
Gainsight Salesforce Data Breach: Data Stolen from 200 Companies
Google confirmed that hackers stole Salesforce-stored data from more than 200 companies following the Gainsight Salesforce data breach. The incident emerged after Salesforce disclosed the theft of “certain customers’ Salesforce data,” which attackers accessed via apps published by Gainsight.
Scale and Exposure in the Gainsight Salesforce Data Breach
The breach originated from external app connections, not from vulnerabilities in the Salesforce platform. According to Austin Larsen, principal threat analyst of Google Threat Intelligence Group, the team is aware of over 200 affected Salesforce instances.
The hacking group Scattered Lapsus$ Hunters, which includes ShinyHunters, claimed responsibility for the attack in a public Telegram channel. The group said it targeted organizations such as Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
Google declined to comment on individual victims.
CrowdStrike stated its systems remain secure and confirmed the termination of a “suspicious insider.”
Verizon acknowledged an “unsubstantiated claim” by the attackers.
Malwarebytes and Thomson Reuters said they are actively investigating.
Docusign reported no sign of compromise after an internal review but terminated all Gainsight integrations as a precaution.
How Hackers Accessed Salesforce Accounts
Hackers told TechCrunch they gained access through a previous campaign involving Salesloft’s Drift, a marketing platform. Attackers stole authentication tokens from Salesloft customers and used them to penetrate linked Salesforce instances.
Gainsight confirmed it was affected in that earlier incident. The ShinyHunters spokesperson stated that Gainsight was “compromised entirely” due to being a Drift customer.
Salesforce commented that there is no evidence the breach resulted from any vulnerability within Salesforce itself.
Investigation Status and Incident Response
Gainsight is publishing ongoing updates. The company is working with Google’s incident response unit Mandiant for forensic analysis. Salesforce temporarily revoked active access tokens for Gainsight-connected applications while investigations proceed.
Gainsight emphasized that the incident originated from external application connections, not from the Salesforce platform.
Scattered Lapsus$ Hunters announced it will launch an extortion site targeting victims, similar to earlier efforts linked to the Salesloft breach.
Increasing Attack Sophistication
Scattered Lapsus$ Hunters, Scattered Spider, and Lapsus$ form a collective of English-speaking hackers skilled in social engineering. Their recent victims include major organizations such as MGM Resorts, Coinbase, and DoorDash. Their strategy focuses on manipulating employees to gain system access and extract data at scale.
The Gainsight Salesforce data breach underscores the rising risk in enterprise supply chains and integrations.
What safeguards should enterprises prioritize to prevent cascading supply chain breaches?



