- Gainsight apps enabled unauthorized Salesforce data access, prompting token revocation and AppExchange removal
- Incident linked to August 2025 Salesloft breach, where OAuth tokens exposed 1.5 billion records
- ShinyHunters used stolen secrets to steal Gainsight customer contact and licensing data
The Salesloft Drift incident seems to have trickled downstream into Gainsight, resulting in hundreds more organizations potentially losing their sensitive data to hackers.
Salesforce has confirmed it saw “unusual activity” involving Gainsight-published applications connected to Salesforce.
Salesforce says that some of these apps “may have enabled unauthorized access to certain customers’ Salesforce data”, which forced it to revoke all active access and refresh token associated with Gainsight-published applications connected to Salesforce. Furthermore, it temporarily removed the apps from its AppExchange.
ShinyHunters claim responsibility
“There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the announcement reads. “The activity appears to be related to the app’s external connection to Salesforce. We have notified known affected customers directly and will continue to provide updates as appropriate.”
Gainsight is a company building a “customer success” platform through which businesses can manage and improve their post-sales relationships with customers (such as onboarding, adoption, retention, or renewal).
The company also builds different apps and integrations, some of which run natively inside Salesforce, while others connect through APIs.
At the same time, BleepingComputer claims the incident is actually a continuation of the August 2025 Salesloft breach.
This saw a group of criminals known as "Scattered Lapsus$ Hunters" stole OAuth tokens Salesloft used for its Drift AI chat integration with Salesforce, which gave them direct API access to customers’ Salesforce data.
Using the stolen tokens, they accessed around 760 Salesforce instances, and exfiltrated 1.5 billion records, including passwords, AWS keys, and Snowflake tokens.
Now, a member of that same group, ShinyHunters, told the publication they broke into Gainsight by using secrets stolen in the Salesloft incident.
Gainsight also confirmed that attack, and said the miscreants took business contact details such as names, business email addresses, phone numbers, regional/location details, licensing information, and support case contents.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
