What Happened in the Salesforce Gainsight Hack That Exposed 200 Companies?
Over 200 companies lost customer data after hackers broke into Salesforce through Gainsight applications. Salesforce found strange activity connected to Gainsight apps, which help businesses manage customer relationships. Google’s security team confirmed the number of affected companies, making this one of the bigger data thefts this year.
How the Attack Worked
The hackers didn’t break into Salesforce directly. They used a trick from an earlier attack on a company called Salesloft. In August 2025, these same criminals stole special access codes (called OAuth tokens) from Salesloft’s Drift chat tool. Gainsight used Drift, so when Salesloft got hacked, the attackers got keys to Gainsight’s Salesforce connection too. Think of it like stealing a master key that opens many doors at once.
Who’s Behind This
A group called Scattered Lapsus$ Hunters took credit for the attack. This group formed when three smaller hacking gangs—ShinyHunters, Scattered Spider, and Lapsus$—joined forces. They’re known for tricking company workers into giving them access. They’ve hit big names before, like MGM Resorts, Coinbase, and DoorDash.
Companies Targeted
The hackers claim they got into systems at Atlassian, CrowdStrike, LinkedIn, Malwarebytes, SonicWall, Verizon, Thomson Reuters, and others. Not all these companies agree they were hit. CrowdStrike says they’re not affected. Docusign checked their systems and found no signs of stolen data. Malwarebytes started looking into what happened.
What Salesforce Did
Salesforce shut down all active connections to Gainsight apps as soon as they spotted the problem. They pulled Gainsight’s apps from their store (called AppExchange) while they figure out what went wrong. They’re telling affected customers directly what happened. Salesforce says their main system wasn’t broken—the problem came from how outside apps connect to it.
What Comes Next
The hacking group plans to set up a website to pressure victims into paying money. They did this same thing in October after their Salesloft attack. This is how they work: steal data, then threaten to share it unless companies pay. Security experts are watching to see which companies actually lost sensitive information and what kind of data got taken.
- Check whether your company uses Gainsight with Salesforce
- Review system logs from August through November 2025
- Rotate access codes and passwords for cloud tools
- Watch for unusual login attempts or data downloads
Salesforce shared warning signs to look for, including suspicious computer addresses and unusual software names trying to access accounts. Both Salesforce and Gainsight are still investigating with outside security firms helping.
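The log review and indicator check recommended above, worked through as an added example (not code from Salesforce, Gainsight or the article): it scans a constructed, simplified login-history export for connected-app logins in the August to November 2025 window and flags those coming from unexpected addresses, matching placeholder indicators, or using generic scripting clients instead of the integration's usual agent. The column names, addresses, user agents and indicator values are all made up for illustration.

```python
"""Flag suspicious connected-app logins in a constructed login-history export."""
import csv
import io
from datetime import datetime

# Constructed sample resembling a simplified login-history export.
# Columns, addresses and user agents are invented for this example.
SAMPLE_LOGIN_HISTORY = """timestamp,user,source_ip,application,user_agent,status
2025-08-12T09:14:03Z,ops@example.com,198.51.100.10,Gainsight,Salesforce-Connector/1.0,Success
2025-09-02T02:41:55Z,ops@example.com,203.0.113.77,Gainsight,python-requests/2.31,Success
2025-10-18T11:05:19Z,sales@example.com,198.51.100.10,Browser,Mozilla/5.0,Success
2025-11-20T23:58:01Z,ops@example.com,203.0.113.78,Gainsight,curl/8.4.0,Success
2026-01-05T10:00:00Z,ops@example.com,203.0.113.77,Gainsight,python-requests/2.31,Success
"""

# Review window named in the article: August through November 2025.
WINDOW_START = datetime(2025, 8, 1)
WINDOW_END = datetime(2025, 12, 1)  # exclusive

# PLACEHOLDERS: the addresses an organisation expects its Gainsight
# integration to use, and indicators taken from the vendor advisory.
KNOWN_INTEGRATION_IPS = {"198.51.100.10"}
IOC_IPS = {"203.0.113.78"}  # placeholder, not a real indicator
GENERIC_CLIENT_PREFIXES = ("python-requests", "curl", "go-http-client")


def find_suspicious_logins(csv_text, app_name="Gainsight"):
    """Return (timestamp, user, source_ip, reason) for flagged app logins in the window."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if row["application"] != app_name or not (WINDOW_START <= when < WINDOW_END):
            continue
        reasons = []
        if row["source_ip"] in IOC_IPS:
            reasons.append("matches published indicator")
        elif row["source_ip"] not in KNOWN_INTEGRATION_IPS:
            reasons.append("login from unexpected address")
        if row["user_agent"].lower().startswith(GENERIC_CLIENT_PREFIXES):
            reasons.append("generic scripting client instead of integration agent")
        if reasons:
            findings.append((row["timestamp"], row["user"], row["source_ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOGIN_HISTORY):
        print(*hit, sep=" | ")
```

A flagged row is a prompt to revoke that connected app's OAuth tokens and check what data the session exported, not proof of compromise on its own.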