- Gainsight apps enabled unauthorized Salesforce data access, requested token revocation and AppExchange removal
- Incident linked to August 2025 Salesloft breach where OAuth tokens exposed 1.5 billion records
- ShinyHunters used stolen secrets to steal Gainsight customer contact and license data
The Salesloft Drift incident appears to have seeped downstream into Gainsight, resulting in hundreds of organizations potentially losing their sensitive data to hackers.
Salesforce has confirmed that it saw “unusual activity” involving Gainsight-published applications connected to Salesforce.
Salesforce says some of these apps “may have enabled unauthorized access to certain customers’ Salesforce data,” forcing it to revoke all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It also temporarily removed apps from its AppExchange.
ShinyHunters takes responsibility
“There is no indication that this issue was caused by any vulnerability in the Salesforce platform,” the announcement reads. “The activity appears to be related to the app’s external connection to Salesforce. We have notified known affected customers directly and will continue to provide updates as needed.”
Gainsight is a company that builds a “customer success” platform through which companies can manage and improve their post-sale relationships with customers (such as onboarding, adoption, retention or renewal).
The company also builds various apps and integrations, some of which run natively within Salesforce, while others connect via APIs.
At the same time, Bleeping Computer claims that the incident is actually a continuation of the August 2025 Salesloft breach.
This saw a group of criminals known as the “Scattered Lapsus$ Hunters” steal OAuth tokens that Salesloft used for its Drift AI chat integration with Salesforce, giving them direct API access to customers’ Salesforce data.
Using the stolen tokens, they gained access to around 760 Salesforce instances and exfiltrated 1.5 billion records, including passwords, AWS keys and Snowflake tokens.
Now, a member of the same group, ShinyHunters, told the publication that they broke into Gainsight using secrets stolen in the Salesloft incident.
Gainsight also confirmed this attack and said the criminals took business contact information such as names, company email addresses, phone numbers, regional/locality details, license information and support case content.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
