Google has confirmed what security researchers feared: a chain attack that began through Gainsight apps led to a large-scale data theft from Salesforce, with more than 200 global companies potentially affected. New details are now emerging about how attackers moved from a third-party app into enterprise records.
How the attack played out
According to reports and statements from affected vendors, the intrusion started through Gainsight — a popular customer-success and integration tool — and allowed attackers to access data stored in Salesforce instances. Hackers apparently leveraged authentication tokens from prior breaches of third-party customers, giving them a way to impersonate integrations and download data from connected Salesforce orgs.
TechCrunch and other outlets say the group calling itself Scattered Lapsus$ Hunters, which includes members from ShinyHunters and other teams, claimed responsibility. In conversations with media, ShinyHunters said they used access gained via an earlier compromise of Salesloft customers and stolen Drift tokens to reach Gainsight and, from there, Salesforce.
Google added that a large number of Salesforce instances are likely impacted. Salesforce pushed back on the idea of a platform-wide flaw, saying the incident did not stem from a vulnerability in its core service. Still, the chain of third-party integrations shows how a breach in one vendor can cascade across many customers.

Who’s named — and who denies it
Scattered Lapsus$ Hunters listed several high-profile companies among the victims, including Atlassian, CrowdStrike, DocuSign and LinkedIn. Some firms immediately pushed back: CrowdStrike and DocuSign said they have found no evidence of data exfiltration from their systems. CrowdStrike also disclosed it fired an employee suspected of collaborating with attackers.
Other organizations such as Verizon, Malwarebytes and Thomson Reuters said they are investigating the claims but have not provided definitive conclusions. The mixed responses underline the uncertainty that follows large supply-chain-style breaches, where public accusations may outpace forensic results.
Gainsight is working with incident responders at Mandiant to trace the root cause, and Salesforce temporarily disabled integration tokens tied to Gainsight as a precaution while investigations continue.
For enterprises, the episode is a reminder to audit third-party app connections, rotate and revoke stale tokens, and monitor access patterns for unusual downloads or API behavior. When integrations are compromised, the blast radius can reach far beyond a single vendor — and validation from multiple investigators is often needed before the full impact is clear.