- The Google Threat Intelligence Group says the Gainsight breach may have affected 200+ Salesforce instances
- The attack stems from the August 2025 Salesloft breach where OAuth tokens were stolen and misused by Scattered Lapsus$ Hunters
- SHL claims victims include Atlassian, CrowdStrike, LinkedIn and others, though none have confirmed compromise
Google security experts believe the latest Gainsight breach may have left more than 200 companies and the data they stored through Salesforce compromised.
Salesforce recently confirmed seeing “unusual activity” involving Gainsight-published applications connected to its systems. At the time, it said “some of the apps may have enabled unauthorized access to certain customers’ Salesforce data,” forcing it to revoke all active access and update tokens associated with Gainsight-published applications connected to Salesforce, and to temporarily remove the apps from its AppExchange.
The media discovered that the attack was the result of the Salesloft breach in August 2025. A group of criminals known as the “Scattered Lapsus$ Hunters” (SLH) stole OAuth tokens that Salesloft used for its Drift AI chat integration with Salesforce, giving them direct API access to customers’ Salesforce data. Among that data were Gainsight’s files as well, leading to today’s attack.
Scattered Lapsus hunters
Now, said Austin Larsen, the principal threat analyst at Google’s Threat Intelligence Group, TechCrunch the company “is aware of more than 200 potentially affected Salesforce instances.”
The publication contacted the group via Telegram, which claimed responsibility for the attack, saying it affects Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Pakinomist and Verizon.
TechCrunch reached out to most of the companies on SHL’s list, and while some did not respond, others simply said they were looking into the allegations. No one confirmed the breach, but they also didn’t deny it outright, saying only that there is currently no evidence to support the argument.
Like the Salesloft attack, the Gainsight incident has very little to do with Salesforce, which has stated that there is “no indication that this issue was due to any vulnerability in the Salesforce platform”.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
