- Gainsight apps allowed unauthorized access to Salesforce data, resulting in revocation and deletion of AppExchange tokens.
- August 2025 Salesloft breach incident where OAuth tokens exposed 1.5 billion records
- ShinyHunters used stolen secrets to steal customer contact information and license information from Gainsight
The Salesloft Drift incident also appears to have affected Gainsight, potentially resulting in hundreds of companies losing their sensitive data to hackers.
Salesforce confirmed that “unusual activity” has occurred regarding apps published by Gainsight and connected to Salesforce.
Salesforce says some of these apps “may have allowed unauthorized access to some customers’ Salesforce data,” forcing the company to revoke all active access and refresh tokens associated with Gainsight-published apps connected to Salesforce. Additionally, the apps have been temporarily removed from the AppExchange.
ShinyHunters takes responsibility
“There is no indication that this issue is due to a vulnerability in the Salesforce platform,” the message reads. “The activity appears to be related to the app’s remote connection to Salesforce. We have immediately notified known affected customers and will continue to provide any necessary updates.”
Gainsight is a company that creates a “customer success platform” that helps companies manage and improve customer relationships after the sale (eg onboarding, adoption, retention or renewal).
The company also develops several applications and integrations, some of which run natively within Salesforce, while others connect via APIs.
At the same time, BeepTeam claims the incident is actually a continuation of the August 2025 Salesloft breach.
In this case, a group of criminals called “Scatter$Loop Hunters” stole the OAuth tokens that Salesloft had used for its Drift AI chat integration with Salesforce, giving them direct API access to customers’ Salesforce data.
Using the stolen tokens, they gained access to approximately 760 Salesforce instances and exfiltrated 1.5 billion records, including passwords, AWS keys, and Snowflake tokens.
Now, a member of the same group, ShinyHunters, told the publication that they broke into Gainsight using secrets stolen during the Salesloft incident.
Gainsight also confirmed this attack, saying the perpetrators took company contact information such as names, company email addresses, phone numbers, region/location information, license information, and support request content.