SOCRadar® Cyber Intelligence Inc. | What You Need To Know About Gainsight Breach
Nov 22, 2025
Apr 21, 2026

What You Need To Know About Gainsight Breach

Salesforce warned customers about a new incident involving the Gainsight app after detecting unusual activity in connected environments. Google’s threat team says more than 200 Salesforce instances may be affected. The case bears similarities to the recent Salesloft Drift breach, which affected hundreds of customers.

What happened in the Gainsight breach?

The incident likely began when attackers found a way to use the access tokens that link Gainsight’s tools to Salesforce environments. These tokens let the Gainsight app read and update information on behalf of its customers. Once the attackers held them, they could reach many Salesforce organizations without compromising the main platform.

Salesforce later explained that the core system stayed safe. The attackers did not exploit a flaw in Salesforce itself. They moved through the connection that customers had already approved for the Gainsight app. This connection gave the attackers a clear path into each affected environment.

Because many companies use Gainsight with Salesforce, the impact spread fast. Early reports indicated that more than 200 customers may have been affected. Some fear the number might climb higher as investigations continue.

The group known as Scattered LAPSUS$ Hunters (SLH) has claimed the attack.

How did attackers enter the Gainsight ecosystem?

The attackers did not target Salesforce directly. They focused on the path between Gainsight and Salesforce. This path uses tokens that let the Gainsight app talk to customer Salesforce orgs. When the attackers captured these tokens, they could act as if they were the Gainsight app itself.

These tokens work without user input. They allow automated tasks, scheduled syncs, and data updates. Because of this, companies often do not watch them closely. This gave the attackers a quiet entry point. They could run API calls, read records, and move through customer data without raising clear alarms.

At this stage, it is not confirmed that attackers captured Gainsight tokens directly. It is the most likely explanation based on Salesforce’s advisory, security analysts’ comments, and the pattern of activity.

In a chat with TechCrunch, the ShinyHunters group (part of SLH) stated that they gained access to Gainsight through an earlier attack on Salesloft customers. They stole Drift authentication tokens from those customers and used them to reach linked Salesforce systems and pull data. A spokesperson stated that Gainsight used Salesloft and Drift and was fully impacted. Gainsight confirmed it was a victim of the campaign but did not provide further details.

The group behind the breach also understands cloud apps very well. Furthermore, their messages on their Telegram channel indicate they are aware of how to exploit access, insiders, and identity gaps to infiltrate networks. They even advertise for employees with access to systems like Okta and Active Directory, which shows how much they rely on token-based movement and identity abuse.

Scattered LAPSUS$ Hunters is actively recruiting insiders in their Telegram channel.

Once they had working tokens, the attackers no longer needed to break anything else. They used the same permissions that Gainsight uses. This turned a single breach at one vendor into wide access across many customer environments.

Who carried out the Gainsight breach?

Currently, the Gainsight breach is linked to a threat group known as Scattered LAPSUS$ Hunters. The group mixes members and methods from ShinyHunters, Scattered Spider, and LAPSUS$. They act quickly, utilize strong social skills, and focus on cloud identity paths rather than traditional malware. They also enjoy public attention. They use group chats, memes, and voice messages to show confidence and mock their targets.

Their Telegram channel supports this link. Many posts in the leaked chat indicate that they follow Gainsight and Salesforce events in real time. They laugh at the companies involved, solicit insiders from major firms, and offer money for access to their networks. One post even doubles the reward for an insider at CrowdStrike.

Mocking or targeting various organizations, including cybersecurity vendors

In past attacks, the group targeted SaaS apps, identity providers, and remote access systems. They seem to understand how cloud ecosystems depend on tokens and connected apps. This knowledge makes them dangerous because they can jump from one vendor to many customers with one stolen identity key.

In short, SLH carried out the breach. Their chat activity, their past attacks, and their public behavior all point to the same method. They go after identity, trust, and connection paths.

What did the attackers access or steal?

The full scope is still under review, but the pattern is clear. The attackers used stolen tokens from the Gainsight-connected app to access data inside customer Salesforce orgs. These tokens let the app read and sync records, so an attacker holding them can copy any information the app is able to view.

This may include customer details, activity data, and other objects that companies store in Salesforce through Gainsight. The Gainsight FAQ confirms that the attackers used valid tokens and made API calls from unexpected locations. This means the attackers did not brute force accounts. They simply utilized permissions that already existed within each affected organization.

One of Gainsight’s FAQ entries about the incident (Source)

Because many companies use Gainsight, the impact spread quickly. Google reports that more than 200 Salesforce orgs have been touched. Others think the number might rise as audits continue. Since the attack occurred through a trusted integration, each company must now verify what the app can access within its own environment.

SLH is mocking other ransomware groups and mentioning a victim count.

The group claims to have targeted more than 300 organizations. The group was also behind earlier Salesforce-related attacks that employed identity theft and voice phishing. Counting those earlier breaches, they allege that the total number of victims is now around 1,000. However, they also plan to list only the companies they consider important on their upcoming Data Leak Site (DLS).

What does the Telegram activity show?

The Telegram messages give a clear picture of how this group behaves. They joke about victims, tease release dates, and recruit insiders from many industries. They ask workers to prove access to tools like AD, Okta, or corporate VPNs. This indicates that identity access and insider help are at the center of their strategy, rather than relying solely on technical exploits. Their posts in the leaked chat support this pattern.

SLH will share the victims on their new DLS on November 24, 2025

This approach aligns with recent news about an insider at CrowdStrike. The company confirmed that an employee shared screenshots of internal systems with the hackers. CrowdStrike stated that the insider was identified and removed, and no customer data was compromised. Hackers told reporters they offered the insider money and claimed they received SSO authentication cookies before he was blocked.

Their Telegram post about the busted insider threat at CrowdStrike

Their Telegram behavior and the CrowdStrike insider case point to the same conclusion. Insider access and identity abuse are now core tools for this group. They mix leaked tokens, stolen identities, and paid insiders to move through companies fast and at scale.

Why do attackers focus on SaaS apps like Gainsight or Salesforce?

Attackers like SaaS apps because a single weak link provides access to multiple companies. Tools such as Gainsight connect to Salesforce with strong tokens and wide permissions. When attackers steal these tokens, they infiltrate customer systems without compromising the core platform.

SaaS apps also run many automated tasks. They use long-lived tokens and service accounts that companies might rarely review. This makes them easy to abuse.

The leaked chat shows that the group behind the breach prefers identity paths and insider access. They focus on cloud connectors, not on hard technical exploits. They know that trust links are often the weakest part of a company’s defense.

To counter this, monitor your SaaS supply chain with the same care as your core systems. Track all connected apps, check their permissions, watch their API activity, and rotate their tokens. A single trusted integration can expose your entire environment, which makes supply chain visibility a key part of cyber defense.

What security steps should companies take now?

Security teams must act swiftly when a connected app incident spreads across a cloud ecosystem. The official Salesforce guidance lists several steps that help companies detect and contain activity linked to the Gainsight breach. Gainsight also released a detailed FAQ that explains how the attackers used valid tokens and how customers can check their own orgs for signs of misuse.

  • Check recent API calls

Review all API activity from the Gainsight connected app. Look for calls from places or IP ranges that your company does not use. Salesforce advises checking for activity outside your normal geographic area and for calls made at unusual times.

  • Review token use

The attackers used active refresh tokens. Revoke all tokens that Gainsight uses, then re-authorize the app with new ones. Gainsight recommends this reset to prevent attackers from using old tokens that still hold access.

  • Inspect login history

Search for logins tied to the Gainsight app that do not match your expected pattern. Salesforce’s incident article explains which fields help spot suspicious events, such as unexpected IPs or new user agents.

  • Control IP ranges

Gainsight suggests using an allow list for outgoing IP addresses from the app. If an attacker attempts to reuse a token from a different IP address, the request will fail. This reduces the chance of silent token abuse.

  • Limit the app’s permissions

Check the scopes and profile rights that the connected app has inside your org. Remove any access that the app does not need. Least privilege helps reduce damage even if attackers steal a token again.

  • Monitor changes to connected apps

Review recent edits to OAuth settings, app scopes, or session policies. Salesforce notes that attackers sometimes adjust these values to maintain access for a longer period.

  • Audit user accounts linked to Gainsight tasks

If your team uses service accounts for Gainsight jobs, check their activity and reset their passwords. Gainsight stresses that customers should treat these accounts as sensitive because they often hold wide access.

  • Look for indicators of compromise

Salesforce provided IoCs. These include suspicious IP addresses, unusual patterns of API usage, and specific event types associated with the incident. Add these to your SIEM or monitoring tools to detect repeats.

What indicators of compromise (IoC) should teams watch for?

Salesforce shared a detailed list of IoCs that help companies check whether attackers have used the Gainsight connection within their organization. These IoCs point to reconnaissance, token abuse, and unauthorized API calls.

IoC Type     Value                              First Seen (UTC)     Last Seen (UTC)      Notes
IP Address   104.3.11.1                         2025-11-08 13:11:29  2025-11-08 13:15:23  AT&T IP used for recon and unauthorized access
IP Address   198.54.135.148                     2025-11-16 21:48:03  2025-11-16 21:48:03  Mullvad VPN used for recon and access
IP Address   198.54.135.197                     2025-11-16 22:00:56  2025-11-16 22:06:57  Mullvad VPN used for recon and access
IP Address   198.54.135.205                     2025-11-18 10:43:55  2025-11-18 12:09:35  Mullvad VPN used for recon and access
IP Address   146.70.171.216                     2025-11-18 20:21:48  2025-11-18 20:50:13  Mullvad VPN used for recon and access
IP Address   169.150.203.245                    2025-11-18 20:54:02  2025-11-18 23:04:12  Surfshark VPN used for recon and access
IP Address   172.113.237.48                     2025-11-18 21:23:29  2025-11-18 21:51:32  NSocks VPN used for recon and access
IP Address   45.149.173.227                     2025-11-18 22:05:15  2025-11-18 22:05:18  Surfshark VPN used for recon and access
IP Address   135.134.96.76                      2025-11-19 08:26:18  2025-11-19 10:30:37  IProxyShop VPN used for recon and access
IP Address   65.195.111.21                      2025-11-19 10:57:37  2025-11-19 10:59:19  IProxyShop VPN used for recon and access
IP Address   65.195.105.81                      2025-11-19 11:17:51  2025-11-19 11:48:07  Nexx VPN used for recon and access
IP Address   65.195.105.153                     2025-11-19 12:23:17  2025-11-19 12:23:35  ProxySeller VPN used for recon and access
IP Address   45.66.35.35                        2025-11-19 12:47:43  2025-11-19 12:47:45  Tor exit node used for recon and access
IP Address   146.70.174.69                      2025-11-19 12:47:49  2025-11-19 12:47:49  Proton VPN used for recon and access
IP Address   82.163.174.83                      2025-11-19 14:30:36  2025-11-19 22:26:46  ProxySeller VPN used for recon and access
IP Address   3.239.45.43                        2025-10-23 00:17:22  2025-10-23 00:45:36  AWS IP used for recon with stolen Gainsight tokens
User Agent   python-requests/2.28.1             2025-11-08 13:11:19  2025-11-08 13:15:01  Not used by Gainsight; linked to attacker scripts
User Agent   python-requests/2.32.3             2025-11-16 21:48:03  2025-11-16 21:48:03  Not used by Gainsight; matches attacker activity
User Agent   python/3.11 aiohttp/3.13.1         2025-10-23 00:00:00  2025-10-23 00:01:00  Not used by Gainsight; used by attacker automation
User Agent   Salesforce-Multi-Org-Fetcher/1.0   2025-11-18 22:05:13  2025-11-19 22:24:01  Used by threat actors; also seen in Salesloft Drift breach
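The following script ties the security steps above (check API calls from unexpected IP ranges, inspect login history for unfamiliar user agents, match the published IoCs) to a concrete triage pass over an event export. It is an added example, not SOCRadar’s, Salesforce’s or Gainsight’s code: the CSV columns, the egress allow list (203.0.113.0/24) and the sample rows are constructed placeholders, while the IP and user-agent values are the ones from the IoC table above.

```python
import csv
import io
import ipaddress

# Salesforce-published IoCs as quoted in the article's table.
IOC_IPS = {
    "104.3.11.1", "198.54.135.148", "198.54.135.197", "198.54.135.205",
    "146.70.171.216", "169.150.203.245", "172.113.237.48", "45.149.173.227",
    "135.134.96.76", "65.195.111.21", "65.195.105.81", "65.195.105.153",
    "45.66.35.35", "146.70.174.69", "82.163.174.83", "3.239.45.43",
}
IOC_USER_AGENTS = {
    "python-requests/2.28.1", "python-requests/2.32.3",
    "python/3.11 aiohttp/3.13.1", "Salesforce-Multi-Org-Fetcher/1.0",
}
# Placeholder egress range for the connected app (constructed; use the outbound ranges your vendor publishes).
APP_EGRESS_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]

def ip_in_allow_list(ip_text):
    # True when the source IP sits inside one of the app's expected egress ranges.
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in APP_EGRESS_ALLOW)

def classify(row):
    # Reasons one event row deserves review; an empty list means nothing matched.
    reasons = []
    if row["source_ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if row["user_agent"] in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")
    # The egress check only applies to traffic presenting as the Gainsight app.
    if row["connected_app"] == "Gainsight" and not ip_in_allow_list(row["source_ip"]):
        reasons.append("ip-outside-app-allow-list")
    return reasons

def scan(csv_text):
    # Parse the export and return (timestamp, app, ip, reasons) for flagged rows only.
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row)
        if reasons:
            findings.append((row["timestamp"], row["connected_app"], row["source_ip"], reasons))
    return findings

# Constructed sample export (simplified columns, not the real Salesforce event schema).
SAMPLE_EXPORT = """timestamp,event_type,connected_app,source_ip,user_agent
2025-11-18 20:55:10,ApiCall,Gainsight,203.0.113.7,Gainsight-Sync/1.0
2025-11-18 22:05:15,ApiCall,Gainsight,45.149.173.227,Salesforce-Multi-Org-Fetcher/1.0
2025-11-19 09:02:44,Login,Gainsight,203.0.113.9,python-requests/2.28.1
2025-11-19 12:47:43,ApiCall,OtherApp,45.66.35.35,Mozilla/5.0
"""
```

The third sample row shows why the user-agent check matters even with an IP allow list in place: the call comes from an allowed range but with a client string Gainsight never uses. The fourth row shows that a listed IP is worth a look even when it touches a different connected app.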

What does this breach teach us about the future?

The breach involving the Salesforce and Gainsight connection demonstrates how attackers now move through trusted links, not just the main platform. Stolen tokens, VPN traffic, and unusual user agents gave the threat actors real access without compromising Salesforce itself. The incident shows that identity misuse and supply chain gaps create the biggest risks in cloud ecosystems. Companies must regularly check every connected app, review permissions, and rotate tokens to minimize silent access paths.

SOCRadar’s Supply Chain Intelligence, Third-Party Companies

Better visibility across vendors has become a key part of defense. SOCRadar Supply Chain Intelligence helps organizations track risks within their third-party ecosystem and identify weak points before attackers exploit them. It checks vendors using multiple technical signals and maps exposure across a broad range of companies. With strong monitoring, careful token control, and supply chain insights, security teams can lower the impact of similar events in the future.

For more context on the threat actors, the breach, and related activity, you may read our other blog posts: