LmCast :: Stay tuned in

Deja Vu: Salesforce Customers Hacked Again, Via Gainsight

Recorded: Nov. 22, 2025, 1:02 a.m.

Original

In a repeat of similar attacks during the summer, threat actors affiliated with the ShinyHunters extortion group used a third-party application to steal organizations' Salesforce data.

Nate Nelson, Contributing Writer
November 21, 2025
5 Min Read
Source: Lobro via Alamy Stock Photo

In a near replica of a separate campaign this summer, hackers connected to the ShinyHunters extortion operation have once again breached many organizations' Salesforce instances via a third-party integration.

Following a spring vishing campaign targeting organizations' Salesforce environments, a ShinyHunters-adjacent threat group hit Salesforce again in August. The threat actors performed a supply chain breach through Salesloft's Drift, an integrated application that uses artificial intelligence (AI) to automate marketing and sales processes. They broke into Salesloft, stole OAuth tokens that connect Drift and Salesforce, and used them to reach hundreds of organizations' Salesforce environments, with all of the powers and permissions within Salesforce that those organizations had granted the Drift app.

For example, one of those impacted Salesforce Drift customers was Gainsight, a program for managing customer retention and satisfaction, and itself a Salesforce-connected app like Drift. The company admitted in a security alert that attackers accessed its Drift instance, and the business data associated with it, including business email addresses, product licensing information, and content from customer support cases.

Now, a new, related threat cluster has performed an attack just like the last, but in place of Drift they've used Gainsight, another third-party app widely integrated into Salesforce. And attackers have once again stolen OAuth tokens which they can use to compromise customers' Salesforce instances.

Brian Soby, chief technology officer (CTO) and co-founder at AppOmni, marvels at how easy it has all looked. "I think they just saw the success of the Drift campaign and said, 'Oh, we should do that instead,'" he says. "'Phishing all of these users is way too much work. Let's just go pop a supply chain and take all their credentials and then we're good to go.'"

Researchers from the Google Threat Intelligence Group (GTIG) have publicly attributed the attack to hackers tied to ShinyHunters, and said that more than 200 customer instances have been impacted. DataBreaches.net directly contacted the group, which confirmed responsibility, claiming that between Drift and Gainsight the group has gained access to Salesforce data for nearly 1,000 organizations. Dark Reading has not independently confirmed that these organizations have been affected.

Salesforce's Response: a Double-Edged Sword

Salesforce clarified in a security advisory that "there is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app's external connection to Salesforce." Still, upon detecting the malicious activity, the company took two major steps to contain the damage. First, it revoked all active access and refresh tokens associated with apps published with Gainsight — and Salesforce did it so quickly that Gainsight was initially unaware and attributed the connection failure to a technical error.

Salesforce also temporarily removed those apps from its AppExchange app marketplace.
Though its intentions may have been good, and these steps useful for stemming the attackers, Soby warns that it's a double-edged sword.

"When Salesforce protected their customers legitimately, and deleted all of those tokens, they also deleted all the records of the organizations that they were connected to. So now you have no idea which users and activity you need to go investigate, to find out if something was stolen. And you have no idea what Gainsight used to have the ability to access, because that's all been deleted. So it safeguards customers, but it puts them in a tough position."

He recalls how Salesforce did the same thing in the case of Drift, leaving no records behind for investigations. "Is it net good? Yeah, it's good that Salesforce removed the ongoing access of an active breach. Does it come with tradeoffs? Heavily."

The Gainsight Breach Doesn't End with Salesforce

What's unfortunate is just how simply organizations could have protected themselves from both the Drift and Gainsight attacks, and any similar or follow-on attacks to come.

Soby points out how "with Drift, they came through the application, hit SaaS, and then they started scouring a bunch of different places looking for poorly managed credentials. Well, they shouldn't have had access to 95% of that stuff, because it's a sales intelligence app. Why are you giving Drift broad access to all of your environments?" The solution is that "organizations should [dictate] specifically that in Salesforce, it can access accounts, opportunities, and contacts, and nothing else. That's going to mitigate the problem," he says.

More broadly, organizations need to rethink their relationship with their software-as-a-service (SaaS) platforms. "SaaS applications in general sell themselves on: it's managed for you. It's totally secure, you don't have to do much, just let your business unit run with it. And as it turns out, that's a terrible strategy, because your business units are not that incentivized around security. They're trying to sell, or they're trying to do customer support or marketing. That's what's top of mind. They're not security-minded people," he says.

"So you end up with these situations where the security team thinks that the business unit has it covered, and the business unit doesn't even necessarily realize that's their responsibility," he continues. "There are vendor security teams this week saying: Do we use Gainsight? They're going back to their procurement people and their legal people and they're saying: 'Hey, do we have a contract with a company called Gainsight?'"

In the scramble to identify and secure their Salesforce environments, organizations might also miss that Gainsight also integrates with a wide variety of other platforms, from Slack and Microsoft Teams to HubSpot, Zendesk, ServiceNow, Jira, Snowflake, and many more. All else being equal, there's no reason why any software integrated with Gainsight would be at any less risk today than Salesforce.

Soby thinks that "if you [tell a company] that you need to unplug Gainsight right now, because it's compromised, I bet 99% of companies don't even know where to go. They'll probably go into Salesforce. Do you realize it's also plugged into Snowflake? Do you realize it's plugged into a workspace? Absolutely not."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify.
Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Summarized

The latest incident, mirroring a summer campaign, highlights a concerning trend: organizations are vulnerable to supply chain attacks via third-party applications integrated with Salesforce. Threat actors, affiliated with ShinyHunters, exploited access gained through Salesloft’s Drift application, gaining access to hundreds of Salesforce environments. This tactic, repeated with Gainsight, a program for managing customer retention and satisfaction, underscores the risks associated with granting broad permissions to SaaS applications.

Initial investigations, attributed to Google Threat Intelligence Group, identified over 200 impacted customer instances, with a potential reach of nearly 1,000 organizations, though independent confirmation of these numbers remains pending. Salesforce clarified that the issue stemmed from app access, not a platform vulnerability, and swiftly revoked compromised tokens, demonstrating a reactive response. However, as AppOmni CTO Brian Soby notes, this action simultaneously removed crucial records of connected organizations, hindering forensic investigations and creating a significant challenge for affected companies.
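The forensic gap described above, where a platform-side revocation also erases the record of which users and grants an app held, is avoidable if the org keeps its own periodic snapshot of connected-app OAuth grants and diffs it. The Python below is an added example, not code from Dark Reading, AppOmni, Salesforce or Gainsight; the record fields are modeled on Salesforce's OauthToken object, and every record is constructed sample data.

```python
"""Snapshot-and-diff of connected-app OAuth grants in a Salesforce org.
Added example, not code from Dark Reading, AppOmni, Salesforce or Gainsight.
Fields are modeled on Salesforce's OauthToken object; all records are constructed."""
from collections import defaultdict

# Constructed: nightly export taken before the platform revoked the vendor's tokens.
BEFORE = [
    {"Id": "t1", "AppName": "Gainsight", "UserId": "u-alice", "LastUsedDate": "2025-11-19", "UseCount": 412},
    {"Id": "t2", "AppName": "Gainsight", "UserId": "u-bob", "LastUsedDate": "2025-11-20", "UseCount": 9},
    {"Id": "t3", "AppName": "Gainsight", "UserId": "u-svc-gs", "LastUsedDate": "2025-11-20", "UseCount": 58000},
    {"Id": "t4", "AppName": "Slack", "UserId": "u-alice", "LastUsedDate": "2025-11-20", "UseCount": 77},
    {"Id": "t5", "AppName": "Slack", "UserId": "u-bob", "LastUsedDate": "2025-11-18", "UseCount": 3},
]
# Constructed: the export the morning after. Slack lost one grant (a user disconnected
# it); Gainsight lost every grant at once, as in a platform-side revocation.
AFTER = [BEFORE[3]]

def revoked_grants(before, after):
    """Grants present earlier but absent now, grouped by app. Once the platform
    deletes tokens, the earlier snapshot is the only surviving record."""
    remaining = {g["Id"] for g in after}
    gone = defaultdict(list)
    for g in before:
        if g["Id"] not in remaining:
            gone[g["AppName"]].append(g)
    return dict(gone)

def mass_revocation(before, after):
    """Apps that lost all their grants between snapshots: the signature of a
    platform-side revocation rather than one user disconnecting an app."""
    had = defaultdict(int)
    for g in before:
        had[g["AppName"]] += 1
    gone = revoked_grants(before, after)
    return sorted(app for app, lost in gone.items() if len(lost) == had[app])

def investigation_scope(before, after, app):
    """(user, last used, call count) for each revoked grant of `app`, heaviest
    user first, recovered from the preserved snapshot."""
    lost = revoked_grants(before, after).get(app, [])
    return [(g["UserId"], g["LastUsedDate"], g["UseCount"])
            for g in sorted(lost, key=lambda g: -g["UseCount"])]

if __name__ == "__main__":
    for app in mass_revocation(BEFORE, AFTER):
        print(f"{app}: every grant revoked; review these users first:")
        for user, last, calls in investigation_scope(BEFORE, AFTER, app):
            print(f"  {user:<10} last used {last}  calls {calls}")
```

The same diff run against a live export would also surface which other platforms the vendor was connected to, provided each platform's grants are snapshotted the same way.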

The repeated success of these attacks, exploiting integrations with platforms like Drift and Gainsight, reveals a critical oversight: organizations often extend excessive privileges to applications, creating vulnerable access points. Soby argues that organizations should meticulously dictate what SaaS applications can access within Salesforce, limiting access to accounts, opportunities, and contacts, to mitigate this risk. This strategy is particularly relevant given the increasing prevalence of SaaS applications integrated across multiple platforms, including Slack, Microsoft Teams, Zendesk, and ServiceNow.

The Gainsight breach amplifies a larger concern about the security posture of SaaS deployments. As Soby points out, many organizations adopt a "managed for you" approach with SaaS, assuming the vendor handles security. This creates a critical blind spot, as organizations fail to proactively manage security permissions and access controls for these integrated applications. The incident with Gainsight, coupled with the prior Drift attack, underscores the necessity for a more discerning approach to SaaS integrations, requiring organizations to actively manage and limit the capabilities of supporting software. It also highlights the potential for widespread damage if organizations fail to adopt a security-conscious strategy when selecting and integrating SaaS solutions.