Gainsight hacked

Massive Gainsight Supply Chain Attack Compromises 200+ Salesforce Customer Instances: ShinyHunters Threat Group Abuses Stolen OAuth Tokens

Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack.

This breach is one of the more significant supply chain attacks of 2025. Rather than exploiting a platform vulnerability, the attackers used a trusted third-party integration's own delegated access to reach hundreds of organizations at once. The Gainsight incident shows the cascading risk in cloud ecosystems, where a single vendor compromise exposes that vendor's entire customer base to data theft and extortion.

On Thursday, Salesforce disclosed a breach of “certain customers’ Salesforce data” — without naming affected companies — that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.

Critical threat landscape developments:

Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company “is aware of more than 200 potentially affected Salesforce instances.”

The scope of the attack, spanning enterprise customers across multiple industries, reinforces the need for third-party risk management, OAuth security hardening, and vendor assessment programs that can detect and contain authentication token compromise at scale. A customer cannot prevent a vendor's token store from being stolen; it can limit what those tokens are allowed to do and notice when they are used abnormally.

Attribution and threat actor profile:

After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel.

The Scattered Lapsus$ Hunters collective, which draws on ShinyHunters, Scattered Spider, and Lapsus$ members, ran a multi-stage campaign built on stolen OAuth tokens across interconnected SaaS platforms: compromise one vendor, take its customers' tokens, and repeat from the next vendor down the chain.

This analysis examines the attack chain behind the Gainsight breach, estimates enterprise exposure from third-party security incidents, profiles the Scattered Lapsus$ Hunters collective, and lays out security controls for limiting the damage from OAuth token compromise and managing vendor risk.


Understanding the Gainsight Breach: Technical Attack Chain and Methodology

The Supply Chain Attack Vector

What is Gainsight and why does it access customer data?

Gainsight operates as a customer success platform enabling organizations to manage post-sale customer relationships including onboarding, adoption tracking, retention analysis, and renewal forecasting. These functions require deep integration with customer relationship management systems, particularly Salesforce, necessitating broad data access permissions.

OAuth integration architecture creating attack surface:

Gainsight applications connect to Salesforce via OAuth 2.0 authentication, obtaining delegated access tokens that enable:

  • Reading customer account records and contact information
  • Accessing opportunity pipelines and sales forecasts
  • Retrieving support ticket histories and case data
  • Analyzing product usage telemetry and engagement metrics
  • Synchronizing customer health scores and success plans

When Gainsight's infrastructure or its token store is compromised, the attackers inherit this delegated access. Because an OAuth token is issued after authentication, MFA and login-time controls on the customer's Salesforce org never see the attacker; unless IP restrictions are enforced for the connected app, the API calls arrive with a valid token from a known app and look like routine synchronization, so controls keyed on login events do not fire.

The Multi-Stage Attack Campaign

Hackers with the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift.

Attack timeline and progression (reconstructed from the reporting above; the quoted statements and Google's instance count are the confirmed parts):

Stage 1: Initial Salesloft Compromise (March 2025)

  • Attackers compromised Salesloft’s GitHub account through credential theft
  • Harvested OAuth client secrets and API keys from repositories
  • Mapped Salesloft’s customer integration architecture
  • Identified downstream targets with valuable data access

Stage 2: Drift Customer Token Theft (August 2025)

  • In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their linked Salesforce instances and download their contents.
  • More than 700 Salesforce customer instances (roughly 760 by some counts) were affected by that campaign
  • The group claimed to have taken 1.5 billion records; the stolen data was searched for credentials and integration secrets
  • Gainsight, itself a Drift customer, was among the organizations whose Salesforce data was reached this way

Stage 3: Gainsight Infrastructure Infiltration (September-October 2025)

  • At the time, Gainsight confirmed it was among the victims of that hacking campaign.
  • “Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us,” a spokesperson for the ShinyHunters group told TechCrunch.
  • Attackers reused the access obtained from Gainsight's own Salesloft Drift exposure
  • Reached the infrastructure holding Gainsight's OAuth tokens for its customer integrations (per the group's claim; Gainsight's forensic review is ongoing)
  • Obtained OAuth tokens for Gainsight's integrations on 200+ customer Salesforce instances

Stage 4: Mass Data Exfiltration (October-November 2025)

  • Systematic API calls to Salesforce instances using Gainsight tokens
  • Extraction of customer relationship data, contact records, opportunity information
  • Harvesting of support case details and customer success metrics
  • Collection of integration credentials for further lateral movement

Stage 5: Extortion Campaign Preparation (November 2025)

  • In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week.
  • Data cataloging and victim identification
  • Preparation of leak site infrastructure
  • Ransom demand formulation for affected organizations

Why Salesforce Platforms Became Prime Targets

The strategic value of CRM data:

Salesforce instances contain comprehensive business intelligence making them high-value targets:

Customer relationship intelligence:

  • Complete account hierarchies with organizational structures
  • Decision-maker contact information including email and phone
  • Relationship histories documenting interactions and communications
  • Competitive positioning and deal progression data
  • Contract terms, pricing information, and renewal timelines

Operational and financial data:

  • Sales pipelines with revenue forecasts and probability weightings
  • Product adoption metrics and feature utilization patterns
  • Support ticket histories revealing technical issues and complaints
  • Customer health scores predicting churn and expansion opportunities
  • Financial data including annual contract values and payment terms

Strategic business information:

  • Go-to-market strategies and sales methodologies
  • Competitive intelligence from win/loss analysis
  • Market segmentation models and targeting criteria
  • Partnership ecosystems and channel relationships
  • Product roadmaps and strategic initiatives

Affected Organizations and Impact Assessment

Confirmed and Claimed Victims

The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, Linkedin, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

High-profile organizations named by attackers:

Company | Industry | Verification status | Potential data exposure (speculative)
Atlassian | Enterprise software | Unconfirmed | Customer accounts, support tickets, product usage
CrowdStrike | Cybersecurity | Denied: "not affected" | N/A; claim disputed
Docusign | Digital transactions | Investigating | Contract data, signature workflows, customer contacts
F5 | Network security | No response | Customer deployments, support cases, licensing
GitLab | DevOps platform | No response | Customer accounts, repository metadata, support data
LinkedIn | Professional network | No response | Enterprise customer data, advertising accounts
Malwarebytes | Cybersecurity | Investigating | Customer accounts, threat intelligence, support data
SonicWall | Network security | No response | Firewall customers, support cases, licensing data
Thomson Reuters | Legal/financial information | Investigating | Customer accounts, subscription data, usage patterns
Verizon | Telecommunications | Calls the claim "unsubstantiated" | Potentially enterprise customer data

Victim response statements:

CrowdStrike categorical denial: CrowdStrike’s spokesperson Kevin Benacci told TechCrunch in a statement that the company is “not affected by the Gainsight issue and all customer data remains secure.”

However, CrowdStrike confirmed to TechCrunch that it terminated a “suspicious insider” for allegedly passing information to hackers.

CrowdStrike's statement ties the insider to information passed to the hackers, not to the Gainsight integration. It shows the group has more than one route into its targets; it does not confirm that the Gainsight claim against CrowdStrike is accurate.

Verizon disputed claims: Verizon spokesperson Kevin Israel said in a statement that “Verizon is aware of the unsubstantiated claim by the threat actor,” without saying what the company had checked to reach that conclusion.

Malwarebytes active investigation: Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company’s security team is “aware” of the Gainsight and Salesforce issues and “actively investigating the matter.”

Thomson Reuters investigation underway: A spokesperson for Thomson Reuters said the company is “actively investigating.”

The 200+ Organization Impact

While only specific high-profile victims have been publicly named, Google is aware of more than 200 potentially affected Salesforce instances.

Likely victim profile (inferred from Gainsight's customer base; Salesforce has not named affected customers):

Industry distribution:

  • Technology and software companies using Gainsight for product adoption tracking
  • Financial services institutions managing customer success programs
  • Healthcare organizations tracking patient engagement
  • Professional services firms monitoring client relationships
  • Manufacturing companies with customer support integration

Organization size:

  • Mid-market to enterprise organizations (typically 500+ employees)
  • Companies with sophisticated customer success operations
  • Organizations with complex Salesforce implementations
  • Businesses prioritizing customer retention and expansion revenue
  • SaaS companies tracking product engagement metrics

Geographic distribution:

  • Primarily North American organizations
  • European companies with Salesforce deployments
  • Global enterprises with regional customer success teams
  • Multi-national corporations with distributed operations

Quantifying Enterprise Impact

Direct breach consequences:

Data exposure categories:

  • Customer contact information and relationship data
  • Commercial contracts and pricing information
  • Support case histories and technical documentation
  • Product usage analytics and engagement metrics
  • Integration credentials for connected systems

Financial impact estimation (illustrative per-organization ranges, not figures disclosed by any victim):

Cost category | Per-organization range | Contributing factors
Incident response | $150,000 – $500,000 | Forensics, investigation, containment, remediation
Customer notification | $75,000 – $300,000 | Breach disclosure, call centers, communication campaigns
Legal and regulatory | $200,000 – $1,000,000+ | Counsel fees, regulatory response, potential investigations
Competitive intelligence loss | Not quantifiable | Stolen sales strategies, customer targeting, competitive positioning
Reputation damage | Long-term revenue impact | Customer trust erosion, brand perception degradation
Security enhancement | $250,000 – $1,000,000+ | OAuth security, third-party risk management, monitoring upgrades

Aggregate industry impact:

With 200+ organizations affected:

  • Total incident response costs: $30M – $100M+
  • Regulatory investigation costs: $40M – $200M+
  • Long-term competitive disadvantage: Unquantifiable
  • Industry-wide security investment trigger: $50M – $200M

Threat Actor Profile: Scattered Lapsus$ Hunters and ShinyHunters Collective

Understanding the Adversary

The Scattered Lapsus$ Hunters is a collective of English-speaking hackers made up of several cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into granting the hackers access to their systems or databases.

Constituent hacking groups:

ShinyHunters:

  • Financially-motivated cybercriminal organization
  • History of large-scale data breaches and database theft
  • Specialization in credential compromise and API exploitation
  • Previous victims include Microsoft, AT&T, and numerous other enterprises
  • Operates data leak sites for extortion and resale

Scattered Spider:

  • Sophisticated social engineering specialists
  • Expert phishing and vishing (voice phishing) capabilities
  • Known for targeting IT help desks and service providers
  • Previous high-profile attacks on MGM Resorts, Caesars Entertainment
  • Mostly young, English-speaking members with strong technical skills

Lapsus$:

  • Aggressive extortion-focused hacking collective
  • Public-facing operations with Telegram announcements
  • History of attacking technology companies and critical infrastructure
  • Previous victims include Okta, Microsoft, Nvidia, Samsung
  • Notable for brazen public disclosure tactics

Tactics, Techniques, and Procedures

Attack methodology patterns:

Initial access techniques:

  • GitHub repository compromise for credential harvesting
  • Social engineering targeting IT support personnel
  • Phishing campaigns against administrative users
  • SIM swapping to bypass multi-factor authentication
  • Insider recruitment and information purchase

Persistence mechanisms:

  • OAuth token theft and refresh token collection
  • Backdoor account creation in compromised systems
  • Credential harvesting for long-term access
  • Supply chain position establishment
  • Multiple access vector maintenance

Privilege escalation:

  • Abusing over-broad OAuth scopes granted to integrations
  • Leveraging stolen administrative credentials
  • Abusing trust relationships between vendors
  • API key compromise enabling elevated access
  • Service account takeover

Data exfiltration:

  • Bulk API calls appearing as legitimate application traffic
  • Gradual data extraction avoiding detection thresholds
  • Compression and staging before external transfer
  • Use of legitimate cloud storage for data staging
  • Encryption of stolen data to avoid DLP detection

Extortion operations:

This is the group’s modus operandi; in October, the hackers also published a similar extortion website after stealing victims’ Salesforce data in the Salesloft incident.

Double extortion tactics:

  • Public leak site establishment threatening data disclosure
  • Private ransom demands to individual victims
  • Staged data releases increasing pressure
  • Selling stolen data on criminal marketplaces
  • Reputational damage through public attribution

Historical Victim Pattern

In the last few years, these groups have claimed several high-profile victims, such as MGM Resorts, Coinbase, DoorDash, and more.

Notable previous campaigns:

  • MGM Resorts ransomware attack (September 2023): $100M+ losses
  • Coinbase employee credential theft (2023): Stolen personnel information
  • DoorDash customer data breach (2022): Compromised via Twilio
  • Okta authentication service breach (2022): Customer impact
  • Nvidia proprietary data theft (2022): Source code and credentials

Evolution of attack sophistication:

The progression from individual company compromises to systematic supply chain attacks demonstrates advancing capabilities:

  • 2022-2023: Direct target attacks via social engineering
  • 2024: Supply chain reconnaissance and vendor identification
  • 2025: Multi-stage supply chain campaigns with cascading impact
  • Future trajectory: Increased automation and systematic exploitation

Vendor Response and Security Posture

Salesforce Official Position

On Thursday, Salesforce said there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” effectively distancing itself from its customers’ data breaches.

Salesforce security controls implemented:

“Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues,” according to Gainsight’s incident page, which said Salesforce is notifying affected customers whose data was stolen.

Critical assessment of platform responsibility:

While it is technically accurate that the Salesforce platform itself was not compromised, the statement overlooks the shared-responsibility gaps this incident exposes:

  • The connected-app model grants broad, long-lived delegated access by design, and many integrations are installed with the 'full' or 'api' plus 'refresh_token' scopes
  • Token abuse is invisible to login-time controls: a stolen OAuth token is already past MFA and, unless IP restrictions are enforced for the app, past login IP checks
  • Behavioral monitoring of API usage (Event Monitoring and Transaction Security policies) exists but is part of the paid Shield add-on, is opt-in, and is rarely baselined per connected app
  • Customers can see which connected apps are authorized (the Connected Apps OAuth Usage page) but get little visibility into what those apps actually read
  • Revoking an app's tokens is a manual, per-org step unless the platform does it centrally, as Salesforce did here

Gainsight Incident Response

Gainsight has been publishing updates about the incident on its incident page. On Friday, the company said that it is now working with Google’s incident response unit Mandiant to help investigate the breach.

Gainsight’s stated position:

Gainsight said the incident “originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform,” and that “a forensic analysis is continuing as part of a comprehensive and independent review.”

Timeline of Gainsight response:

  • Initial compromise: September-October 2025 (estimated)
  • Public disclosure trigger: Salesforce advisory November 20, 2025
  • Mandiant engagement announced: Friday, November 21, 2025
  • Ongoing forensic investigation and customer notification

Vendor accountability questions:

Open questions about Gainsight's security posture (the public record does not yet answer them):

  • Whether the Salesloft Drift compromise Gainsight acknowledged was fully contained before the same access was reused against it
  • How customer OAuth tokens were stored and segmented, such that one vendor compromise could expose tokens for 200+ customer instances
  • What monitoring existed on token use, and why the unusual activity was surfaced by Salesforce rather than by Gainsight
  • How long the attackers had access; if the estimated September-October start holds, that is weeks of undetected use
  • When a full root cause and timeline will be published

Strategic Security Recommendations

Priority 1: OAuth Token Security Hardening

Implementing least-privilege OAuth scopes:

Organizations must audit and restrict third-party application permissions:

```yaml
OAuth_Security_Framework:
  Token_Management:
    - Keep access tokens short-lived (minutes, bound to the session timeout)
    - Expire refresh tokens on a fixed schedule (30 days maximum) or after inactivity
    - Use certificate-based (JWT bearer) authentication for server-to-server apps where supported
    - Enforce IP allowlists for OAuth applications instead of relaxing IP restrictions
    - Restrict API access geographically where the integration's origin is known

  Scope_Restrictions:
    - Grant the minimum scopes only; never 'full' for an integration
    - Prohibit bulk export capabilities unless justified
    - Restrict access to sensitive data fields
    - Apply row-level sharing rules to the integration user
    - Mask data presented to third-party applications

  Monitoring_Controls:
    - Real-time anomaly detection on connected-app API usage
    - Behavioral baselines per app (calls, rows returned, source IPs)
    - Automated alerting for bulk data access
    - Impossible-travel and new-source-IP detection
    - Rate limiting and throttling enforcement
```
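A concrete way to apply the Scope_Restrictions and Token_Management items above is to audit every connected app against them before an incident forces the question. The script below is an added example, not code from the article, Salesforce or Gainsight: it scores connected-app records against a least-privilege policy. The scope names and policy labels mirror the options shown in Salesforce connected-app settings; the app records, field names and severity thresholds are assumptions constructed for the example.

```python
"""Least-privilege review of OAuth connected apps.

Added example, not code from the original article, Salesforce or Gainsight.
Scope names and policy labels follow the options in Salesforce connected-app
settings; the app records in sample_apps() are constructed.
"""
from dataclasses import dataclass
from typing import List, Set

BROAD_SCOPES = {"full", "api", "web"}                    # wide API or UI access
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}  # tokens outlive the session


@dataclass
class ConnectedApp:
    name: str
    scopes: Set[str]
    ip_relaxation: str          # "Enforce IP restrictions" | "Relax IP restrictions" | ...
    refresh_policy: str         # "valid until revoked" | "expire after N days" | "immediately expire"
    refresh_max_days: int = 0   # only meaningful with "expire after N days"
    permitted_users: str = "All users may self-authorize"


@dataclass
class Finding:
    app: str
    severity: str   # high | medium | low
    issue: str


def audit_app(app: ConnectedApp, max_refresh_days: int = 30) -> List[Finding]:
    """Return the least-privilege violations for one connected app."""
    found = []
    broad = app.scopes & BROAD_SCOPES
    persistent = app.scopes & PERSISTENT_SCOPES
    if "full" in app.scopes:
        found.append(Finding(app.name, "high",
            "'full' scope: the app inherits every permission of the authorizing user"))
    if broad and persistent and app.ip_relaxation != "Enforce IP restrictions":
        # This is the Gainsight-style exposure: a stolen refresh token that
        # keeps working from infrastructure the customer has never seen.
        found.append(Finding(app.name, "high",
            f"broad scopes {sorted(broad)} plus long-lived tokens without IP enforcement: "
            "a stolen refresh token can be replayed from any network"))
    if persistent and app.refresh_policy == "valid until revoked":
        found.append(Finding(app.name, "medium",
            "refresh token never expires; a stolen token stays valid until someone revokes it"))
    elif (persistent and app.refresh_policy == "expire after N days"
          and app.refresh_max_days > max_refresh_days):
        found.append(Finding(app.name, "medium",
            f"refresh token lifetime {app.refresh_max_days}d exceeds the {max_refresh_days}d maximum"))
    if app.permitted_users != "Admin approved users are pre-authorized":
        found.append(Finding(app.name, "low",
            "any user may self-authorize; limit to admin-approved profiles or permission sets"))
    return found


def audit(apps: List[ConnectedApp]) -> List[Finding]:
    """Audit a whole inventory; findings keep inventory order."""
    return [f for app in apps for f in audit_app(app)]


def sample_apps() -> List[ConnectedApp]:
    """Constructed records: one over-privileged integration, one hardened."""
    return [
        ConnectedApp("CS-Platform (as installed)", {"full", "refresh_token"},
                     "Relax IP restrictions", "valid until revoked"),
        ConnectedApp("CS-Platform (hardened)", {"api", "refresh_token"},
                     "Enforce IP restrictions", "expire after N days", 30,
                     "Admin approved users are pre-authorized"),
    ]


if __name__ == "__main__":
    for f in audit(sample_apps()):
        print(f"[{f.severity:6}] {f.app}: {f.issue}")
```

Run it against an export of your org's connected apps. Any app that earns the "broad scopes plus long-lived tokens without IP enforcement" finding is one whose stolen refresh token would work from an attacker's infrastructure, which is exactly the scenario this breach describes.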

Priority 2: Comprehensive Third-Party Risk Management

Vendor security assessment framework:

Pre-contract evaluation:

  • SOC 2 Type II audit verification (current within 12 months)
  • Penetration testing results review (annual minimum)
  • Incident response plan documentation and testing evidence
  • Data encryption standards (at-rest and in-transit)
  • OAuth implementation security architecture review
  • Breach notification SLAs and contractual commitments
  • Cyber insurance coverage verification

Continuous vendor monitoring:

```python
from typing import Callable, Dict

# Composite score runs 0-100; above this the vendor goes to review.
CRITICAL_THRESHOLD = 70

# Each indicator is scored 0-100 by its collector; weights sum to 1.0.
# Collectors are injected so the routine runs the same whether the data comes
# from a breach database, a security-ratings API, a certification check,
# a dark-web monitor, news search, a public-repository scan, or an
# exposed-endpoint assessment.
INDICATOR_WEIGHTS = {
    'breach_history': 0.25,
    'security_ratings': 0.15,
    'certificate_status': 0.10,
    'dark_web_exposure': 0.20,
    'news_monitoring': 0.10,
    'github_leaks': 0.15,
    'api_security': 0.05,
}


def calculate_composite_risk(risk_indicators: Dict[str, float]) -> float:
    """Weighted average of the indicator scores, each clamped to 0-100."""
    return sum(INDICATOR_WEIGHTS[name] * max(0.0, min(100.0, score))
               for name, score in risk_indicators.items() if name in INDICATOR_WEIGHTS)


def vendor_risk_monitoring(vendor_id: str,
                           collectors: Dict[str, Callable[[str], float]],
                           registry: Dict[str, dict],
                           on_critical: Callable[[str, float, dict], None] = None) -> dict:
    """
    Automated vendor security posture tracking.

    collectors  -- indicator name -> callable(vendor_id) returning a 0-100 score
    registry    -- caller-owned store of the latest assessment per vendor
    on_critical -- hook that opens the vendor review, notifies security
                   leadership and decides whether to revoke the vendor's access
    """
    risk_indicators = {name: collect(vendor_id) for name, collect in collectors.items()}
    risk_score = calculate_composite_risk(risk_indicators)

    if risk_score > CRITICAL_THRESHOLD and on_critical is not None:
        on_critical(vendor_id, risk_score, risk_indicators)

    registry[vendor_id] = {'score': risk_score, 'indicators': risk_indicators}
    return registry[vendor_id]
```

Contractual protections:

  • Right-to-audit clauses enabling customer security assessments
  • Breach notification within 24 hours of discovery
  • Liability provisions for vendor-caused security incidents
  • Indemnification for third-party claims resulting from breach
  • Insurance requirements with adequate coverage limits
  • Termination rights for security control failures

Priority 3: Defense-in-Depth Security Architecture

Layered security controls:

Network-level protections:

  • API gateway implementing request validation and filtering
  • DLP (Data Loss Prevention) scanning API responses
  • Geographic access restrictions
  • TLS inspection for encrypted traffic analysis
  • WAF (Web Application Firewall) for API protection

Application-level controls:

  • Field-level encryption for sensitive data
  • Tokenization of personal information
  • Data masking for non-production environments
  • Query result size limitations
  • Export functionality restrictions

Data-level protections:

  • Column-level access control
  • Row-level security policies
  • Audit logging of all data access
  • Retention policies limiting historical data exposure
  • Regular access reviews and certification

Priority 4: Incident Detection and Response

Enhanced monitoring for supply chain attacks:

Behavioral analytics detecting OAuth abuse:

```sql
-- Example detection query for abnormal connected-app (OAuth) activity.
-- ApiUsageLogs and AppBaselineMetrics are illustrative tables; map them to
-- your SIEM's copy of the platform's API event logs. Standard SQL apart from
-- the date arithmetic, which varies by dialect.
WITH today AS (
    SELECT
        ConnectedAppId,
        AppName,
        COUNT(*)                  AS api_calls,
        SUM(RowsReturned)         AS total_records,
        COUNT(DISTINCT SourceIp)  AS unique_ips,
        COUNT(DISTINCT UserId)    AS unique_users
    FROM ApiUsageLogs
    WHERE EventDate >= CURRENT_DATE - INTERVAL '1' DAY
      AND ConnectedAppType = 'OAuth'
    GROUP BY ConnectedAppId, AppName
),
baseline AS (
    SELECT app_id, AVG(daily_calls) AS avg_daily_calls
    FROM AppBaselineMetrics
    GROUP BY app_id
)
SELECT t.*
FROM today t
LEFT JOIN baseline b ON b.app_id = t.ConnectedAppId
WHERE t.api_calls     > 3 * COALESCE(b.avg_daily_calls, 0)  -- no baseline: always flagged
   OR t.total_records > 100000
   OR t.unique_ips    > 10
ORDER BY t.total_records DESC;
```

Automated incident response:

  • Immediate token revocation upon anomaly detection
  • Automated containment playbooks
  • Customer notification workflows
  • Forensic data preservation
  • Regulatory disclosure preparation
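The detection query above expresses the idea in SQL. The following Python example, added here and not part of the original page or any vendor's tooling, runs the same logic over a handful of API event records and then derives the list of apps whose tokens should be revoked first, tying detection to the first response step. Field names are loosely modelled on Salesforce API event records; the app IDs, IP addresses, log lines, baseline figures and thresholds are all assumptions constructed for the example.

```python
"""Flag bulk extraction by OAuth connected apps from API event logs.

Added example, not code from Gainsight, Salesforce or the original article.
Field names are loosely modelled on Salesforce API event records; the log
lines and baseline figures below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: day 1 is routine sync traffic, day 2 is a bulk pull
# from an IP the app has never used (the stolen-token pattern).
SAMPLE_LOG = """timestamp,connected_app_id,app_name,user_id,source_ip,operation,entity,rows_processed
2025-11-19T02:00:11Z,0H4x01,CS-Platform,005x01,203.0.113.10,Query,Account,200
2025-11-19T02:00:13Z,0H4x01,CS-Platform,005x01,203.0.113.10,Query,Contact,150
2025-11-19T14:30:02Z,0H4x01,CS-Platform,005x01,203.0.113.10,Query,Case,300
2025-11-20T03:12:44Z,0H4x01,CS-Platform,005x01,198.51.100.7,Query,Account,50000
2025-11-20T03:13:01Z,0H4x01,CS-Platform,005x01,198.51.100.7,Query,Contact,50000
2025-11-20T03:13:20Z,0H4x01,CS-Platform,005x01,198.51.100.7,Query,Opportunity,50000
2025-11-20T03:13:41Z,0H4x01,CS-Platform,005x01,198.51.100.7,Query,Case,50000
2025-11-20T03:14:02Z,0H4x01,CS-Platform,005x01,198.51.100.7,Query,Contract,50000
2025-11-20T03:14:25Z,0H4x01,CS-Platform,005x01,198.51.100.7,Query,User,50000
2025-11-20T09:00:00Z,0H4x02,New-Integration,005x02,192.0.2.33,Query,Account,20
"""

# Per-app baseline a SOC would compute from the previous 30 days (constructed).
BASELINE = {
    "0H4x01": {"avg_daily_calls": 4.0, "avg_daily_rows": 800.0, "known_ips": {"203.0.113.10"}},
}


@dataclass
class Alert:
    app_id: str
    app_name: str
    day: str
    calls: int
    rows: int
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[dict]:
    """Parse CSV event records; derive the calendar day from the timestamp."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["rows_processed"] = int(e["rows_processed"])
        e["day"] = e["timestamp"][:10]
    return events


def detect(events: List[dict], baseline: Dict[str, dict], call_factor: float = 3.0,
           rows_factor: float = 3.0, max_rows: int = 100_000, max_ips: int = 10) -> List[Alert]:
    """Aggregate per (app, day) and compare against the app's baseline and hard limits."""
    agg = defaultdict(lambda: {"name": "", "calls": 0, "rows": 0, "ips": set(), "users": set()})
    for e in events:
        a = agg[(e["connected_app_id"], e["day"])]
        a["name"] = e["app_name"]
        a["calls"] += 1
        a["rows"] += e["rows_processed"]
        a["ips"].add(e["source_ip"])
        a["users"].add(e["user_id"])

    alerts = []
    for (app_id, day), a in agg.items():
        reasons = []
        b = baseline.get(app_id)
        if b is None:
            # No history means brand new or never inventoried; either way,
            # its traffic should not be treated as normal until reviewed.
            reasons.append("no baseline: new or unknown connected app")
        else:
            if a["calls"] > call_factor * b["avg_daily_calls"]:
                reasons.append(f"{a['calls']} calls exceed {call_factor}x baseline of {b['avg_daily_calls']}")
            if a["rows"] > rows_factor * b["avg_daily_rows"]:
                reasons.append(f"{a['rows']} rows exceed {rows_factor}x baseline of {b['avg_daily_rows']}")
            new_ips = a["ips"] - b["known_ips"]
            if new_ips:
                # A stolen token replayed from attacker infrastructure shows up here.
                reasons.append(f"requests from source IPs never seen for this app: {sorted(new_ips)}")
        if a["rows"] > max_rows:
            reasons.append(f"{a['rows']} rows exceed hard limit of {max_rows}")
        if len(a["ips"]) > max_ips:
            reasons.append(f"{len(a['ips'])} distinct source IPs exceed limit of {max_ips}")
        if reasons:
            alerts.append(Alert(app_id, a["name"], day, a["calls"], a["rows"], reasons))
    alerts.sort(key=lambda x: x.rows, reverse=True)
    return alerts


def revocation_candidates(alerts: List[Alert], min_reasons: int = 2) -> List[str]:
    """Apps with at least min_reasons independent signals on one day: revoke
    their tokens first and investigate second (the precaution Salesforce took)."""
    return sorted({a.app_id for a in alerts if len(a.reasons) >= min_reasons})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG), BASELINE)
    for alert in found:
        print(alert.day, alert.app_name, alert.rows, "rows;", "; ".join(alert.reasons))
    print("revoke first:", revocation_candidates(found))
```

Two signals carry most of the weight for a vendor-token compromise: a row volume far above the app's own baseline, and requests from a source IP the app has never used. Either alone can be benign (a backfill, a vendor moving data centres); both on the same day justify revoking first and asking questions after, and revocation_candidates() encodes that rule so the response playbook can act on it without a human in the loop.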

Conclusion: Securing the Supply Chain in the Cloud Era

The Gainsight supply chain attack compromising 200+ Salesforce customer instances represents a watershed moment in enterprise security, demonstrating how sophisticated threat actors systematically exploit third-party integration trust to achieve massive data theft at scale. The Scattered Lapsus$ Hunters collective’s multi-stage campaign—progressing from Salesloft to Gainsight to hundreds of downstream victims—illustrates the cascading risk inherent in modern cloud ecosystems.

Critical imperatives for enterprise security:

  • Audit all OAuth-connected applications now: review their scopes, refresh-token policies, and recent access patterns
  • Implement least-privilege OAuth scopes, granting each integration the minimum data access it needs
  • Deploy behavioral analytics that detect abnormal third-party application usage
  • Enhance vendor security assessment with a comprehensive evaluation before an integration is authorized
  • Establish continuous monitoring of vendor security posture
  • Prepare incident response playbooks specific to supply chain compromise, including fast token revocation
  • Review contractual protections to ensure liability coverage and breach notification SLAs
  • Adopt a defense-in-depth architecture with layered controls beyond perimeter trust

Organizations can no longer treat third-party integrations as trusted extensions of internal systems. The Gainsight breach demonstrates that vendor compromises instantly expose entire customer bases to sophisticated threat actors wielding legitimate authentication credentials and authorized API access.

The future of enterprise security requires assuming vendor compromise as inevitable, implementing zero-trust architectures that limit blast radius, and deploying continuous monitoring capable of detecting abuse of legitimate credentials. Only through systematic third-party risk management and defense-in-depth security controls can organizations protect against the supply chain attacks that define modern enterprise threats.