Google has said it is aware of more than 200 Salesforce instances potentially affected by a large-scale supply chain attack that reached Salesforce customer data through applications published by Gainsight, a customer success platform provider. The breach was publicly disclosed around November 20-22, 2025, after Salesforce alerted customers to unusual activity involving those applications.
Sophisticated Supply Chain Attack Unfolds
The security incident began as a supply chain attack. The attackers gained unauthorized access to customer data stored in Salesforce environments by compromising apps built by Gainsight, a company that sells customer success software and integrates it with Salesforce. The core Salesforce platform was not itself vulnerable; the attackers abused the trusted connection that a third-party application already held into each customer's Salesforce org, which is why the blast radius is every org that had installed the app rather than a single tenant.
The cybercriminal group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the breaches via a Telegram channel. The group is known for similar high-profile hacks. It stated that it gained access to Gainsight by using credentials stolen during an earlier attack on Salesloft, a sales engagement platform of which Gainsight was itself a customer. In that prior incident, the attackers stole OAuth tokens from Salesloft's Drift integration (an AI chat product). Because such tokens act as bearer credentials for the linked Salesforce orgs, holding them was enough to query and download data without ever logging in as a user.
Google Confirms Extensive Impact
Austin Larsen, a principal threat analyst with Google Threat Intelligence Group, provided crucial confirmation regarding the scope of the breach. He stated that Google "is aware of more than 200 potentially affected Salesforce instances." This statement highlights the significant number of organizations potentially impacted by the compromise. While the hacking group ShinyHunters claimed to have stolen data from nearly 1,000 organizations through a combination of the Salesloft and Gainsight attacks, Google's specific confirmation focuses on the over 200 Salesforce instances affected through Gainsight.
The data potentially exposed includes business contact details, licensing information, names, business email addresses, phone numbers, regional or location details, and in some cases the contents of support cases. Support case text is the most sensitive of these, since it can contain configuration details, internal hostnames or credentials pasted by customers, all of which are useful for targeted phishing, follow-on intrusions or extortion.
Immediate Responses and Ongoing Investigations
Upon detecting the unusual activity, Salesforce moved to contain the threat. The company revoked all active access and refresh tokens associated with Gainsight-published applications connected to its platform. Revoking the refresh tokens matters as much as revoking the access tokens: an access token expires on its own within hours, but a refresh token lets whoever holds it mint fresh access tokens indefinitely, so an attacker who stole a refresh token would otherwise simply have requested a new access token after the old one was invalidated. Salesforce also temporarily removed the Gainsight applications from its AppExchange marketplace, so that no new customers could install them while the investigation continued.
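The following is an added illustration, not code from Salesforce, Gainsight or the article, of why the containment step above had to cover refresh tokens and not only access tokens. It models a connected-app token store in memory; the app name, publisher name, token format and one-hour access-token lifetime are all assumptions made for the example.

```python
"""Toy model of OAuth access/refresh tokens for connected apps.

Added example only (not Salesforce's implementation). It shows that
revoking access tokens alone leaves a stolen refresh token usable,
while revoking every token tied to a publisher cuts the attacker off.
"""
import secrets
import time

ACCESS_TTL = 60 * 60  # assumed one-hour access-token lifetime


class TokenStore:
    def __init__(self):
        self.access = {}   # access_token -> {"app", "publisher", "exp"}
        self.refresh = {}  # refresh_token -> {"app", "publisher"}

    def grant(self, app, publisher):
        """Authorization-code exchange: returns an (access, refresh) pair."""
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"app": app, "publisher": publisher}
        return self._mint_access(rt), rt

    def _mint_access(self, rt):
        at = secrets.token_urlsafe(32)
        self.access[at] = {**self.refresh[rt], "exp": time.time() + ACCESS_TTL}
        return at

    def refresh_access(self, rt):
        """Token endpoint: a stolen refresh token keeps working until revoked."""
        if rt not in self.refresh:
            raise PermissionError("invalid_grant")
        return self._mint_access(rt)

    def api_call(self, at):
        """Resource server: accepts any unexpired, unrevoked access token."""
        meta = self.access.get(at)
        if meta is None or meta["exp"] < time.time():
            raise PermissionError("invalid_session")
        return f"records for {meta['app']}"

    def revoke_access_only(self, publisher):
        """Insufficient containment: drops access tokens, keeps refresh tokens."""
        for at in [a for a, m in self.access.items() if m["publisher"] == publisher]:
            del self.access[at]

    def revoke_publisher(self, publisher):
        """Full containment: drop access AND refresh tokens for every app by a publisher."""
        self.revoke_access_only(publisher)
        for rt in [r for r, m in self.refresh.items() if m["publisher"] == publisher]:
            del self.refresh[rt]


def demo():
    """Walks through theft, partial revocation, then full revocation."""
    store = TokenStore()
    at, rt = store.grant("example-cs-app", "example-publisher")  # hypothetical names
    stolen_rt = rt  # attacker obtains the refresh token from the vendor side
    results = {}

    store.revoke_access_only("example-publisher")
    try:
        store.api_call(at)
        results["old_access_after_partial_revoke"] = "works"
    except PermissionError:
        results["old_access_after_partial_revoke"] = "denied"

    # The refresh token was untouched, so the attacker just mints a new one.
    new_at = store.refresh_access(stolen_rt)
    results["refresh_after_partial_revoke"] = store.api_call(new_at)

    store.revoke_publisher("example-publisher")
    try:
        store.refresh_access(stolen_rt)
        results["refresh_after_full_revoke"] = "works"
    except PermissionError:
        results["refresh_after_full_revoke"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point generalizes to any OAuth-connected SaaS integration: when a vendor's credentials are suspected stolen, revocation must be keyed on the publisher or client ID and must invalidate refresh tokens, or the attacker's session simply renews itself.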
Gainsight, the affected customer success platform provider, confirmed it was investigating the incident and engaged Mandiant, the Google-owned incident response firm, to assist with the forensic investigation. Gainsight said its initial findings indicate the malicious activity originated from the applications' external connection to Salesforce, not from a vulnerability within the Salesforce platform itself. As a precaution, Gainsight also temporarily pulled its app from the HubSpot Marketplace and revoked access to its Zendesk connector, since the same vendor-side credentials could in principle have been used against those integrations as well.
Several companies mentioned by the hacking group as being affected have issued their own statements. CrowdStrike spokesperson Kevin Benacci stated that the company was "not affected by the Gainsight issue" and confirmed all customer data remained secure. CrowdStrike also disclosed it dismissed a "suspicious insider" who allegedly shared information with hackers. Verizon spokesperson Kevin Israel acknowledged awareness of the claims but described them as "unsubstantiated." Malwarebytes spokesperson Ashley Stewart indicated that the company's security team was "aware" of the Gainsight and Salesforce issues and was "actively investigating." DocuSign's chief information security officer, Michael Adams, noted that their "comprehensive log analysis and internal investigation" showed no indication of data compromise. DocuSign also took measures to terminate all Gainsight integrations and contain related data flows. Thomson Reuters also confirmed it was actively investigating the matter. Palo Alto Networks clarified that it was not impacted, having disabled its Gainsight integration promptly and receiving confirmation from Salesforce that its specific instance was unaffected.
ShinyHunters has announced plans to launch a dedicated extortion website in the coming week, which it says will host data from both the Salesloft and Gainsight campaigns. Publishing or threatening to publish stolen data to pressure victims is consistent with the group's past operations.
This incident highlights the risk that third-party integrations carry in modern software-as-a-service (SaaS) ecosystems: a single vendor's stolen tokens translate into access to every customer org that trusted that vendor's app. Organizations are urged to maintain an inventory of installed third-party applications and the OAuth scopes each one holds, to remove integrations that are no longer used, to audit access permissions regularly, and to monitor API activity by integration users for unusual patterns such as bulk reads of objects an app never previously touched. The investigation into the full extent of the Gainsight breach and its repercussions remains ongoing.
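As an added example of the inventory, audit and monitoring steps recommended above (not code from the article or from any vendor), the script below runs an audit over two constructed exports: a list of installed connected apps with their scopes, and a log of API reads by integration users. The app and publisher names, the field layout of both exports, and the thresholds are assumptions for the example; a real deployment would read the equivalent data from the SaaS platform's own connected-app listing and event logs.

```python
"""Audit connected apps and detect anomalous bulk reads by integrations.

Added example only. Every record below is constructed for illustration;
field names do not claim to match any vendor's real export schema.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of installed connected apps (hypothetical names).
CONNECTED_APPS = [
    {"app": "example-cs-app", "publisher": "example-publisher",
     "scopes": ["api", "refresh_token", "full"], "last_used": "2025-11-19"},
    {"app": "example-chat-app", "publisher": "example-chatco",
     "scopes": ["api", "refresh_token"], "last_used": "2025-11-20"},
    {"app": "example-old-bi", "publisher": "example-bico",
     "scopes": ["api", "refresh_token"], "last_used": "2025-03-02"},
]

# Constructed API read log: timestamp,app,user,operation,object,rows_returned
API_LOG = """\
2025-11-18T09:00:00Z,example-cs-app,integration-user,Query,Case,120
2025-11-18T10:00:00Z,example-cs-app,integration-user,Query,Contact,80
2025-11-19T09:00:00Z,example-cs-app,integration-user,Query,Case,130
2025-11-19T10:00:00Z,example-cs-app,integration-user,Query,Contact,90
2025-11-20T02:00:00Z,example-cs-app,integration-user,Query,Contact,48000
2025-11-20T02:10:00Z,example-cs-app,integration-user,Query,Account,31000
2025-11-20T02:20:00Z,example-cs-app,integration-user,Query,Case,27000
2025-11-20T09:00:00Z,example-chat-app,integration-user,Query,Lead,60
"""

STALE_DAYS = 90  # assumed cut-off for "unused integration"


def audit_apps(apps, today):
    """Inventory/permission audit: flag full-scope grants and stale integrations."""
    findings = []
    for a in apps:
        if "full" in a["scopes"]:
            findings.append((a["app"], "full-scope grant; reduce to least privilege"))
        last_used = datetime.strptime(a["last_used"], "%Y-%m-%d")
        if today - last_used > timedelta(days=STALE_DAYS):
            findings.append((a["app"], "unused integration; revoke tokens and uninstall"))
    return findings


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, app, user, op, obj, rows = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "app": app, "user": user, "op": op, "obj": obj, "rows": int(rows)})
    return events


def detect_bulk_reads(events, baseline_end, factor=10, floor=1000):
    """Monitoring: compare each post-baseline read against the app's own history.

    Alerts on reads far above the app's median row count, on objects the app
    never read during the baseline, and on apps with no baseline at all.
    """
    base_rows, base_objs = defaultdict(list), defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            base_rows[e["app"]].append(e["rows"])
            base_objs[e["app"]].add(e["obj"])
    alerts = []
    for e in events:
        if e["ts"] < baseline_end:
            continue
        history = base_rows.get(e["app"])
        if not history:
            alerts.append((e["app"], e["obj"], e["rows"], "no-baseline"))
            continue
        typical = statistics.median(history)
        if e["rows"] > max(floor, factor * typical):
            alerts.append((e["app"], e["obj"], e["rows"], "volume"))
        if e["obj"] not in base_objs[e["app"]]:
            alerts.append((e["app"], e["obj"], e["rows"], "new-object"))
    return alerts


def run():
    today = datetime(2025, 11, 21)
    findings = audit_apps(CONNECTED_APPS, today)
    alerts = detect_bulk_reads(parse_log(API_LOG), baseline_end=datetime(2025, 11, 20))
    return findings, alerts


if __name__ == "__main__":
    for item in run()[0] + run()[1]:
        print(item)
```

In the constructed data the compromised app's 02:00 reads of tens of thousands of Contact, Account and Case rows stand out against a baseline of roughly a hundred rows per query, and Account is flagged separately because the app had never queried it before; both signals are cheap to compute from API event logs and would have surfaced exactly the kind of bulk export described in this article.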