Gainsight has been implicated in a widespread security breach affecting more than 200 Salesforce instances, according to the Google Threat Intelligence Group. The breach is connected to the theft of OAuth tokens during the August 2025 Salesloft incident.
Salesloft Breach Details
In August 2025, an attack on Salesloft allowed hackers known as 'Scattered Lapsus$ Hunters' to steal OAuth tokens. These tokens gave them unauthorized access to Salesforce data through the Drift AI chat integrations used by customers.
- OAuth tokens stolen during August 2025 Salesloft breach.
- Attackers accessed Salesforce data through Drift AI integrations.
- Company files, including Gainsight data, were compromised.
Affected Companies
Google Threat Intelligence Group names several prominent companies among the victims: Atlassian, CrowdStrike, LinkedIn, Docusign, F5, GitLab, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. However, a TechCrunch inquiry found no confirmations of breaches from these entities, though some are actively investigating the incident.
- Potential victims include LinkedIn, Verizon, GitLab, and others.
- Companies contacted by TechCrunch have not confirmed breaches.
- Some organizations are still assessing impacts.
Salesforce Response
Salesforce has clarified that the incident was not caused by weaknesses in its own systems. The unauthorized access did not exploit any vulnerability in the Salesforce platform itself.
The ramifications of this incident are still unfolding as investigations continue, with affected firms working to secure their systems.