Salesforce has confirmed it is investigating a data breach where hackers accessed some of its customers' data through applications published by Gainsight, a customer experience platform provider. The company clarified that the compromise occurred via "Gainsight-published applications connected to Salesforce," which are installed and managed directly by customers. Salesforce stated there is "no indication that this issue resulted from any vulnerability in the Salesforce platform" itself, suggesting the activity points to Gainsight's "external connection to Salesforce."
In a notice published late Wednesday, Salesforce detailed that the incident involves these Gainsight-published applications. When reached for comment, Salesforce spokesperson Nicole Aranda referred inquiries to the company's dedicated page for the incident.
As of the time of reporting, Gainsight's status page acknowledged an investigation into a "Salesforce connection issue" but did not explicitly mention a data breach. The company stated, "Our internal investigation is ongoing." A spokesperson for Gainsight did not immediately respond to requests for comment from the publication.
Gainsight's website lists prominent corporate clients such as Airtable, Notion, and GitLab. A spokesperson for GitLab, Emily James, confirmed their security team is investigating the incident and will provide updates when available.
The notorious hacking collective ShinyHunters has claimed responsibility for the breach, informing cybersecurity news outlet DataBreaches.net. The group threatened to launch a new website to publicize the stolen data if negotiations with Salesforce do not occur—a typical extortion tactic employed by financially motivated cybercriminals. ShinyHunters reportedly stated, "The next [data leak site] will contain the data of the Salesloft and GainSight campaigns," asserting they have compromised data from close to a thousand companies.
This incident bears resemblance to an August breach involving AI marketing chatbot provider Salesloft. In that attack, hackers gained access to several customers' connected Salesforce instances, stealing sensitive information like access tokens for other services. Notable victims of the Salesloft-linked breaches included insurance giant Allianz Life, Bugcrowd, Cloudflare, Google, fashion conglomerate Kering, Proofpoint, the airline Qantas, carmaker Stellantis, credit bureau TransUnion, and the employee management platform Workday.
In the case of the Salesloft breaches, the hacking group Scattered Lapsus$ Hunters, which reportedly includes the ShinyHunters gang, claimed responsibility. Last month, the hackers launched a dedicated website to extort victims, where they threatened to release a billion records. Gainsight had previously confirmed it was among the victims of the Salesloft-linked breaches, though it remains unclear if this latest wave of hacks stems from that earlier compromise.
