, and others, though none have confirmed compromise
Google’s security experts believe the recent Gainsight breach may have left more than 200 companies, and the data they stored through Salesforce, compromised.
Salesforce recently confirmed seeing “unusual activity” involving Gainsight-published applications connected to its systems. At the time, it said some of the apps may have enabled unauthorized access to certain customers’ Salesforce data”, which forced it to revoke all active access and refresh token associated with Gainsight-published applications connected to Salesforce, and to temporarily remove the apps from its AppExchange.
The media discovered that the attack was the result of the August 2025 Salesloft breach. A group of criminals, known as "Scattered Lapsus$ Hunters" (SLH), stole OAuth tokens Salesloft used for its Drift AI chat integration with Salesforce, which gave them direct API access to customers’ Salesforce data. Among this data were Gainsight’s files as well, which led to today’s attack.
Scattered Lapsus Hunters
Now, Austin Larsen, the Principal Threat Analyst with Google’s Threat Intelligence Group, told TechCrunch the company “is aware of more than 200 potentially affected Salesforce instances."
The publication made contact with the group via Telegram, which took responsibility for the attack, and said that it affects Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
TechCrunch reached out to most of the companies on SHL’s list, and while some did not reply, others simply said they were investigating the claims. None confirmed the breach, but they also did not outright deny it, only stating that there is currently no evidence to support the argument.
Just like the Salesloft attack, the Gainsight incident has little to do with Salesforce, which has stated there is “no indication that this issue resulted from any vulnerability in the Salesforce platform”.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
