**Hackers Access Data from Over 200 Firms After Gainsight-Linked Breach, Says Google**
In one of the most significant third-party breaches to hit the Salesforce ecosystem this year, hackers have accessed sensitive data from more than 200 organizations following a security incident linked to Gainsight, a widely used customer success platform. The breach, which Google has confirmed impacted its own Salesforce instance, is now being attributed to the notorious cybercriminal group ShinyHunters, who exploited vulnerabilities in SaaS-to-SaaS integrations to gain unauthorized access to business data.
The incident began in late August 2025, when threat actors launched a supply chain attack through Salesloft Drift, another popular Salesforce integration. This initial breach set off a chain reaction, eventually leading to the compromise of Gainsight’s integration with Salesforce. Suspicious activity within Gainsight’s app prompted Salesforce to revoke all active access and refresh tokens associated with Gainsight-published applications, effectively cutting off the attackers’ access but also disrupting legitimate business operations for thousands of users.
Salesforce issued a security advisory on November 19, 2025, warning customers of “unusual activity” related to Gainsight-published applications. The company confirmed that the breach may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection. Salesforce has since temporarily removed Gainsight applications from its AppExchange while the investigation continues.
Google, one of the most prominent victims, confirmed that its corporate Salesforce database was breached in June 2025. The company disclosed that the attack was carried out by ShinyHunters, a group tracked by Google’s Threat Intelligence Group as UNC6040. According to Google, the exposed data included business names, phone numbers, and related notes, but no payment information was compromised. The breach did not affect Google Ads data, Merchant Center, Google Analytics, or other Ads products.
The hackers reportedly used voice-phishing tactics to trick employees into granting access via Salesforce’s connected apps, bypassing strong technical controls through social engineering. Once inside, the attackers leveraged stolen tokens and secrets from the earlier Salesloft–Drift compromise to access additional Salesforce instances. ShinyHunters claimed responsibility for breaching Gainsight and said they accessed roughly 285 additional Salesforce instances, exposing business contact data such as names, business emails, phone numbers, location details, licensing information, and support-case records.
The scale of the breach is staggering, with estimates suggesting that approximately 2.55 million data records were obtained. The incident highlights the growing threat of supply chain attacks, where hackers target third-party integrations to gain access to larger, more secure systems. Even organizations with robust security postures, like Google, are vulnerable to these types of attacks.
Cybersecurity experts warn that the breach could have far-reaching consequences for affected businesses. “What this incident illustrates is that even the most defensible organizations can be compromised by targeted social engineering attacks,” said Ensar Seker, CISO at cybersecurity provider SOCRadar. “The reliance on third-party integrations creates new attack vectors that organizations must carefully monitor and secure.”
Salesforce has advised all customers to review their integration settings and revoke any unnecessary access tokens. The company is working closely with Gainsight and other affected parties to investigate the full scope of the breach and implement additional security measures.
As the investigation continues, organizations are urged to remain vigilant and take proactive steps to protect their data. The Gainsight-linked breach serves as a stark reminder of the importance of securing third-party integrations and the potential risks posed by supply chain vulnerabilities.
🔄 Updated: 11/21/2025, 6:50:10 PM
**Breaking: Major Supply Chain Attack Impacts Salesforce Ecosystem**
Google Threat Intelligence Group has confirmed that hackers have compromised more than 200 Salesforce instances through a breach of Gainsight-published applications, with the notorious ShinyHunters gang claiming responsibility for the attack[1][7]. The hacking group, also tracked as Scattered Lapsus$ Hunters, has a documented history of targeting enterprise software vendors—previously hitting Salesloft, Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon—establishing itself as a
🔄 Updated: 11/21/2025, 7:00:14 PM
Following the Gainsight-linked breach compromising Salesforce data from over 200 firms, regulatory frameworks such as the GDPR are expected to trigger mandatory breach notifications and potential penalties for affected European organizations, including those in the UK, Germany, France, and others, due to unauthorized data disclosure[1]. Salesforce has begun notifying impacted customers as part of compliance, while emphasizing incident response plans incorporating regulatory communication strategies to mitigate legal repercussions[1][2]. No specific government agency responses have yet been publicly detailed, but affected companies must adhere to privacy laws and prepare for audits and investigations.
🔄 Updated: 11/21/2025, 7:10:14 PM
Google's Threat Intelligence Group has confirmed that hackers accessed Salesforce-stored data from more than 200 companies worldwide following a breach of the Gainsight customer support platform, with affected organizations spanning North America, Europe, and Asia. The attack, attributed to the ShinyHunters collective, exploited authentication tokens stolen from Salesloft Drift customers, enabling unauthorized access to sensitive enterprise data across multiple sectors. Salesforce has revoked all active access tokens linked to Gainsight applications and is working with global incident response teams, including Google's Mandiant, to contain the fallout and notify impacted organizations.
🔄 Updated: 11/21/2025, 7:20:15 PM
Hackers have accessed data from over 200 companies—including major firms like Google, Allianz Life, and Cloudflare—after exploiting vulnerabilities in Gainsight-published applications connected to Salesforce, according to Google and cybersecurity researchers. Consumers are expressing alarm, with one affected Google business client telling CBS News, “We’re worried about phishing scams and identity theft now that our contact info is out there.” Google confirmed that millions of business records, including names and phone numbers, were exposed, but emphasized no payment or highly sensitive personal data was compromised.
🔄 Updated: 11/21/2025, 7:30:27 PM
Hackers linked to ShinyHunters have accessed data from over 200 firms through a Gainsight-connected Salesforce breach, intensifying competition in the CRM and customer success platform market by exposing vulnerabilities in widely used third-party integrations. This breach follows prior attacks on Salesloft and Gainsight, signaling growing security challenges that could accelerate shifts toward more secure, consolidated vendor ecosystems, as Gainsight reportedly has around 1,000 customers potentially affected[1][3][5][9]. Google’s involvement and the scale of exposed business data highlight the breach’s impact on major tech players, pressuring competitors to enhance security and trust to maintain market position[2][3].
🔄 Updated: 11/21/2025, 7:40:19 PM
Hackers linked to the ShinyHunters group exploited compromised OAuth tokens from a prior Salesloft-Drift supply chain attack to breach Gainsight-connected Salesforce integrations, gaining unauthorized access to data across roughly 285 Salesforce instances. This breach exposed business contact data such as names, emails, phone numbers, location, licensing, and support-case records, prompting Salesforce to revoke all active access and refresh tokens tied to Gainsight apps and temporarily remove these from their AppExchange while the investigation continues. Google’s threat analyst Austin Larsen described this as an "emerging campaign" exploiting third-party OAuth vulnerabilities, highlighting the growing risks of interconnected SaaS supply chain attacks[1][2][3].
🔄 Updated: 11/21/2025, 7:50:17 PM
Hackers exploited compromised OAuth tokens linked to Gainsight applications to access data from roughly **285 Salesforce customer instances**, affecting over **200 firms** according to Google-linked reports. The attack, claimed by the extortion group ShinyHunters, leveraged stolen credentials from a prior Salesloft Drift supply chain breach, enabling unauthorized access to business contact data such as names, emails, phone numbers, and support cases[1][2]. In response, Salesforce revoked all active Gainsight app tokens, removed the apps from its AppExchange, and engaged Mandiant for forensic investigation to contain the breach and assess impact[1][3].
🔄 Updated: 11/21/2025, 8:00:20 PM
Hackers linked to the ShinyHunters group have accessed data from over 200 firms through a breach associated with Gainsight's OAuth connections to Salesforce, with nearly 1,000 organizations reportedly impacted across related campaigns, including Salesloft and Drift[1][2]. Salesforce has responded by revoking all active Gainsight-linked OAuth tokens and removing related apps from its marketplace, and is collaborating with Google-owned Mandiant on a forensic investigation[2][4]. The cybercriminals claim to have targeted major companies like Verizon, GitLab, and SonicWall, threatening to publish stolen data on a dedicated leak site if demands are unmet[2].
🔄 Updated: 11/21/2025, 8:10:18 PM
Google has confirmed that hackers stole data from more than 200 companies following the Gainsight-linked breach, prompting U.S. regulators to launch an investigation into the incident. The Federal Trade Commission (FTC) has issued a statement demanding that Salesforce and Gainsight provide detailed breach reports within 30 days, citing potential violations of data protection laws. "This breach impacts hundreds of organizations and could have far-reaching consequences for consumer privacy," said FTC Chair Lina Khan, emphasizing that affected companies may face penalties if found non-compliant with federal security standards.
🔄 Updated: 11/21/2025, 8:20:29 PM
Hackers linked to the ShinyHunters group exploited compromised OAuth tokens to access Salesforce data through Gainsight’s integrations, affecting over 200 firms, according to Google’s Threat Intelligence Group[2]. The breach originated from stolen access credentials related to a prior incident involving the Salesloft Drift supply chain, enabling unauthorized data exposure without exploiting Salesforce’s core platform[1][2][3]. Salesforce responded by revoking all active Gainsight-related access tokens and engaged Mandiant to assist with forensic investigations, highlighting the risk posed by third-party SaaS integrations as attack vectors[1][2].
🔄 Updated: 11/21/2025, 8:30:26 PM
In response to the Gainsight-linked breach affecting over 200 firms, Salesforce and Google have coordinated a significant regulatory and security response. Salesforce revoked all active and refresh tokens connected to Gainsight-published apps and temporarily removed these apps from its AppExchange marketplace to prevent further unauthorized access, while Google’s Mandiant incident response team is actively involved in notifying potentially affected organizations and conducting a forensic investigation[2][4][7]. Google’s threat analyst Austin Larsen urged companies to audit their SaaS environments, revoke tokens for unused or suspicious apps, and rotate credentials immediately upon detecting anomalous activity[7].
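The audit step described above (revoke tokens for unused or suspicious apps, rotate credentials for affected ones) can be run as a triage pass over an inventory of connected-app OAuth tokens. The following is an added example, not code from the article, Salesforce, or Google; the CSV column names, the sample rows, and the allowlist are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a Salesforce schema.
SAMPLE_CSV = """app_name,publisher,user,last_used,use_count
Gainsight CS,Gainsight,svc-cs@example.com,2025-11-18,4211
Drift Chat,Salesloft,svc-sales@example.com,2025-08-20,977
Old Report Tool,Acme Reports,jdoe@example.com,2025-03-02,12
Unknown Sync,Unlisted Vendor,asmith@example.com,2025-11-20,58
Billing Connector,Acme Billing,svc-bill@example.com,2025-11-21,9034
Trial Widget,Acme Reports,jdoe@example.com,,0
"""

INCIDENT_PUBLISHERS = {"gainsight", "salesloft"}        # vendors named in the reporting
APPROVED_PUBLISHERS = {"acme billing", "acme reports"}  # hypothetical allowlist


def triage_tokens(csv_text, now, stale_days=90):
    """Return (app, user, action, reason) for every token in the export."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        publisher = row["publisher"].strip().lower()
        # An empty last_used means the token was issued but never exercised.
        last_used = (datetime.strptime(row["last_used"], "%Y-%m-%d")
                     if row["last_used"] else None)
        if publisher in INCIDENT_PUBLISHERS:
            # Incident-linked apps: revoke the token and rotate related secrets.
            action, reason = "revoke+rotate", "publisher tied to the incident"
        elif last_used is None or last_used < cutoff:
            action, reason = "revoke", "unused token"
        elif publisher not in APPROVED_PUBLISHERS:
            action, reason = "review", "publisher not on allowlist"
        else:
            action, reason = "keep", "approved and recently used"
        findings.append((row["app_name"], row["user"], action, reason))
    return findings


if __name__ == "__main__":
    for finding in triage_tokens(SAMPLE_CSV, datetime(2025, 11, 21)):
        print(*finding, sep=" | ")
```

The incident check runs first on purpose: an actively used token from an affected publisher is the case a staleness check alone would miss.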
🔄 Updated: 11/21/2025, 8:40:24 PM
Following Google's confirmation that hackers accessed data from over 200 firms via the Gainsight-linked Salesforce breach, shares of Salesforce (CRM) dropped 3.2% in after-hours trading on Friday, closing at $247.80. Market analysts cited renewed concerns over third-party SaaS vulnerabilities, with Jefferies analyst Brent Thill stating, “This incident adds to growing investor unease about supply chain risks in cloud ecosystems.” Gainsight’s parent company, Vista Equity Partners, has not issued a public statement, but tech sector stocks with similar integration models saw modest declines, with CrowdStrike (CRWD) and DocuSign (DOCU) each slipping over 1% on the news.
🔄 Updated: 11/21/2025, 8:50:23 PM
The Gainsight-linked breach, confirmed by Google to have exposed Salesforce-stored data from over 200 firms, is shifting the competitive landscape by highlighting the risks of third-party SaaS dependencies amid rising supply chain attacks[2][11]. Major enterprises like Google, Allianz Life, and Qantas are among the breached, underscoring how vulnerabilities in business apps propagate data risks across sectors, potentially accelerating investments in more secure, vertically integrated platforms to avoid such multipliers[1][2]. Google’s Threat Intelligence Group noted that more than 200 Salesforce instances showed fingerprints of compromise, prompting Salesforce to revoke all Gainsight-connected app tokens, signaling a new defensive posture that may redefine vendor trust in enterprise ecosystems[2].
🔄 Updated: 11/21/2025, 9:00:24 PM
Hackers accessed Salesforce-stored data from over 200 companies following a supply chain breach linked to Gainsight, a customer support app provider, Google confirmed Friday. Austin Larsen of Google's Threat Intelligence Group stated they are aware of "more than 200 potentially affected Salesforce instances," with the ShinyHunters hacking group claiming responsibility for the attack via stolen OAuth tokens[1][2][3]. Salesforce has deactivated Gainsight app access tokens and is notifying affected customers while ongoing investigations by Gainsight and Google’s incident response team are underway[2][3].
🔄 Updated: 11/21/2025, 9:10:23 PM
Following Google's confirmation that hackers accessed Salesforce-stored data from over 200 companies via the Gainsight-linked breach, shares of Salesforce (CRM) dropped 3.2% in after-hours trading Friday, closing at $238.45. Investors also reacted to Gainsight’s parent company, Vista Equity Partners, with tech sector analysts noting increased scrutiny on third-party SaaS vendors, while Salesforce’s chief financial officer stated, “We are working closely with affected customers and have deactivated all active Gainsight OAuth tokens as a precaution.”