ShinyHunters Claims Gainsight Breach, Threatens Salesforce Extortion Over Customer Data
The investigation into the corporate data breach affecting Salesforce customers continues to widen. The company is now examining how third-party Gainsight applications became the channel through which unauthorized parties gained access to client information. Gainsight is used to manage customer databases, and its modules connect directly to Salesforce infrastructure — meaning any compromise in one component can reverberate across the entire system.
In its public advisory, Salesforce emphasizes that the potential exposure is tied specifically to customer-installed Gainsight integrations. No signs of vulnerabilities have been found within the Salesforce platform itself. According to the current assessment, the issue originates in Gainsight’s external connectors, through which the service accesses operational data.
Gainsight, for its part, cites “connection issues with Salesforce,” without mentioning any potential leak. Company representatives have not responded to media inquiries. Salesforce continues directing customers to a dedicated updates page, offering no separate commentary.
The incident has drawn the attention of major companies that rely on Gainsight in their workflows, including Airtable, Notion, GitLab, and other prominent services. A GitLab spokesperson confirmed that its security team is assessing possible impacts and checking the infrastructure for any unauthorized alterations.
Amid the turmoil, the ShinyHunters group — known for numerous extortion-driven attacks — has once again surfaced. Members told DataBreaches that they were responsible for breaching Gainsight integrations. According to their claims, they possess datasets from roughly a thousand organizations. The attackers threatened to publish the information on a dedicated leak site unless Salesforce begins negotiations.
The unfolding situation mirrors the August incident, when a vulnerability in Salesloft allowed attackers to infiltrate connected Salesforce instances across many customers. Access tokens and other sensitive data were stolen. Victims included Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, Workday, and several others.
Those attacks were attributed to the Scattered Lapsus Hunters collective, which includes members of ShinyHunters. Just a month ago, the group launched its own extortion platform, threatening to release a billion records. Gainsight later acknowledged that its services were indeed implicated in the Salesloft-related intrusions, though it remains unclear whether the current breach is tied to that earlier episode.
Investigations remain underway, and companies relying on Gainsight and Salesforce are scrutinizing their systems for hidden traces of unauthorized access. The mechanism of compromise is still not fully understood: experts are considering both the possibility that previously stolen information was reused and the possibility that an entirely new intrusion vector has emerged.