The massive data breach that hit Salesloft in August 2025 has triggered a domino effect, spilling over to hit the customer success platform Gainsight. This latest development puts hundreds more organizations at risk of having their sensitive data stolen.
The trouble began when Salesforce spotted unusual activity coming from Gainsight applications connected to its system. Salesforce realized these apps offered a pathway for unauthorized access to customer data. Acting quickly, Salesforce revoked all active access and refresh tokens for Gainsight-published apps and removed them from the AppExchange.
Salesforce clarified that its own platform remains secure. The company stated the issue stems entirely from the external connections used by the Gainsight apps. They have already reached out to affected customers to warn them about the exposure.
According to reports from BleepingComputer, this isn’t a random attack. It is a direct continuation of the Salesloft Drift incident. A hacking group calling itself “Scattered Lapsus$ Hunters” is behind the campaign. One of the group’s members, known as ShinyHunters, revealed they breached Gainsight using security secrets they originally stole during the Salesloft hack.
Back in August, these hackers stole OAuth tokens used by Salesloft for its Drift AI integration. Those tokens acted like master keys, giving the criminals direct API access to Salesforce data. Using that access, they infiltrated around 760 Salesforce instances and stole a staggering 1.5 billion records, including passwords, AWS keys, and Snowflake tokens.
Now, they have used that same loot to pry open Gainsight. Gainsight, a company that helps businesses manage customer relationships, confirmed the breach. They admitted that the attackers swiped business contact details, including names, email addresses, phone numbers, and location data. The hackers also accessed the contents of support cases. This incident highlights the danger of connected software ecosystems. Even if a company secures its own walls, a compromised partner can still provide hackers with a backdoor.
