Massive Data Breach Exposes Over 200 Companies via Gainsight’s Salesforce Integration
In a significant cybersecurity incident, Google has confirmed that hackers have infiltrated the Salesforce databases of more than 200 companies through vulnerabilities in applications developed by Gainsight, a customer success platform. This breach underscores the escalating risks associated with third-party integrations in cloud-based services.
On November 20, 2025, Salesforce disclosed that certain customer data had been compromised via Gainsight-published applications connected to Salesforce. These applications, installed and managed directly by customers, became the conduit for unauthorized access. Salesforce emphasized that there is no indication the breach resulted from any vulnerability within the Salesforce platform itself, suggesting the issue originated from Gainsight’s external connection to Salesforce.
Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, stated that the company is aware of more than 200 potentially affected Salesforce instances. This revelation highlights the extensive reach of the breach and the potential impact on a vast array of businesses relying on these integrated services.
The hacking collective known as Scattered Lapsus$ Hunters, which includes the notorious ShinyHunters group, has claimed responsibility for these attacks. In a Telegram channel, the group listed several high-profile companies as victims, including Atlassian, CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
CrowdStrike responded by stating that it is not affected by the Gainsight issue and that all customer data remains secure. However, the company confirmed the termination of a suspicious insider for allegedly passing information to hackers. Verizon acknowledged awareness of the unsubstantiated claim by the threat actor but did not provide further details. Malwarebytes and Thomson Reuters indicated that their security teams are actively investigating the matter. DocuSign’s Chief Information Security Officer, Michael Adams, reported no indication of data compromise but has taken precautionary measures, including terminating all Gainsight integrations.
This incident is part of a broader pattern of cyberattacks targeting third-party service providers to gain access to larger networks. Earlier this year, similar breaches occurred involving Salesloft and Drift, where hackers exploited authentication tokens to access linked Salesforce instances. The ShinyHunters group has been implicated in these previous attacks, demonstrating a persistent threat to cloud-based platforms and their integrations.
The Gainsight breach serves as a stark reminder of the vulnerabilities inherent in third-party integrations. Companies must exercise due diligence in vetting and monitoring their external partners, ensuring robust security measures are in place to protect sensitive data. Regular audits, stringent access controls, and comprehensive incident response plans are essential components of a resilient cybersecurity strategy.
As investigations continue, affected companies are urged to assess the extent of the breach, communicate transparently with stakeholders, and implement corrective actions to prevent future incidents. The cybersecurity community must remain vigilant, sharing intelligence and best practices to fortify defenses against increasingly sophisticated cyber threats.