- Gainsight apps allowed unauthorized access to Salesforce data, leading to token revocation and removal of AppExchange.
- The incident stems from the Salesloft hack in August 2025, in which OAuth tokens exposed 1.5 billion records.
- ShinyHunters used stolen secrets to steal customer contacts and Gainsight licensing data.
Salesloft Drift Incident appears to have spilled over into Gainsight, causing hundreds of other organizations to potentially lose their sensitive data to hackers.
Salesforce confirmed that it had observed “unusual activity” regarding Gainsight-published apps connected to Salesforce.
Salesforce says some of these apps “may have provided unauthorized access to certain customers' Salesforce data,” forcing the company to revoke all active access and refresh tokens associated with Gainsight-published apps connected to Salesforce. Additionally, the company has temporarily removed the apps from its AppExchange.
ShinyHunters take responsibility
“There is no indication that this issue is due to any vulnerability in the Salesforce platform,” the announcement said. “This activity appears to be related to the application's external connection to Salesforce. We have notified known affected customers directly and will continue to provide updates as needed.”
Gainsight is a company that creates a “customer success” platform through which companies can manage and improve their post-sales customer relationships (e.g. onboarding, adoption, retention or renewal).
The company also creates various applications and integrations, some of which run inside Salesforce and others that connect via APIs.
At the same time, BeepingComputer claims that the incident is actually a continuation of the Salesloft hack in August 2025.
This led to a group of criminals known as the Scattered Lapsus$ Hunters stealing the OAuth tokens that Salesloft used to integrate Drift AI chat with Salesforce, giving them direct API access to customers' Salesforce data.
Using the stolen tokens, they gained access to approximately 760 Salesforce instances and stole 1.5 billion records, including passwords, AWS keys, and Snowflake tokens.
Now a member of the same ShinyHunters group told the publication that they hacked Gainsight using secrets stolen during the Salesloft incident.
Gainsight also confirmed the attack and stated that the attackers obtained company contact information such as names, email addresses, phone numbers, region/location data, licensing information and the contents of the support request.
The best antivirus for any budget
Follow TechRadar on Google News. And add us as your preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the “Subscribe” button!
And of course you can also Follow TechRadar on TikTok for news, reviews, unboxing videos and get regular updates from us on whatsapp too much.
