News

Salesforce: Some Customer Data Accessed via Gainsight Breach

  • Jeffrey Burt--securityboulevard.com
  • published date: 2025-11-22 00:00:00 UTC


<p>The highly publicized data breaches of Salesforce customers earlier this fall, which were linked to Salesloft’s Drift application, are coming back to haunt the cloud services giant.</p><p>Salesforce executives <a href="https://status.salesforce.com/generalmessages/20000233" target="_blank" rel="noopener">reported</a> late this week that they had identified “unusual activity” connected to applications published by Gainsight – whose platform helps companies manage their customer relationships – that are connected to Salesforce and installed and managed directly by customers.</p><p>“Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” they wrote in a notice.</p><p>At the time of the <a href="https://securityboulevard.com/2025/09/unc6395-hackers-accessed-systems-via-a-github-account-salesloft-says/" target="_blank" rel="noopener">Salesloft-related breaches</a>, Gainsight confirmed that it was one of the companies compromised by the <a href="https://securityboulevard.com/2025/09/unc6395-hackers-accessed-systems-via-a-github-account-salesloft-says/" target="_blank" rel="noopener">Salesloft-related campaign</a>, in which the threat group ShinyHunters used stolen OAuth tokens for the Drift chatbot application, which was integrated with Salesforce.</p><p><a href="https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift" target="_blank" rel="noopener">Starting in August</a>, the bad actors were able to steal sensitive information, such as passwords, Snowflake tokens, and Amazon Web Services (AWS) access keys, from Salesforce customers’ instances.</p><h3>‘Like a Russian Nesting Doll’</h3><p>“This is like a Russian nesting doll: Salesloft gets breached, which exposes Gainsight, which compromises 200-plus Salesforce customers,” said Denis Calderone, co-founder, chief operating officer, and chief revenue officer for AI solutions and 
cybersecurity company Suzu Labs. “You might know you’re using Gainsight, but do you know Gainsight integrates with Salesloft? That visibility gap is where these cascading breaches live. We’ve been warning clients about this scenario for years, that the SaaS integration trust chain is almost always longer and more complex than anyone realizes.”</p><p>Ferhat Dikbiyik, chief research and intelligence officer at security firm Black Kite, echoed Calderone, noting that during the Salesloft Drift campaign Gainsight had responded by disconnecting the Drift app and confirming that only data at the customer relationship management (CRM) layer – including business contact information and some Salesforce case text – had been accessed.</p><p>“Fast-forward to today, and we’re seeing the same playbook again: OAuth tokens + over-permissioned apps + integrated vendors = a perfect attack chain,” Dikbiyik said. “This isn’t about one vendor or one platform. This is about how modern SaaS ecosystems operate: wide, connected, and often over-trusted.”</p><h3>Hundreds of Salesforce Users Affected</h3><p>Obsidian Security analysts wrote that more than 700 companies were impacted by the Salesloft campaign, and <a href="https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/" target="_blank" rel="noopener">almost another 300</a> reportedly have been hit through the Gainsight supply chain attack.</p><p>In its notice, Salesforce said that once the malicious activity was detected, it revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed the applications from its AppExchange cloud marketplace while the investigation into the incident continues.</p><p>“There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the vendor wrote, adding that it has notified the known customers that have been affected. 
“The activity appears to be related to the app’s external connection to Salesforce.”</p><h3>Gainsight Yanks App from HubSpot</h3><p>For its part, Gainsight said Google’s Mandiant unit is helping with the investigation, adding that its app has been <a href="https://status.gainsight.com/incidents/gvng0kly8vwf" target="_blank" rel="noopener">pulled temporarily from the HubSpot Marketplace</a> and its Zendesk connector access has been revoked. The decision to pull the app from HubSpot was a “precautionary measure. This may also impact OAuth access for customer connections while the review is taking place. We will work with HubSpot on re-listing after thorough review.<br>No suspicious activity related to HubSpot has been observed at this point.”</p><p>Austin Larsen, principal threat analyst for Google Threat Intelligence Group (GTIG), wrote in a <a href="https://www.linkedin.com/in/austin-larsen/recent-activity/all/" target="_blank" rel="noopener">LinkedIn post</a> that the unit had “observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances. … Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations. 
We saw this recently with the campaign targeting Salesloft Drift, and we are seeing it again now.”</p><h3>ShinyHunters Threatens More</h3><p>DataBreaches.net <a href="https://databreaches.net/2025/11/20/threat-actors-have-reportedly-launched-yet-another-campaign-involving-an-application-connected-to-salesforce/" target="_blank" rel="noopener">communicated with a spokesperson</a> for ShinyHunters, who confirmed the threat group was responsible for the Gainsight campaign and said that “it’s unfortunate that this is probably the 3rd or 4th large-scale campaign against Salesforce by the same group again.”</p><p>The spokesperson also said the group plans to launch another dedicated leak site if Salesforce doesn’t comply with the demands it has given the company.</p><p>DataBreaches.net wrote that the spokesperson said “The next DLS will contain the data of the Salesloft and Gainsight campaigns, which is, in total, almost 1000 organisations. Only actual companies, mainly Fortune 500 will be listed or things I feel would be worth it. From the Gainsight campaign the large companies were: Verizon, Gitlab, F5, Sonicwall, and others.”</p><h3>A Long Tail</h3><p>Defenders need to understand that the Gainsight campaign shows how easily one campaign can lead to others, according to cybersecurity pros.</p><p>“This incident demonstrates how long the tail of a supply-chain vulnerability can be,” said John Carberry, chief marketing officer and “solution sleuth” at cybersecurity firm Xcape. “Technically, Salesforce did the right thing by removing all Gainsight-related tokens and removing the apps from the AppExchange, but for customers, this highlights an unsettling reality. Even if the core platform isn’t vulnerable, over-privileged third-party apps can still gain access to your CRM crown jewels.”</p><p>Lydia Zhang, co-founder and president of Ridge Security Technology, said that “the message for defenders is that patching the initially ‘broken’ door isn’t enough. 
You must thoroughly inspect every part of your environment to ensure the attackers cannot reuse access from a prior breach to open new doors.”</p>