Salesforce Customer Data Exposed via Gainsight Application Breach
Salesforce has detected unusual activity involving Gainsight-published applications connected to its platform, resulting in potential unauthorized access to certain customers' Salesforce data. The company responded by revoking all active access and refresh tokens associated with these applications and temporarily removing them from the AppExchange while the investigation is ongoing. Salesforce emphasized that the incident did not stem from a vulnerability in its core CRM platform, but rather from the external connection established by the Gainsight applications, which are managed directly by customers.
Impacted customers have been notified, and Salesforce has advised those needing further assistance to contact its support team. The breach follows the same pattern as the August 2025 Salesloft Drift incident, in which attackers abused stolen OAuth tokens issued to a third-party integration to pull data out of customer Salesforce instances. While the full scope of the Gainsight-related breach is still under investigation, the incident underlines the risk that comes with third-party integrations: a connected app's OAuth refresh token grants API access with that app's permissions and without the interactive login and MFA a human user would face, so external application connections to critical cloud services need to be inventoried, scoped to the minimum required permissions, and monitored.

How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Gainsight expands its list of impacted customers
By November 27, 2025, Gainsight disclosed that more customers were affected than initially reported. The update marked an escalation from earlier statements that had minimized the number of impacted organizations.
Gainsight CEO publicly downplays scope of customer data theft
On November 26, 2025, Gainsight CEO Chuck Ganapathi said only a handful of customers had data stolen, contrasting with outside estimates that more than 200 Salesforce instances may have been affected. The statement highlighted ongoing uncertainty over the breach's true scale.
Salesforce says only a handful of customers are confirmed impacted
On November 26, 2025, reporting on Salesforce's latest guidance said only a handful of customers were confirmed to have had data impacted so far, despite broader claims from the threat actor and outside researchers. The company continued to investigate the full scope of exposure.
Salesforce details wider supply-chain attack via Gainsight
By November 24, 2025, Salesforce and security reporting described the incident as a supply-chain attack carried out through Gainsight OAuth access to customer Salesforce instances. Mandiant was publicly identified as assisting with forensic investigation and hardening recommendations.
Salesforce and partners publish investigation guidance and IOCs
Around November 24-26, 2025, Salesforce and Gainsight released customer guidance and indicators of compromise, including suspicious IP addresses and user-agent details. Customers were advised to review logs, revoke and reauthorize tokens, and rotate potentially exposed credentials.
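The review-and-revoke guidance above, as an added example that is not code from Salesforce, Gainsight or this page: a small triage script that runs an IOC list over exported Salesforce login or API records and reports which sessions and users need follow-up. The IP addresses, user-agent strings, column names and log rows are constructed placeholders (the page does not reproduce the real indicators), and the attack window is the November 8 to November 23 span the timeline reports; substitute the vendor-published IOC list and your own LoginHistory or EventLogFile export.

```python
"""Triage exported Salesforce access records against published IOCs.

Added example, not from Salesforce, Gainsight or this page. IOC values,
column names and the rows in SAMPLE_CSV are constructed placeholders.
"""
import csv
import io
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Placeholder indicators (assumption: NOT the real published IOCs).
IOC_IPS = {"203.0.113.25", "198.51.100.77"}        # TEST-NET addresses
IOC_NETS = [ip_network("192.0.2.0/24")]            # example range
IOC_USER_AGENTS = ("python-requests/", "ExampleFetcher/1.0")  # constructed

# Attack window reported on this page (UTC assumed).
WINDOW_START = datetime(2025, 11, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 11, 23, 23, 59, 59, tzinfo=timezone.utc)

# Connected app whose tokens were revoked; name prefix is an assumption.
SUSPECT_APP_PREFIX = "Gainsight"

# Constructed export with simplified column names (assumption).
SAMPLE_CSV = """timestamp,user,connected_app,source_ip,user_agent,login_type
2025-11-05T09:12:00Z,admin@example.com,Gainsight NXT,203.0.113.25,python-requests/2.31,OAuth
2025-11-10T02:45:10Z,ops@example.com,Gainsight NXT,10.0.0.5,Gainsight-Connector/1.0,OAuth
2025-11-15T03:01:33Z,ops@example.com,Gainsight NXT,198.51.100.77,python-requests/2.31,OAuth
2025-11-18T17:22:41Z,svc@example.com,Other App,192.0.2.44,curl/8.0,OAuth
2025-11-19T08:00:00Z,jane@example.com,,172.16.4.9,Mozilla/5.0,Browser
"""


def parse_rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def ip_matches(ip):
    """True if the source IP is an exact IOC or falls inside an IOC range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return ip in IOC_IPS or any(addr in net for net in IOC_NETS)


def classify(row):
    """Return the reasons a row is suspicious; an empty list means clean."""
    reasons = []
    ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
    in_window = WINDOW_START <= ts <= WINDOW_END
    if ip_matches(row["source_ip"]):
        reasons.append("ioc_ip")
    if any(ua in row["user_agent"] for ua in IOC_USER_AGENTS):
        reasons.append("ioc_user_agent")
    # Any OAuth use by the revoked app inside the window is worth review even
    # without an IOC hit: the token itself is the compromised credential.
    if in_window and row["connected_app"].startswith(SUSPECT_APP_PREFIX):
        reasons.append("suspect_app_in_window")
    return reasons


def triage(text):
    """Map (timestamp, user) -> reasons for every suspicious row."""
    hits = {}
    for row in parse_rows(text):
        reasons = classify(row)
        if reasons:
            hits[(row["timestamp"], row["user"])] = reasons
    return hits


def affected_users(hits):
    """Users whose sessions matched; candidates for token revocation and credential rotation."""
    return sorted({user for (_, user) in hits})


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for (ts, user), reasons in sorted(result.items()):
        print(ts, user, ", ".join(reasons))
    print("revoke and rotate for:", affected_users(result))
```

Note that the first sample row matches an IOC IP and user agent before the reported window begins; the reported window is the investigation's current lower bound, not a filter, so hits outside it still deserve review. For the revoke step, a Salesforce admin can revoke tokens per app from Setup under Connected Apps OAuth Usage, and the standard `/services/oauth2/revoke` endpoint invalidates an individual access or refresh token.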
Gainsight confirms an active investigation into suspicious activity
On November 23, 2025, Gainsight confirmed it was actively investigating suspicious activity involving its Salesforce-integrated applications. The company worked with Salesforce and Mandiant as the scope and customer impact were assessed.
Gainsight disables other integrations as a precaution
During the response, Gainsight also pulled its app from the HubSpot Marketplace and revoked connector access for services such as Zendesk, with some reports also mentioning Gong.io. These steps were taken to limit further abuse of connected SaaS integrations.
Threat reporting links the incident to ShinyHunters
By November 20, 2025, multiple reports attributed the campaign to ShinyHunters, also described in some coverage as overlapping with UNC6395 or Scattered Lapsus$ Hunters. The group claimed responsibility and tied the activity to earlier third-party Salesforce ecosystem compromises.
Gainsight acknowledges Salesforce connector failures
On November 20, 2025, Gainsight reported connection failures affecting its Salesforce connector. The disruption aligned with Salesforce's containment actions and signaled that the vendor was actively responding to the incident.
Salesforce issues public security advisory on Gainsight activity
Salesforce published a security advisory about unusual activity related to Gainsight applications and warned customers to review connected apps and credentials. The advisory formalized the incident publicly after direct customer notifications had begun.
Salesforce revokes Gainsight tokens and removes apps from AppExchange
As a containment step on November 19, 2025, Salesforce revoked all active access and refresh tokens associated with Gainsight applications and temporarily removed those apps from AppExchange. This cut off affected third-party integrations while the investigation proceeded.
Salesforce detects unusual API activity tied to Gainsight apps
On November 19, 2025, Salesforce detected unusual activity and suspicious API calls involving Gainsight-published applications connected to customer Salesforce environments. The company said affected customers were being notified and that there was no evidence of a vulnerability in the core Salesforce platform.
Attack activity expands across VPN, Tor, and AWS infrastructure
Salesforce later traced additional malicious activity between November 16 and November 23 to commercial VPNs, Tor exit nodes, and AWS infrastructure. The infrastructure and tradecraft were linked by multiple reports to ShinyHunters or related clusters.
Unauthorized access to Gainsight-linked Salesforce apps begins
Salesforce later said indicators of compromise showed unauthorized access tied to Gainsight-published applications began as early as November 8, 2025. The activity involved abuse of OAuth-connected third-party integrations rather than a flaw in Salesforce itself.
Sources
Story of Cyberattack: Salesforce Supply Chain Breach (secpod.com)
Gainsight Expands Impacted Customer List Following Salesforce Security Alert (thehackernews.com)
Gainsight CEO downplays breach, says only a 'handful' of customers had data stolen (go.theregister.com)
Gainsight breach: Salesforce details attack window, issues investigation guidance (helpnetsecurity.com)
Salesforce investigates new incident echoing Salesloft Drift compromise (helpnetsecurity.com)
Security Advisory: Salesforce Gainsight Incident (securityboulevard.com)
Salesforce investigates customer data theft via Gainsight breach (bleepingcomputer.com)
ShinyHunters Hack Salesforce Instances Via Gainsight Apps (govinfosecurity.com)