Salesforce

Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers.

The cloud-based software company noted that this doesn’t stem from a vulnerability in its customer relationship management (CRM) platform since all evidence points to the malicious activity being related to the app’s external connection to Salesforce.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” it said in a Thursday morning advisory.

“Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.”

Salesforce has alerted all impacted customers of this incident and advised those requiring further assistance to reach out to the Salesforce Help team.

While the company hasn’t provided more details regarding these attacks, this incident is similar to the August 2025 Salesloft breach, when an extortion group known as “Scattered Lapsus$ Hunters” stole sensitive information, including passwords, AWS access keys, and Snowflake tokens, from customers’ Salesforce instances, using stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce.

The ShinyHunters extortion group told at the time that the Salesloft data theft attacks affected around 760 companies, resulting in the theft of 1.5 billion Salesforce records.

Companies known to have been impacted in the Salesloft attacks include Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Nutanix, Qualys, and Cato Networks, among many others.

Today, in messages exchanged with , ShinyHunters claimed they gained access to another 285 Salesforce instances after breaching Gainsight via secrets stolen in the Salesloft Drift breach.

Gainsight previously confirmed it was breached via stolen OAuth tokens linked to Salesloft Drift and said the attackers accessed business contact details, including names, business email addresses, phone numbers, regional/location details, licensing information, and support case contents.

reached out to Gainsight with questions about the data theft attacks related to Gainsight applications, but a response was not immediately available.

Update November 21, 15:30 EST: Palo Alto Networks reached out after the article was published to clarify that it wasn’t impacted by the Gainsight supply chain attack.

“On November 19, 2025, Palo Alto Networks identified errors within our internal Gainsight integration and immediately disabled the application,” a spokesperson told .

“Based on the results of our internal forensic investigation using Cortex XSIAM and definitive confirmation from Salesforce that our specific instance was not affected, we can confirm we were not impacted by this security event. At no time were any Palo Alto Networks products or services impacted.”
