Srinivasa Reddy Kandi: Hackers Steal Data from Over 200 Companies in Major Salesforce–Gainsight Supply Chain Breach

November 25, 2025, 04:42


Google has confirmed that hackers accessed Salesforce-hosted data belonging to more than 200 companies as part of a widespread supply chain attack involving customer experience platform Gainsight.

Salesforce disclosed on Thursday that “certain customers’ Salesforce data” had been compromised through third-party applications developed by Gainsight, though it did not identify the affected organizations. According to Austin Larsen, principal threat analyst at Google’s Threat Intelligence Group, more than 200 Salesforce instances were potentially impacted.

Shortly after the announcement, the hacking collective Scattered Lapsus$ Hunters — which includes the well-known ShinyHunters group — claimed responsibility via a Telegram channel viewed by TechCrunch. The group alleged that its campaign affected major companies including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Google declined to comment on specific victims.

CrowdStrike denied being affected, adding that it fired a “suspicious insider” for allegedly sharing information with hackers.
Verizon said it was “aware” of the hackers’ claims but emphasized they remain unsubstantiated.
Malwarebytes and Thomson Reuters both confirmed that they are actively investigating the issue.
Docusign stated that it found no evidence of data exposure but has proactively terminated all integrations with Gainsight.

Other companies named by the hackers have not yet responded to inquiries.

According to ShinyHunters, the breach originated from their earlier attack on users of Salesloft Drift, where stolen authentication tokens gave them access to customers’ linked Salesforce environments. Gainsight confirmed it was affected in that previous incident, which ultimately enabled hackers to infiltrate its systems as well.

A Salesforce spokesperson reiterated that the issue did not stem from vulnerabilities in the Salesforce platform itself. Gainsight has not publicly responded to TechCrunch’s requests for comment.

Gainsight has been publishing ongoing updates, stating that it is now working with Mandiant, Google’s incident response unit. The company says the breach originated through external application connections, not through Salesforce platform flaws. Salesforce has temporarily revoked all active access tokens for Gainsight-connected apps while continuing to notify impacted customers.

Meanwhile, Scattered Lapsus$ Hunters announced plans to launch an extortion website targeting victims of the attack — a tactic similar to its October campaign involving data stolen during the Salesloft incident.

Author: Kandi Srinivasa Reddy, Srinivasa Reddy Kandi


