Google confirms massive Gainsight OAuth attack against Salesforce customers
Hackers abused Gainsight apps to pull data from Salesforce environments at more than 200 companies, Google says. Salesforce and Gainsight revoked OAuth access, removed affected apps from AppExchange, and brought in Mandiant alongside Google’s threat teams. The group claiming responsibility, tied to ShinyHunters and the broader Scattered Lapsus$ Hunters cluster, is already threatening extortion and public leaks.
- Google is tracking more than 200 potentially affected Salesforce instances linked to Gainsight app abuse.
- Salesforce revoked Gainsight OAuth tokens and pulled the apps while the investigation continues with Mandiant and Google.
- ShinyHunters and Scattered Lapsus$ Hunters claim the campaign and are pushing extortion threats.
- Early signs point to mostly business data, yet the true impact could widen as forensics progress.
What happened in the Gainsight and Salesforce breach
Google confirmed what security teams suspected. Threat actors leveraged OAuth tokens from Gainsight apps to query connected Salesforce orgs. In plain terms, the attackers did not need to break Salesforce itself. They rode existing, trusted connections to extract data.
Google’s Austin Larsen, a principal threat analyst with the company’s Threat Intelligence Group, said Google “is aware of more than 200 potentially affected Salesforce instances.” That aligns with Salesforce’s advisory noting access came through Gainsight-connected apps rather than a core Salesforce flaw. You can read TechCrunch’s coverage in “Google says hackers stole data from 200 companies following Gainsight breach” and a summary on Slashdot in “Google says hackers stole data from over 200 companies following Gainsight breach.”
TechCrunch senior security reporter Lorenzo Franceschi-Bicchierai corroborated both the scale and the mechanics, linking the intrusions to permissions Gainsight apps held in customer Salesforce orgs and to a persistent, fast-moving threat cluster.
How did attackers abuse OAuth tokens
On November 19, Salesforce flagged unusual activity involving Gainsight-published apps. AppOmni’s analysis points to compromised OAuth tokens that let those apps talk to Salesforce. With token access in hand, the attackers could pivot into connected orgs and query data, often without tripping traditional login controls.
Salesforce revoked all active access and refresh tokens for Gainsight apps and temporarily removed those apps from AppExchange. Gainsight says it disabled affected integrations, engaged Mandiant, and is coordinating with Salesforce on forensics and customer notifications. AppOmni’s CTO Jeff Grossman summed it up: OAuth supply chain attacks across tightly coupled SaaS platforms are now a recurring enterprise risk.
Who is claiming responsibility
The crew calling itself Scattered Lapsus$ Hunters, which includes ShinyHunters, claimed the campaign in Telegram channels referenced by TechCrunch. The same cluster allegedly hit Salesloft’s Drift platform and then pivoted into Salesforce environments, a pattern we covered in our earlier analysis “The 2025 Salesloft Drift hack was a wake-up call.” The strategy is familiar. Do not hammer the fortress. Find a trusted vendor key and stroll in.
Which companies were hit and what data was taken
Neither Google nor Salesforce has published a list of impacted organizations. Google confirmed more than 200 affected Salesforce instances but did not name names. Reporting notes that Scattered Lapsus$ Hunters posted a long list of brands, though many are still investigating.
Gainsight’s incident page narrows confirmed impact on its side to its Gainsight CS product and says it contacted three organizations where it can verify access. As a precaution, it paused some integrations. Salesforce is notifying customers whose Salesforce data was accessed through the compromised apps.
Early statements from Google suggest the initial troves involved business information that might already be public or low sensitivity, while warning this could escalate to more sensitive data and extortion. For broader context, see the advisory highlighted by Moneywise and NewsDirect, “Google sounds alarm after 2.5B users exposed.” Gainsight says it has not confirmed exposure of personal customer data or financial information in its own environment, but the investigation continues.
How serious is the fallout
Scattered Lapsus$ Hunters are telegraphing the next move. They are threatening a new leak site dedicated to data from the Gainsight and Salesloft campaigns unless victims pay up. That matches prior ShinyHunters playbooks. Even if the data looks like routine business records, exposure of pipeline details, customer lists, internal strategies, or partner information can be damaging. Think competitive intelligence handed to rivals, with a side of brand risk and regulatory exposure if personal data later surfaces.
Why this matters beyond Salesforce
Security teams still spend most of their energy on core platforms and networks. Attackers keep going after the connective tissue. OAuth tokens, trusted third-party apps, and under-governed integrations are the weak links. That is why Google, AppOmni, Mandiant, and others keep sounding the same alarm.
Salesforce and Gainsight are urging customers to audit app permissions, remove unused connectors, rotate tokens, reset secrets, and enforce strong authentication for all integration accounts. If you want better visibility across vendors, you can centralize telemetry and alerting. One option is Databox, which helps teams bring logs and API signals from multiple SaaS tools into a single dashboard to spot unusual access early.
If you are tracking broader trends, this incident fits a year where attackers, often with automation and AI in the mix, chain cloud services for speed and scale. Our deep dives on AI cyberattacks in 2025 and the high impact F5 incident in the UK show the same multi-vendor pattern.
What should affected companies and users do now
Move quickly and treat this as a third-party OAuth compromise that could expand. Here is a focused checklist you can hand to your incident response lead.
- Confirm exposure with your Salesforce account team and case portal. Check for notifications from Salesforce, Gainsight, and Mandiant.
- Revoke and rotate all OAuth tokens for Gainsight apps and any third-party connected apps you do not fully need. Remove unused integrations.
- Reset and reissue integration user passwords, API keys, and client secrets. Enforce multi-factor authentication and high-assurance sessions for integration and admin accounts.
- Audit permissions for connected apps. Apply least-privilege scopes and restrict IP ranges and login hours where possible.
- Review logs in Salesforce Event Monitoring, Login History, and Connected Apps OAuth usage. Export suspicious activity for preservation and analysis.
- Hunt for data exfiltration patterns across your SIEM, CASB, and SaaS logs. Look for large SOQL queries, bulk exports, or anomalous API calls.
- Rotate secrets across your CI and automation pipelines that interact with Salesforce. Update stored credentials in vaults.
- Prepare for extortion. Draft legal and communications plans, preserve evidence, and coordinate with law enforcement if needed.
- Notify affected customers and partners if your investigation confirms exposure. Be specific about types of data and steps taken.
- Stand up continuous monitoring for connected apps. Baseline normal OAuth usage and alert on unusual access.
For individual users, enable multi-factor authentication everywhere, avoid token reuse across tools, and be cautious with unexpected prompts or consent screens.
FAQs
Was Salesforce itself breached
Current evidence points to abuse of OAuth tokens from Gainsight apps that had legitimate access to Salesforce orgs. Google and Salesforce say attackers did not exploit a core Salesforce platform vulnerability.
What data was likely accessed
Early findings indicate business records such as account and pipeline data. Investigators warn this could evolve as more victims report in, so treat sensitive objects as potentially exposed until proven otherwise.
Are Gainsight apps safe to use now
Salesforce revoked affected tokens and removed the apps pending investigation. Gainsight disabled impacted integrations and engaged Mandiant. Re-enable only after you review permissions, rotate credentials, and validate integrity with vendor guidance.
How can I tell if my org was affected
Check for notifications from Salesforce and Gainsight. In Salesforce, review Event Monitoring, Connected Apps OAuth usage, and Login History for unusual API activity tied to Gainsight apps or integration users dating back to mid-November.
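The log review in the checklist above (baseline normal OAuth usage, hunt for bulk exports and anomalous API calls) and this FAQ answer describe the same triage. The script below is an added example, not code from Salesforce, Gainsight, or the article: it parses a constructed CSV resembling an Event Monitoring API export, builds a per-app baseline from calls before mid-November, and flags post-cutoff calls by a Gainsight-named connected app that dwarf that baseline. The column names and the sample rows are assumptions made for this example, not Salesforce’s exact schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample resembling a Salesforce Event Monitoring API export.
# Column names are assumptions for this example, not Salesforce's exact schema.
SAMPLE_LOG = """\
TIMESTAMP,CLIENT_NAME,USER_ID,ENTITY_NAME,ROWS_PROCESSED
2025-11-03T08:01:00Z,Gainsight CS,005AAA,Account,120
2025-11-10T08:01:00Z,Gainsight CS,005AAA,Account,140
2025-11-18T22:14:00Z,Gainsight CS,005AAA,Account,48000
2025-11-18T22:20:00Z,Gainsight CS,005AAA,Opportunity,61000
2025-11-19T01:05:00Z,Gainsight CS,005AAA,Contact,75000
2025-11-19T03:00:00Z,Internal ETL,005BBB,Account,20000
"""

CUTOFF = datetime(2025, 11, 15)  # reported activity began mid-November
FACTOR = 10                      # flag calls this many times larger than the app's baseline


def parse_rows(text):
    """Parse the CSV export into dicts carrying a datetime and an int row count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return rows


def baseline_per_app(rows):
    """Largest single call each connected app made before the cutoff."""
    base = defaultdict(int)
    for r in rows:
        if r["ts"] < CUTOFF:
            base[r["CLIENT_NAME"]] = max(base[r["CLIENT_NAME"]], r["rows"])
    return base


def find_anomalies(rows, watched=("Gainsight",)):
    """Post-cutoff calls by a watched app that exceed FACTOR x its own baseline.
    A watched app with no pre-cutoff history is flagged on any post-cutoff call."""
    base = baseline_per_app(rows)
    return [r for r in rows
            if r["ts"] >= CUTOFF
            and r["CLIENT_NAME"].startswith(watched)
            and r["rows"] > FACTOR * base.get(r["CLIENT_NAME"], 0)]


def rows_by_entity(hits):
    """Total rows pulled per object, to scope what may have been exfiltrated."""
    totals = defaultdict(int)
    for r in hits:
        totals[r["ENTITY_NAME"]] += r["rows"]
    return dict(totals)
```

Swap SAMPLE_LOG for your own export and widen `watched` to every connected app you do not fully need; the per-entity totals feed directly into the notification step of the checklist.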
What is an OAuth token and why is it risky
OAuth tokens let apps access data without passwords. If a token with broad scopes is stolen, an attacker can query or export data while looking like a trusted app. That is why token hygiene and least-privilege scopes are essential.
Who are ShinyHunters and Scattered Lapsus$ Hunters
They are overlapping threat actors known for data theft, extortion, and public leak sites. They often target SaaS supply chains and tokens from trusted third-party apps to reach valuable data quickly.