
Salesforce says hackers accessed some customers’ data through Gainsight-connected applications, prompting an ongoing investigation into how attackers reached systems tied to the customer-success platform. The company said the activity does not stem from a flaw in Salesforce itself and appears to involve Gainsight’s external connection, which some customers use to integrate Gainsight’s tools with their Salesforce environments.
Salesforce Describes the Scope of the Incident
In a notice published late Wednesday, Salesforce said the breach involves “Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.” Salesforce spokesperson Nicole Aranda referred TechCrunch to the company’s incident page and did not provide additional information.
Gainsight Responds and Customer Investigations Begin
Gainsight, on its status page, said it is investigating a “Salesforce connection issue” and did not reference a security incident. The company wrote that its internal investigation is ongoing. A spokesperson did not immediately respond to TechCrunch’s request for comment. Gainsight lists customers such as Airtable, Notion, and GitLab on its website. GitLab spokesperson Emily James said the company’s security team is conducting its own investigation and will share more details when available.
ShinyHunters Claims Responsibility
ShinyHunters, a financially motivated hacking group, told DataBreaches.net that it carried out the intrusion. The group warned that it would set up a new website to advertise the stolen data if Salesforce does not negotiate. According to the hackers, the next data leak site “will contain the data of the Salesloft and GainSight campaigns,” and they claim to have taken data from close to a thousand companies.
Similarities to the Salesloft Breach
The method resembles an August incident at Salesloft, an AI marketing chatbot provider. In that case, attackers accessed the Salesforce environments of several Salesloft customers and obtained sensitive information that included access tokens used to log in to other services. The list of affected organizations in that breach included Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, Workday, and others. Scattered Lapsus$ Hunters, a group that appears to include members of ShinyHunters, said it was responsible.
Last month, the hackers behind the Salesloft attacks launched an extortion website threatening to leak one billion records unless victims responded. Gainsight previously confirmed that it was affected in that earlier wave of Salesloft-related breaches, but it is not yet clear whether the current activity stems from that earlier compromise.
