Google Confirms Mass Hack of 200+ Companies After Gainsight Breach

A sophisticated supply chain cyberattack has compromised Salesforce customer data from more than 200 organizations after hackers exploited integrations with the customer success platform Gainsight. Attackers stole OAuth tokens during the September 2025 compromise of Salesloft’s Drift platform, and they later used those tokens to break into Gainsight systems and, from there, into connected Salesforce environments.

Salesforce acknowledged detecting unusual activity involving Gainsight applications distributed through its AppExchange marketplace. The company emphasized that there was no indication the incident arose from a flaw in the Salesforce platform itself. As a precaution, Salesforce revoked all active access and refresh tokens associated with Gainsight applications, removed the apps from AppExchange and began notifying affected customers.

Google’s threat intelligence division, working with Mandiant on forensic analysis, reported that more than 200 Salesforce instances may have been affected. The hacking group calling itself Scattered Lapsus Hunters, which includes members of ShinyHunters, claimed responsibility and said it had fully compromised Gainsight after exploiting its earlier exposure in the Salesloft Drift breach. The group also stated it intends to launch an extortion website if demands are not met.

[Image: ShinyHunters profile on the Dark Web]

The intrusion began in September 2025 when attackers penetrated the Salesloft Drift ecosystem and stole authentication tokens belonging to customer accounts. These credentials enabled unauthorized access to Salesforce environments. Gainsight, which relied on Drift services, was subsequently breached. Through Gainsight’s elevated Salesforce integration permissions, attackers extracted customer data, communications and operational information. Investigators say the methods involved token abuse and trusted application links rather than any direct vulnerability within Salesforce itself.
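The pattern described above, a trusted integration's token being replayed from somewhere the integration never operates from and then used for bulk data pulls, is what a defender's audit has to catch, and the response Salesforce took (revoking every access and refresh token tied to the app) is the corresponding containment step. The following is an added example, not code from the article, Salesforce or Gainsight: it runs a simple check over a constructed OAuth-grant inventory and constructed audit-log lines. The app names, IP addresses, log format, scope names and the `KNOWN_EGRESS` and `ROW_THRESHOLD` values are all assumptions made for illustration; a real tenant would feed its own connected-app login and API audit data into the same logic.

```python
"""
Added example (not from the article or from Salesforce/Gainsight): audit a
constructed inventory of third-party OAuth grants and constructed integration
audit-log lines, flag token use that breaks the integration's normal pattern,
and revoke every token (access and refresh) held by a suspect connected app.
Every name, address and format below is constructed for illustration.
"""
from datetime import datetime

# Constructed inventory of OAuth grants held by connected apps. The fields
# (app, token_id, kind, scopes) are assumptions about what such an inventory records.
GRANTS = [
    {"app": "cs-platform", "token_id": "t-001", "kind": "refresh",
     "scopes": {"api", "refresh_token", "full"}},
    {"app": "cs-platform", "token_id": "t-002", "kind": "access",
     "scopes": {"api", "full"}},
    {"app": "chat-widget", "token_id": "t-003", "kind": "refresh",
     "scopes": {"api", "refresh_token"}},
]

# Constructed audit-log lines: timestamp, connected app, source IP, API action, rows returned.
LOG_LINES = """\
2025-11-18T09:00:00Z cs-platform 203.0.113.10 query 120
2025-11-18T09:05:00Z cs-platform 203.0.113.10 query 95
2025-11-18T10:00:00Z chat-widget 198.51.100.7 query 10
2025-11-19T02:13:00Z cs-platform 192.0.2.55 query 48000
2025-11-19T02:14:00Z cs-platform 192.0.2.55 query 51000
2025-11-19T02:15:00Z cs-platform 192.0.2.55 export 52000
"""

# Assumed baseline: the egress addresses each integration is known to call from.
KNOWN_EGRESS = {"cs-platform": {"203.0.113.10"}, "chat-widget": {"198.51.100.7"}}
ROW_THRESHOLD = 10000  # assumed per-call row count above which a pull counts as bulk


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, app, ip, action, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "app": app, "ip": ip, "action": action, "rows": int(rows),
        })
    return events


def find_suspicious(events, known_egress, row_threshold=ROW_THRESHOLD):
    """Flag integration activity from an IP outside the app's known egress set,
    or returning an unusually large number of rows in a single call.
    Returns (app, ip, action, reasons) tuples in log order."""
    findings = []
    for e in events:
        reasons = []
        if e["ip"] not in known_egress.get(e["app"], set()):
            reasons.append("unknown source IP")
        if e["rows"] >= row_threshold:
            reasons.append("bulk data pull")
        if reasons:
            findings.append((e["app"], e["ip"], e["action"], reasons))
    return findings


def revoke_app_tokens(grants, app):
    """Return the token ids to revoke for the app and the grants that remain.
    Refresh tokens are revoked together with access tokens: a stolen refresh
    token keeps minting fresh access tokens long after the original expires."""
    revoked = [g["token_id"] for g in grants if g["app"] == app]
    remaining = [g for g in grants if g["app"] != app]
    return revoked, remaining


def overprivileged(grants):
    """Apps whose grant carries the broad 'full' scope, the kind of elevated
    integration permission that turns one stolen token into tenant-wide access."""
    return sorted({g["app"] for g in grants if "full" in g["scopes"]})


if __name__ == "__main__":
    grants = GRANTS
    findings = find_suspicious(parse_log(LOG_LINES), KNOWN_EGRESS)
    for f in findings:
        print("suspicious:", f)
    for app in sorted({f[0] for f in findings}):
        revoked, grants = revoke_app_tokens(grants, app)
        print(f"revoked {len(revoked)} token(s) for {app}: {revoked}")
    print("apps still holding 'full' scope:", overprivileged(grants))
```

Run as a script, the three constructed events from the unknown address are flagged, both tokens for the offending app are revoked, and the remaining grant inventory is checked for any other app still holding the broad `full` scope; that last check is the review worth doing before re-enabling any connector, since narrowing scopes limits what the next stolen token can reach.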

The attackers listed Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters and Verizon among potential victims. Some of these firms denied any impact while others said investigations were ongoing.

Gainsight later stated that its latest internal review identified only three compromised organizations. Salesforce revoked the tokens, removed the associated applications and notified all potentially affected customers, while reaffirming that the core platform remained uncompromised.

Gainsight has hired Mandiant, rotated all integration keys, invalidated authentication tokens and reinforced its APIs. The company confirmed the breach originated from an external connection rather than a flaw in its own infrastructure, and described the events as follows:

On November 20, 2025, Salesforce disabled the connection between Gainsight-published applications and Salesforce. Customers will not be able to connect their Gainsight-published applications until further notice.

There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.

As our continuous threat monitoring progresses, we are committed to keeping you informed with the latest updates.

Some affected companies have taken additional steps. CrowdStrike stated it was not impacted but removed an insider with access to related tools. DocuSign reported no compromise but disabled related integrations while confirming that further monitoring was underway. Other firms continue to assess the situation.

This marks the second significant third-party breach affecting Salesforce customers in 2025, following the Salesloft Drift incident in August that impacted several major technology companies. The incident reinforces concerns about the risks associated with trusted software connectors in cloud ecosystems.