- Google Threat Intelligence Group says Gainsight breach may have affected more than 200 Salesforce instances
- The attack stems from the August 2025 Salesloft breach, where scattered Lapsus$ hunters stole and abused OAuth tokens.
- SHL claims victims include Atlassian, CrowdStrike, LinkedIn and others, although none have confirmed the compromise
Security experts at Google believe that the recent Gainsight breach may have left more than 200 companies and the data they stored through Salesforce compromised.
Salesforce recently confirmed seeing “unusual activity” involving apps published by Gainsight connected to its systems. At the time, it said that some of the apps may have allowed unauthorized access to certain customers’ Salesforce data,” forcing it to revoke all active access and refresh tokens associated with Gainsight-published apps connected to Salesforce, and to temporarily remove the apps from its AppExchange.
Media discovered that the attack was a result of the Salesloft breach in August 2025. A group of criminals, known as “Scattered Lapsus$ Hunters” (SLH), stole OAuth tokens that Salesloft used for its Drift AI chat integration with Salesforce, giving them direct API access to customers’ Salesforce data. Among this data were also the Gainsight files, which led to today’s attack.
Scattered Lapsus Hunters
Now, Austin Larsen, principal threat analyst at Google’s Threat Intelligence Group, said TechCrunch the company “is aware of more than 200 potentially affected Salesforce instances.”
The publication contacted the group via Telegram, which claimed responsibility for the attack, saying it affects Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson PakGazette and Verizon.
TechCrunch contacted most of the companies on SHL’s list and, while some did not respond, others simply said they were investigating the claims. Neither confirmed the rape, but neither did they outright deny it, only stating that there is currently no evidence to support the claim.
Like the Salesloft attack, the Gainsight incident has little to do with Salesforce, which has stated that “there is no indication that this issue was the result of any vulnerability in the Salesforce platform.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
