
Gainsight Breach: Supply Chain Attack on Salesforce

  • Writer: Ranjith Manne
  • Jan 27
  • 3 min read

In November 2025, a major security incident involved Salesforce, the widely used Customer Relationship Management (CRM) platform businesses rely on to manage sales and customer data, and Gainsight, a customer-success platform that companies connect to Salesforce so the two can share data. On November 19, 2025, Salesforce security teams detected unusual activity originating from Gainsight-published applications connected to customers' Salesforce environments.

It turned out to be a serious supply chain attack. Salesforce initially identified a small number of affected organizations, but the scope grew quickly: the Google Threat Intelligence Group reported being aware of more than 200 Salesforce instances that were potentially affected. The threat actors have claimed far more, suggesting that, combined with a related earlier breach, nearly 1,000 organizations, including Fortune 500 companies, may be involved.



How did it happen?

The attack was technically clever because it did not involve breaking into Salesforce directly. Instead, the attackers used a credential Salesforce already trusted. When a company connects Gainsight to Salesforce, the integration authenticates with OAuth tokens (access and refresh tokens) that let the app call Salesforce APIs without a user password on every request. The attackers, a group calling itself Scattered LAPSUS$ Hunters (formed from members of ShinyHunters, Scattered Spider and Lapsus$), managed to steal these tokens.

The group claims it broke into Gainsight's systems about three months earlier by exploiting the fallout of a previous compromise at Salesloft Drift, a service Gainsight itself used. Once inside Gainsight's environment, they located and exfiltrated valid OAuth tokens. Holding a valid token, an attacker can impersonate the legitimate Gainsight application: no login screen is involved, the token is presented directly to the Salesforce API, and whatever data the app was authorized to read can be read and exported without attacking Salesforce itself. What the token could reach was bounded only by the OAuth scopes and user permissions granted to the integration, which is why an over-privileged connected app turns a vendor compromise into a customer data breach.


How did it become known?

The incident became public through quick notices from the companies and claims by the attackers. Salesforce announced the problem first, posting a security advisory on its public Trust page and contacting affected customers directly. At the same time, Gainsight posted updates on its own status page explaining why customers' Salesforce connections had suddenly stopped working.

Beyond these official notices, Mandiant and Google Threat Intelligence stepped in to establish the scope of the damage. The story spread quickly because Scattered LAPSUS$ Hunters were also talking: they confirmed their involvement to reporters and said they planned to launch a dedicated website listing data stolen in both the Gainsight attack and the earlier campaign. Threatening public release of stolen data is a standard extortion tactic for this group.


What is the Impact?

The consequences of this breach were immediate and two-sided. First, data exposure: because the attackers held valid tokens, they could read sensitive business information stored in Salesforce, such as customer names, email addresses, phone numbers and support case details. Some major companies, CrowdStrike among them, appeared on the attackers' lists but stated that their customer data was not compromised in this way.

Second, significant operational disruption. To contain the incident, Salesforce took the drastic step of revoking the OAuth tokens issued to Gainsight apps and temporarily removing Gainsight from the AppExchange marketplace. For many companies, Gainsight simply stopped talking to Salesforce, breaking workflows and data syncs. As a ripple effect, other major vendors, including HubSpot, Zendesk and Gong.io, also disabled their Gainsight integrations as a precaution, widening the disruption for IT teams everywhere.


What are the Preventive Measures?

After the attack, both the companies involved and their customers had to take strict defensive steps. Salesforce cut off the attackers immediately by revoking the compromised tokens. Gainsight brought in forensic investigators and instructed its own customers to rotate specific credentials, the S3 keys used to retrieve logs.

For other companies watching this develop, the lesson is clear. Security experts urge organizations to audit the Connected Apps list in Salesforce to see exactly which integrations hold access to their data, and to rotate credentials for any integration that looks suspicious. Integrations should follow the principle of least privilege: grant an app only the OAuth scopes and user permissions it actually needs to do its job. Finally, enforce IP restrictions on connected apps, so that even a valid token can only be used from the vendor's trusted addresses and not from an attacker's machine. Because a stolen token otherwise looks identical to the legitimate app, successful logins for an integration arriving from unexpected source addresses are the signal worth hunting for in login history.
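The checks described above, and the token-impersonation problem from the "How did it happen?" section, as an added example that is not code from the original post, Salesforce or Gainsight: a Python script that audits connected-app policies for over-broad scopes and relaxed IP restrictions, then scans login-history-style rows for successful use of an integration's token from outside the vendor's trusted address ranges. The field names, app names, TEST-NET addresses and records are constructed for illustration and only loosely mirror Salesforce's Connected App settings and LoginHistory object; they are assumptions, not that schema.

```python
"""Audit connected-app policies and spot OAuth token use from untrusted IPs.

Added example, not code from Salesforce, Gainsight or the post's author.
Field names, scope names and every record below are constructed for
illustration; they are modelled loosely on Connected App policies and
LoginHistory rows but are not an exact copy of either schema.
"""
import ipaddress
from dataclasses import dataclass, field

# Scopes that hand an integration far more than a data sync needs.
# "api" plus "refresh_token" is the usual floor for a server-to-server app.
OVERBROAD_SCOPES = {"full", "web"}


@dataclass
class ConnectedApp:
    name: str
    scopes: set
    relax_ip_restrictions: bool                          # "relax IP restrictions" policy on
    trusted_ranges: list = field(default_factory=list)   # CIDRs the vendor publishes


@dataclass
class ApiLogin:
    application: str   # connected app the token belongs to
    source_ip: str
    status: str        # "Success" or a failure reason


def audit_app(app: ConnectedApp) -> list:
    """Least-privilege and IP-restriction checks for one connected app."""
    findings = []
    broad = sorted(app.scopes & OVERBROAD_SCOPES)
    if broad:
        findings.append(f"{app.name}: over-broad scope(s) {broad}; trim to what the sync needs")
    if app.relax_ip_restrictions:
        findings.append(f"{app.name}: IP restrictions relaxed; a stolen token works from any network")
    elif not app.trusted_ranges:
        findings.append(f"{app.name}: IP restrictions enforced but no trusted ranges configured")
    return findings


def logins_outside_trusted_ranges(app: ConnectedApp, logins: list) -> list:
    """Successful logins by this app's token from outside the vendor's ranges.

    A valid OAuth token replayed from an attacker's machine looks exactly like
    the legitimate app except for the source address, so that is the signal.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in app.trusted_ranges]
    suspicious = []
    for login in logins:
        if login.application != app.name or login.status != "Success":
            continue
        addr = ipaddress.ip_address(login.source_ip)
        if not any(addr in net for net in nets):
            suspicious.append(login)
    return suspicious


# Constructed sample data: hypothetical app names, TEST-NET addresses.
WEAK_APP = ConnectedApp(
    name="CS Sync (hypothetical)",
    scopes={"api", "refresh_token", "full"},
    relax_ip_restrictions=True,
)
HARDENED_APP = ConnectedApp(
    name="CS Sync hardened (hypothetical)",
    scopes={"api", "refresh_token"},
    relax_ip_restrictions=False,
    trusted_ranges=["203.0.113.0/24"],
)
SAMPLE_LOGINS = [
    ApiLogin("CS Sync hardened (hypothetical)", "203.0.113.7", "Success"),     # vendor range
    ApiLogin("CS Sync hardened (hypothetical)", "198.51.100.42", "Success"),   # not the vendor
    ApiLogin("CS Sync hardened (hypothetical)", "198.51.100.43", "Failed: IP restricted"),
    ApiLogin("Some other app", "198.51.100.42", "Success"),                    # different app
]


def run_audit() -> dict:
    """Run both checks over the sample data and return a summary."""
    return {
        "weak_app_findings": audit_app(WEAK_APP),
        "hardened_app_findings": audit_app(HARDENED_APP),
        "suspicious_ips": [l.source_ip for l in
                           logins_outside_trusted_ranges(HARDENED_APP, SAMPLE_LOGINS)],
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

On the sample data the weak app produces two findings (over-broad scope and relaxed IP restrictions), the hardened app produces none, and the only flagged login is the successful one from 198.51.100.42: the failed attempt is already blocked by the IP policy and the other app's login is out of scope. In a real review the login rows would come from the org's login history export and the trusted ranges from the vendor's published addresses.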

 
