The incident at **Gainsight** was a downstream effect of the **August 2025 Salesloft breach**, in which the **Scattered Lapsus$ Hunters** group stole **OAuth tokens** tied to Salesloft's Drift AI chat integration with Salesforce. Those tokens granted unauthorized API access to **760 Salesforce instances** and led to the exfiltration of **1.5 billion records**, including passwords, AWS keys, and Snowflake tokens. A subgroup, **ShinyHunters**, used the stolen credentials to breach **Gainsight's systems**, extracting **customer contact data** (names, business emails, phone numbers, regional details), **licensing information**, and **support case contents**. Salesforce responded by **revoking all active Gainsight-associated tokens** and **temporarily removing Gainsight's apps from the AppExchange** to limit further exposure. Salesforce stated that its platform itself was not vulnerable; the breach originated in **Gainsight's external app connections**, and it exposed sensitive corporate and customer data across hundreds of organizations.
Gainsight cybersecurity rating report: https://www.rankiteo.com/company/gainsight
{
"id": "GAI0292402112125",
"linkid": "gainsight",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Hundreds (Potential)',
'industry': 'SaaS/Enterprise Software',
'name': 'Gainsight',
'type': 'Customer Success Platform Provider'},
{'industry': 'Multiple (Salesforce Ecosystem)',
'location': 'Global',
'name': 'Salesforce Customers (via Gainsight Apps)',
'type': ['B2B Enterprises', 'SaaS Users']},
{'customers_affected': '760 Salesforce Instances (1.5B '
'Records Exfiltrated)',
'industry': 'SaaS',
'name': 'Salesloft (Upstream Breach)',
'type': 'Sales Engagement Platform'}],
'attack_vector': ['Stolen OAuth Tokens', 'API Abuse', 'Supply Chain Attack'],
'customer_advisories': ['Revoked Tokens', 'App Removal from AppExchange'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': ['1.5 Billion (Salesloft Breach)',
'Undisclosed (Gainsight '
'Breach)'],
'personally_identifiable_information': ['Business PII (Names, '
'Emails, Phone '
'Numbers)'],
'sensitivity_of_data': ['Moderate to High (Business PII, '
'Credentials, API Keys)'],
'type_of_data_compromised': ['Business Contact Details '
'(Names, Emails, Phone Numbers)',
'Licensing Information',
'Support Case Contents',
'Regional/Location Details',
'Passwords (Salesloft Breach)',
'AWS Keys (Salesloft Breach)',
'Snowflake Tokens (Salesloft '
'Breach)']},
'description': 'Gainsight applications enabled unauthorized access to '
'Salesforce customer data due to stolen OAuth tokens linked to '
'the August 2025 Salesloft breach. The threat actor group '
'ShinyHunters exploited these tokens to exfiltrate Gainsight '
'customer contact and licensing data. Salesforce revoked all '
'active and refresh tokens associated with Gainsight-published '
'apps and temporarily removed them from the AppExchange. The '
'incident is a downstream effect of the Salesloft Drift '
'breach, where 1.5 billion records (including passwords, AWS '
'keys, and Snowflake tokens) were exfiltrated from 760 '
'Salesforce instances by the Scattered Lapsus$ Hunters group.',
'impact': {'brand_reputation_impact': ['Loss of Trust', 'Negative Publicity'],
'data_compromised': True,
'identity_theft_risk': ['Business Contact Details Exposed'],
'operational_impact': ['Token Revocation',
'AppExchange Removal',
'Customer Notifications'],
'systems_affected': ['Salesforce Instances (760 in Salesloft '
'breach)',
'Gainsight-published Applications']},
'initial_access_broker': {'data_sold_on_dark_web': ['Likely (Historical '
'ShinyHunters Behavior)'],
'entry_point': 'Stolen OAuth Tokens (Salesloft '
'Drift Integration)',
'high_value_targets': ['Salesforce Customer Data',
'Gainsight Licensing Data']},
'investigation_status': 'Ongoing (Customer Notifications in Progress)',
'motivation': ['Data Theft',
'Financial Gain (Potential Dark Web Sale)',
'Reputation Damage'],
'post_incident_analysis': {'root_causes': ['Weak OAuth Token Security '
'(Salesloft)',
'Supply Chain Vulnerability '
'(Gainsight Apps Relying on '
'Compromised Tokens)',
'Insufficient API Access '
'Controls']},
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'TechRadar'},
{'source': 'BleepingComputer'},
{'source': 'Salesforce Public Announcement'}],
'response': {'communication_strategy': ['Direct Customer Notifications',
'Public Statement'],
'containment_measures': ['Token Revocation (OAuth/Refresh '
'Tokens)',
'AppExchange Removal'],
'incident_response_plan_activated': True,
'remediation_measures': ['Customer Notifications',
'Investigation']},
'stakeholder_advisories': ['Direct Notifications to Affected Customers'],
'threat_actor': ['ShinyHunters', 'Scattered Lapsus$ Hunters'],
'title': 'Gainsight Unauthorized Salesforce Data Access via Stolen OAuth '
'Tokens',
'type': ['Data Breach', 'Unauthorized Access', 'Credential Theft'],
'vulnerability_exploited': 'Weak or Stolen OAuth Token Management (External '
'App Connection to Salesforce)'}