On Wednesday, Salesforce announced it is looking into a security incident that exposed some customers’ Salesforce data, which was accessed via applications developed by Gainsight—a company that provides customer management platforms for businesses.
In a statement released late Wednesday, Salesforce explained that the breaches are linked to “applications published by Gainsight that are connected to Salesforce and are installed and managed by customers themselves.”
Salesforce emphasized that there is “no evidence suggesting this issue was caused by any flaw in the Salesforce platform itself,” and indicated the incident seems to be associated with Gainsight’s “external integration with Salesforce.”
When asked for a statement, Salesforce representative Nicole Aranda directed TechCrunch to the company’s incident information page.
At the time of writing, Gainsight’s status page stated it is looking into a “Salesforce connection issue,” but did not mention a breach. “Our internal review is still underway,” Gainsight noted.
A Gainsight spokesperson did not immediately reply to TechCrunch’s inquiry for comment.
Gainsight’s website lists several major business clients, such as Airtable, Notion, GitLab, and more. When contacted by email, GitLab spokesperson Emily James told TechCrunch that their “security team is reviewing the situation and will provide updates when available.”
The well-known hacking group ShinyHunters informed cybersecurity news outlet DataBreaches.net that they were responsible for the breach, and warned that if Salesforce does not negotiate, they will launch a new site to publicize the stolen information—a typical extortion method used by financially driven hackers.
“The upcoming [data leak site] will feature information from the Salesloft and GainSight incidents,” the hackers told DataBreaches.net, claiming to have obtained data from nearly a thousand organizations.
This breach resembles an incident in August involving Salesloft, an AI marketing chatbot provider, where attackers accessed multiple customers’ Salesforce accounts to steal sensitive information, including access tokens for other platforms. Victims included Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, Workday, and others.
For the Salesloft breaches, the group Scattered Lapsus$ Hunters—which reportedly includes ShinyHunters—claimed responsibility.
Last month, the hackers set up a dedicated website to pressure victims, threatening to release a billion records if their demands were not met.
At that time, Gainsight confirmed it was affected by the Salesloft-related breaches, but it remains uncertain whether this latest attack is connected to the previous compromise.

