- Gainsight Apps Allowed Unauthorized Access to Salesforce Data, Leading to Token Revocation and AppExchange Removal
- Incident linked to August 2025 Salesloft breach where OAuth tokens exposed 1.5 billion records
- ShinyHunters used stolen secrets to steal license and contact data from Gainsight customers
The Salesloft Drift incident appears to have reached Gainsight, causing hundreds more organizations to potentially lose their sensitive data to hackers.
Salesforce has confirmed that it saw “unusual activity” involving apps published by Gainsight connected to Salesforce.
Salesforce says some of these apps “may have allowed unauthorized access to certain customers’ Salesforce data,” forcing it to revoke all active access and refresh the token associated with Gainsight-published apps connected to Salesforce. Additionally, it temporarily removed apps from its AppExchange.
ShinyHunters claims responsibility
“There is no indication that this issue is due to any vulnerability in the Salesforce platform,” the announcement reads. “The activity appears to be related to the app’s external connection to Salesforce. We have notified known affected customers directly and will continue to provide updates as appropriate.”
Gainsight is a company that creates a “customer success” platform through which companies can manage and improve their post-sales customer relationships (such as onboarding, adoption, retention or renewal).
The company also creates different applications and integrations, some of which run natively within Salesforce, while others connect via APIs.
At the same time, beepcomputer claims that the incident is actually a continuation of the August 2025 Salesloft breach.
This saw a group of criminals known as “Scattered Lapsus$ Hunters” steal OAuth tokens that Salesloft used for its Drift AI chat integration with Salesforce, giving them direct API access to customers’ Salesforce data.
Using the stolen tokens, they accessed around 760 Salesforce instances and exfiltrated 1.5 billion records, including passwords, AWS keys, and Snowflake tokens.
Now, a member of that same group, ShinyHunters, told the publication that they broke into Gainsight using secrets stolen in the Salesloft incident.
Gainsight also confirmed that attack and said the bad actors took business contact data such as names, business email addresses, phone numbers, regional/location details, license information, and support case content.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
