
Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers.
The cloud-based software company noted that the incident doesn't stem from a vulnerability in its customer relationship management (CRM) platform, since all evidence points to the malicious activity being related to the app's external connection to Salesforce.
"Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection," it said in a Thursday morning advisory.
"Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues."
Salesforce has alerted all impacted customers of this incident and advised those requiring further assistance to reach out to the Salesforce Help team.
While the company hasn't provided more details regarding these attacks, this incident is similar to the August 2025 Salesloft breach, when an extortion group known as "Scattered Lapsus$ Hunters" stole sensitive information, including passwords, AWS access keys, and Snowflake tokens, from customers' Salesforce instances, using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce.
The ShinyHunters extortion group told BleepingComputer at the time that the Salesloft data theft attacks affected around 760 companies, resulting in the theft of 1.5 billion Salesforce records.
Companies known to have been impacted in the Salesloft attacks include Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Nutanix, Qualys, and Cato Networks, among many others.
Today, in messages exchanged with BleepingComputer, ShinyHunters claimed they gained access to another 285 Salesforce instances after breaching Gainsight via secrets stolen in the Salesloft Drift breach.
Gainsight previously confirmed it was breached via stolen OAuth tokens linked to Salesloft Drift and said the attackers accessed business contact details, including names, business email addresses, phone numbers, regional/location details, licensing information, and support case contents.
BleepingComputer reached out to Gainsight with questions about the data theft attacks related to Gainsight applications, but a response was not immediately available.
Update November 21, 15:30 EST: Palo Alto Networks reached out after the article was published to clarify that it wasn't impacted by the Gainsight supply chain attack.
"On November 19, 2025, Palo Alto Networks identified errors within our internal Gainsight integration and immediately disabled the application," a spokesperson told BleepingComputer.
"Based on the results of our internal forensic investigation using Cortex XSIAM and definitive confirmation from Salesforce that our specific instance was not affected, we can confirm we were not impacted by this security event. At no time were any Palo Alto Networks products or services impacted."
