Google security experts say Gainsight hacks may have left hundreds of companies affected

1. Pro
2. Security

Google security experts say Gainsight hacks may have left hundreds of companies affected News By Sead Fadilpašić published 24 November 2025

The attack on Gainsight-published applications connected to Salesforce is quite big

Comments (0) ()

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: Thapana Onphalai via Getty Images)

• Google Threat Intelligence Group says the Gainsight breach may have impacted 200+ Salesforce instances
• Attack stems from the August 2025 Salesloft breach, where OAuth tokens were stolen and abused by Scattered Lapsus$ Hunters
• SHL claims victims include Atlassian, CrowdStrike, LinkedIn, and others, though none have confirmed compromise

Google’s security experts believe the recent Gainsight breach may have left more than 200 companies, and the data they stored through Salesforce, compromised.

Salesforce recently confirmed seeing “unusual activity” involving Gainsight-published applications connected to its systems. At the time, it said some of the apps may have enabled unauthorized access to certain customers’ Salesforce data”, which forced it to revoke all active access and refresh token associated with Gainsight-published applications connected to Salesforce, and to temporarily remove the apps from its AppExchange.

• Amazon Black Friday deals are live: here are our picks!

The media discovered that the attack was the result of the August 2025 Salesloft breach. A group of criminals, known as "Scattered Lapsus$ Hunters" (SLH), stole OAuth tokens Salesloft used for its Drift AI chat integration with Salesforce, which gave them direct API access to customers’ Salesforce data. Among this data were Gainsight’s files as well, which led to today’s attack.

You may like

• Hackers claim to have stolen over a billion Salesforce records - and are demanding nearly $1 billion not to leak them
• Hackers claim they stole 1.5 billion Salesforce records from hundreds of companies in major hack - but are they telling the truth?
• Palo Alto Networks becomes the latest to confirm it was hit by Salesloft Drift attack

Scattered Lapsus Hunters

Now, Austin Larsen, the Principal Threat Analyst with Google’s Threat Intelligence Group, told TechCrunch the company “is aware of more than 200 potentially affected Salesforce instances."

The publication made contact with the group via Telegram, which took responsibility for the attack, and said that it affects Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

TechCrunch reached out to most of the companies on SHL’s list, and while some did not reply, others simply said they were investigating the claims. None confirmed the breach, but they also did not outright deny it, only stating that there is currently no evidence to support the argument.

Just like the Salesloft attack, the Gainsight incident has little to do with Salesforce, which has stated there is “no indication that this issue resulted from any vulnerability in the Salesforce platform”.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.The best antivirus for all budgetsOur top picks, based on real-world testing and comparisons

➡️ Read our full guide to the best antivirus1. Best overall:Bitdefender Total Security2. Best for families:Norton 360 with LifeLock3. Best for mobile:McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS Salesforce Sead FadilpašićSocial Links Navigation

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more Hackers claim to have stolen over a billion Salesforce records - and are demanding nearly $1 billion not to leak them    Hackers claim they stole 1.5 billion Salesforce records from hundreds of companies in major hack - but are they telling the truth?    Palo Alto Networks becomes the latest to confirm it was hit by Salesloft Drift attack    Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks    Zscaler says it suffered data breach following Salesloft Drift compromise    Reports claim billions of Gmail accounts could be vulnerable after data breach - but Google says that's not true    Latest in Security Iberia tells customers it was hit by a major security breach    Perplexity responds to Comet browser vulnerability claims, argues "fake news"    D-Link routers under threat from dangerous flaw - here's how to stay safe    Second-order prompt injection can turn AI into a malicious insider    Too good to be true? Be careful when looking through those Black Friday offers - they might be a scam    AI agents are fuelling an identity and security crisis for organizations    Latest in News OnePlus just dropped its own Apple Watch SE rival with the affordable Watch Lite    How to watch Bigg Boss 19 online for *FREE*    Valve dashes dreams of $500 Steam Machine with new hint on pricing    OnePlus 15R launch date confirmed – and it's arriving alongside two other devices    DJI explains what its looming US ban means for your drones    Panic over – Google says your Gmails aren't being used to train its Gemini AI    LATEST ARTICLES

1. 1Google security experts say Gainsight hacks may have left hundreds of companies affected
2. 2NYT Connections hints and answers for Tuesday, November 25 (game #898)
3. 3Quordle hints and answers for Tuesday, November 25 (game #1401)
4. 4NYT Strands hints and answers for Tuesday, November 25 (game #632)
5. 5What is the release date for The Mighty Nein episode 4 on Prime Video?