- Google says hackers stole Salesforce-stored data from more than 200 companies by abusing Gainsight apps in a large supply chain attack.
- Salesforce revoked Gainsight OAuth tokens, pulled the apps from AppExchange, and is working with Mandiant and Google to investigate.
- ShinyHunters and the wider Scattered Lapsus$ Hunters group claim responsibility and are threatening extortion and data-leak sites.
- Early findings point mostly to business data, but experts warn that the real impact could grow as investigations continue.
Google confirms a massive Gainsight and Salesforce data breach
Google has now confirmed what many security teams were worried about. Hackers managed to steal Salesforce-stored data from more than 200 companies by abusing apps published by customer-success platform Gainsight.
In a statement reported by TechCrunch, Austin Larsen, principal threat analyst with Google’s Threat Intelligence Group, said Google “is aware of more than 200 potentially affected Salesforce instances.” Google’s confirmation puts hard numbers behind Salesforce’s own advisory that “certain customers’ Salesforce data” was accessed through Gainsight-connected apps, not through a direct flaw in Salesforce itself.
You can read the full rundown of Google’s statement and the scale of the incident in TechCrunch’s coverage, “Google says hackers stole data from 200 companies following Gainsight breach,” and in the Slashdot summary, “Google says hackers stole data from over 200 companies following Gainsight breach.”

TechCrunch senior security reporter Lorenzo Franceschi-Bicchierai independently corroborated the scale and mechanics of the attack, tying it directly to Gainsight’s external connection to Salesforce data and to an increasingly aggressive hacking crew.
How the Gainsight OAuth hack unfolded
On November 19, Salesforce spotted what it called “unusual activity” involving Gainsight-published applications that could enable unauthorized access to some customers’ Salesforce data. According to Salesforce’s advisory and detailed analysis from AppOmni, the problem centered on compromised OAuth tokens used by Gainsight apps to talk to Salesforce. Once those tokens were in the wrong hands, attackers could pivot into connected orgs and pull data without needing to break Salesforce itself.
Salesforce responded by revoking all active access and refresh tokens for Gainsight apps and temporarily removing those apps from the Salesforce AppExchange while investigations continue. AppOmni’s CTO Jeff Grossman summed up the risk bluntly in a recent advisory, noting that OAuth supply chain attacks against tightly connected SaaS platforms are becoming a serious and recurring issue for cloud-first enterprises.
Behind the scenes, Gainsight says it has disabled affected integrations, pulled in Google’s incident response arm Mandiant, and is working with Salesforce on forensics and customer notifications.
Who is behind the attack
Shortly after Salesforce went public, the hacking collective calling itself Scattered Lapsus$ Hunters, which includes the notorious ShinyHunters crew, claimed responsibility in Telegram channels referenced by TechCrunch. The same cluster of actors previously hit Salesloft’s Drift platform and then used stolen tokens there to raid Salesforce environments, a campaign we covered in detail in our earlier analysis of the Salesloft and Drift hack, “The 2025 Salesloft Drift hack was a wake-up call.”
Google’s threat teams and outside specialists describe this as part of a long-running pattern rather than a one-off. Instead of going after the big cloud platforms directly, attackers look for trusted third-party apps that already enjoy high-privilege, always-on access.
Which companies were hit and what was affected
So far, Salesforce and Google have stopped short of publishing a list of victim organizations. Google confirmed “more than 200” affected Salesforce instances, but declined to name specific companies. TechCrunch reporting notes that Scattered Lapsus$ Hunters claimed attacks on a long list of major brands, though many of those firms are still investigating or disputing impact.
Gainsight’s own incident page narrows the confirmed blast radius on its side to its “Gainsight CS” product and says it has directly contacted three organizations where it can confirm data access. As a precaution, Gainsight has suspended some integrations and engaged Mandiant for a deeper forensic review. Salesforce is handling notifications to customers whose Salesforce data was definitely accessed through the compromised apps.
Early statements from Google’s Threat Intelligence Group echo earlier reporting around ShinyHunters. In a related advisory highlighted by Moneywise and NewsDirect, Google said initial data sets in this broader campaign were “basic and largely publicly available business information,” but also warned that the attackers might escalate to more sensitive records and extortion. You can find that broader context in “Google sounds alarm after 2.5B users exposed.”
For now, Gainsight maintains that no personal customer data or financial information has been confirmed as compromised in its own environment, though investigations are still ongoing.

Extortion threats and likely fallout
Scattered Lapsus$ Hunters are not shy about their playbook. The group has already threatened to launch a new data-leak site dedicated to the Gainsight and Salesloft campaigns if victims do not negotiate. TechCrunch and other security outlets note that this mirrors previous ShinyHunters operations, where stolen corporate data was posted publicly to increase pressure.
That threat raises the stakes for any Salesforce customer that relied heavily on Gainsight apps for sales pipelines, customer success dashboards, or executive reporting. Even if the data is “only” business records, it can expose internal strategies, customer lists, or partner details that competitors or criminals can abuse.
Why this SaaS supply chain breach matters for everyone
Security experts at Google, AppOmni, Mandiant and other firms keep calling out the same pattern. Enterprise security programs still focus a lot on core platforms and internal networks, but attackers are systematically going after the weaker links between those platforms. OAuth tokens, third-party connectors and “shadow” integrations are proving to be some of the easiest ways in.
Salesforce, Gainsight and multiple advisory firms are now urging customers to review and revoke unnecessary app tokens, reset passwords and enable two-factor authentication across admin and integration accounts. For teams that want to get more proactive about this, tools that centralize monitoring across SaaS products can help. One example is Databox, which lets security and IT teams pull key incident metrics, log signals and API data from different cloud tools into unified dashboards. That makes it easier to spot unusual access across multiple vendors before it turns into another breach.
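The token review urged above can be scripted against an export of connected-app OAuth tokens. The following is an added example, not code from Salesforce, Gainsight or this article; the field names (`AppName`, `UserId`, `LastUsedDate`, `UseCount`), the sample rows and the 90-day staleness threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows standing in for a connected-app token export.
# Field names and values are assumptions, not data from the incident.
SAMPLE_TOKENS = [
    {"AppName": "Gainsight CS", "UserId": "u-integration", "LastUsedDate": "2025-11-18", "UseCount": 5120},
    {"AppName": "Gainsight CS", "UserId": "u-admin", "LastUsedDate": "2025-06-02", "UseCount": 14},
    {"AppName": "Example Reporting", "UserId": "u-analyst", "LastUsedDate": "2025-03-10", "UseCount": 3},
    {"AppName": "Example Mailer", "UserId": "u-ops", "LastUsedDate": "2025-11-20", "UseCount": 880},
]

VENDOR_REASON = "vendor under advisory"


def review_tokens(tokens, as_of, flagged_vendors=("gainsight",), stale_days=90):
    """Group tokens by app and decide which apps need revocation or owner review."""
    cutoff = as_of - timedelta(days=stale_days)
    stale_reason = "unused for %d+ days" % stale_days
    findings = {}
    for tok in tokens:
        app = tok["AppName"]
        last_used = datetime.strptime(tok["LastUsedDate"], "%Y-%m-%d")
        reasons = []
        if any(vendor in app.lower() for vendor in flagged_vendors):
            reasons.append(VENDOR_REASON)      # app named in a vendor advisory
        if last_used < cutoff:
            reasons.append(stale_reason)       # token nobody appears to need
        if not reasons:
            continue                           # active token for an unflagged app
        entry = findings.setdefault(app, {"users": set(), "reasons": set()})
        entry["users"].add(tok["UserId"])
        entry["reasons"].update(reasons)
    # Advisory hits are revoked outright; stale-only tokens go to their owner first.
    return {
        app: {
            "action": "revoke" if VENDOR_REASON in e["reasons"] else "review",
            "users": sorted(e["users"]),
            "reasons": sorted(e["reasons"]),
        }
        for app, e in findings.items()
    }


if __name__ == "__main__":
    for app, result in review_tokens(SAMPLE_TOKENS, datetime(2025, 11, 21)).items():
        print(app, result)
```
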
If you are tracking wider trends in cyberattacks this year, this incident also fits with the rise of more automated, AI-assisted operations that move quickly between cloud services. Our deep dives on AI cyberattacks in 2025 and on high-impact breaches like the F5 incident in the UK show the same shift toward chained, multi-vendor compromises.
What affected companies and users should do right now
Google’s guidance in the ShinyHunters campaigns has been consistent. Step one is basic

