Salesforce has disclosed that some of its customers' data was accessed following a breach of Gainsight, a platform used by businesses to manage customer relationships. The breach specifically affected Gainsight-published applications that were connected to Salesforce, with these apps being installed and managed directly by customers.
Salesforce emphasized that the breach did not stem from vulnerabilities in its own platform, but rather from Gainsight's external connection to Salesforce. The company is actively investigating the incident and directed further inquiries to its dedicated incident response page.
Gainsight confirmed it was investigating a Salesforce connection issue, but did not explicitly acknowledge a breach, stating that its internal investigation was ongoing. Notable companies using Gainsight's services include Airtable, Notion, and GitLab. GitLab confirmed that its security team is investigating and will share more details as they become available.
The hacking group ShinyHunters claimed responsibility for the breach, stating that if Salesforce does not negotiate with them, they will set up a new website to advertise the stolen data—a common tactic for cybercriminals seeking financial gain. The group reportedly stole data from nearly a thousand companies, including details from Salesloft and GainSight campaigns.
This breach mirrors a previous incident in August, where ShinyHunters exploited vulnerabilities in AI marketing chatbot maker Salesloft, compromising numerous customers' Salesforce instances and accessing sensitive information such as access tokens.
In the earlier Salesloft breach, victims included major organizations like Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, and Workday. The hackers subsequently launched a website to extort victims, threatening to release over a billion records. Gainsight was among those affected in the Salesloft-linked breaches, but it remains unclear if the latest wave of attacks originated from the same compromise or a separate incident.
Overall, this incident highlights the risks associated with third-party integrations in major cloud platforms and the growing sophistication of financially-motivated cybercriminals targeting customer data through supply chain vulnerabilities. Both Salesforce and Gainsight are continuing their investigations, with cybersecurity teams across affected organizations actively working to assess the extent of the breach and mitigate potential damage.