Salesforce Investigates Potential Customer Data Exposure via Gainsight Apps

  • Nov 21, 2025

Key Findings


  • Salesforce has revoked all access tokens associated with Gainsight integrations and removed the affected apps from the AppExchange.

  • The incident may have enabled unauthorized access to certain Salesforce customers' data through the Gainsight app's connection.

  • Salesforce confirmed the issue is not due to any vulnerability in the Salesforce platform, but is related to the external connection to Salesforce.

  • Gainsight acknowledged disruptions to features that rely on synchronous or real-time API interactions with Salesforce.

  • The hacker group ShinyHunters has claimed responsibility for the breach, stating they plan to leak data from nearly 1,000 organizations affected.


Background


Salesforce, a leading customer relationship management (CRM) platform, has issued a security alert regarding unusual activity involving Gainsight-published applications connected to its platform. This incident may have exposed certain customers' Salesforce data.


Unauthorized Access to Customer Data


Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. The company's investigation indicates this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection.


Containment Measures


Upon detecting the suspicious activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. The company has also temporarily removed those applications from the AppExchange while the investigation continues.


No Salesforce Platform Vulnerability


Salesforce has clarified that the issue does not stem from any vulnerability within the Salesforce core platform. The company stated that "the activity appears to be related to the app's external connection to Salesforce."


Ongoing Disruptions for Gainsight Customers


Gainsight has acknowledged significant service disruptions while its team investigates the connector failures. Access to Gainsight via Salesforce remains unavailable, and the company is working jointly with Salesforce to diagnose the root cause and safely restore operations.


Hacker Group Claims Responsibility


According to reports, the hacker group ShinyHunters has claimed responsibility for the breach, stating that they plan to leak data from nearly 1,000 organizations affected across both the Salesloft and Gainsight campaigns.


Sources


  • https://securityonline.info/salesforce-revokes-access-tokens-gainsight-app-breach-may-have-exposed-customer-data/

  • https://securityaffairs.com/184896/hacking/salesforce-alerts-users-to-potential-data-exposure-via-gainsight-oauth-apps.html

  • https://hackread.com/shinyhunters-breach-gainsight-salesforce-1000-firms/

  • https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/

  • https://www.investing.com/news/economy-news/salesforce-says-customer-data-possibly-exposed-following-incident-4371950

© 2025 by Explain IT Again.