Salesforce Data Breach: Gainsight Apps Targeted by Hackers – Ankor Tech

Salesforce confirmed on Wednesday that it is investigating a security breach involving unauthorized access to customer data. The incident stems from third-party applications published by Gainsight, a platform widely used by corporations to manage customer relationships.

Understanding the Salesforce-Gainsight Security Incident

In an official notice published late Wednesday, Salesforce clarified that the breach specifically impacts Gainsight-published applications that are integrated into Salesforce environments. Crucially, these applications are installed and managed directly by individual customers, rather than being a core component of the Salesforce platform itself.

Salesforce emphasized that there is no evidence suggesting a vulnerability within its own infrastructure. Instead, the unauthorized access appears to be tied to Gainsight’s external connection protocols. Gainsight is currently conducting an internal investigation and has acknowledged a “Salesforce connection issue” on its status page, though the company has not yet explicitly confirmed a breach.

Extortion Threats and Hacker Claims

The notorious hacking group ShinyHunters has claimed responsibility for the attack. In statements provided to DataBreaches.net, the group threatened to publish the stolen information on a dedicated leak site if their extortion demands are not met. The hackers allege they have compromised data from nearly 1,000 companies.

This incident mirrors a similar campaign reported in August involving Salesloft, an AI marketing chatbot provider. During that event, hackers exploited connected Salesforce instances to exfiltrate sensitive information, including access tokens for various enterprise services. Victims of the previous Salesloft-linked breaches included major global entities such as Google, Cloudflare, Workday, and Allianz Life.

Broader Implications for Enterprise Security

The hacking collective, often associated with the group known as Scattered Lapsus$ Hunters, has been increasingly active, recently launching a website aimed at extorting victims of these interconnected breaches. Gainsight previously confirmed it was a victim of the earlier Salesloft-related attacks, but whether this new wave of unauthorized access is a direct evolution of the previous compromise remains under investigation.

Corporate clients of Gainsight, including prominent firms like GitLab, Notion, and Airtable, are currently assessing the situation. A representative for GitLab confirmed that their security team is actively investigating the potential impact on their systems.