Salesforce Says Customer Data Was Accessed Following Gainsight-Linked Breach

Salesforce is investigating unauthorised access to customer data through Gainsight-linked apps, as hacking group ShinyHunters claims responsibility.

Nov 20, 2025 - 15:52
Nov 20, 2025 - 19:22

Salesforce revealed on Wednesday that it is investigating an incident involving unauthorised access to “certain customers’ Salesforce data,” which the company says was compromised through applications created by Gainsight — a platform used by businesses to manage customer relationships.

In a notice published late Wednesday, Salesforce explained that the breach involves Gainsight-developed apps connected to Salesforce, which are installed and controlled directly by customers. The company emphasised that there is no evidence of a vulnerability in its platform, suggesting that the issue stems from Gainsight’s external integration with Salesforce systems.

When contacted by TechCrunch, a Salesforce spokesperson, Nicole Aranda, referred inquiries to the company’s dedicated incident page.

As of now, Gainsight has acknowledged a “Salesforce connection issue” on its status page but has not publicly confirmed a breach. The company said its internal investigation is ongoing. A spokesperson for Gainsight did not respond to TechCrunch’s request for further comment.

Gainsight lists well-known enterprise clients on its website, including Airtable, Notion, and GitLab. GitLab spokesperson Emily James told TechCrunch via email that the company’s security team is reviewing the situation and will provide updates once more details are available.

Meanwhile, the hacking group ShinyHunters claimed responsibility for the breach in comments to DataBreaches.net. The group warned that unless Salesforce negotiates with them, they will launch a new leak site to publish stolen data, a standard extortion tactic used by financially driven hacker groups.

“The next leak site will contain data from the Salesloft and Gainsight campaigns,” the hackers said, claiming they obtained information from nearly a thousand companies.

The incident bears similarities to an August breach affecting Salesloft, an AI-powered marketing chatbot provider. That attack enabled the hackers to infiltrate multiple Salesforce customer environments and steal sensitive information, including access tokens for other services. Victims of that earlier breach included Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, Workday, and others.

In the Salesloft incidents, the group Scattered Lapsus$ Hunters — which reportedly includes members of ShinyHunters — claimed responsibility. Last month, the attackers launched a dedicated extortion site, threatening to release 1 billion stolen records.

Gainsight previously confirmed it was among the victims of the Salesloft-connected attacks, but it remains unclear whether this latest wave of intrusions is linked to its prior compromise.

TechAmerica.ai Staff