- Google Threat Intelligence Group Says Gainsight Breach May Have Impacted More Than 200 Salesforce Instances
- The attack stems from the August 2025 Salesloft breach, in which OAuth tokens were stolen and misused by Scattered Lapsus$ Hunters.
- SLH says victims include Atlassian, CrowdStrike, LinkedIn and others, although none have confirmed compromise.
Google security experts estimate that the recent Gainsight breach may have compromised more than 200 companies and the data they stored through Salesforce.
Salesforce recently confirmed that it had observed “unusual activity” involving applications published by Gainsight and connected to its systems. At the time, the company said “some apps may have allowed unauthorized access to some customers’ Salesforce data,” which required it to revoke all active access and refresh tokens associated with apps published by Gainsight and connected to Salesforce, and to temporarily remove the apps from its AppExchange.
Media reports found that the attack was the result of the Salesloft breach in August 2025. A group of criminals known as “Scattered Lapsus$ Hunters” (SLH) stole the OAuth tokens used by Salesloft for its Drift AI chat integration with Salesforce, which gave them direct API access to customers’ Salesforce data. This data also included the Gainsight files, which led to today’s attack.
Scattered Lapsus$ Hunters
Austin Larsen, principal threat analyst at Google’s Threat Intelligence Group, told TechCrunch the company “is aware of more than 200 potentially affected Salesforce instances.”
The publication contacted the group via Telegram. The group took responsibility for the attack and said it affected Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters and Verizon.
TechCrunch contacted most of the companies on SLH’s list and, while some did not respond, others simply said they were investigating the allegations. None have confirmed a breach, but none have categorically denied it either, stating only that there is currently no evidence to support the claim.
Much like the Salesloft attack, the Gainsight incident has little to do with Salesforce, which said there was “no indication that this issue resulted from a vulnerability in the Salesforce platform.”




