Salesforce said on Wednesday that it’s investigating a breach of “certain customers’ Salesforce data” that was compromised through apps published by Gainsight, a company that sells a platform for other companies to manage their customers.
In a notice published late Wednesday, Salesforce said the hacks involve “Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.”
Salesforce said that there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” and that the activity appears related to Gainsight’s “external connection to Salesforce.”
When reached for comment, Salesforce spokesperson Nicole Aranda referred News to the company’s page dedicated to the incident.
Contact Us
Do you have more information about these Salesforce and Gainsight data breaches? Or other data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact News via SecureDrop.
As of this writing, Gainsight said in a status page that it is investigating a “Salesforce connection issue,” without making any reference to a potential breach. “Our internal investigation is ongoing,” Gainsight wrote.
A spokesperson for Gainsight did not immediately respond to News’s request for comment.
On its website, Gainsight touts several corporate customers, including Airtable, Notion, GitLab, and others. When reached by email, GitLab spokesperson Emily James told News that the Gitlab’s “security team is investigating and we’ll get back to you when we have more to share.”
Techcrunch event
San Francisco
|
October 13-15, 2026
The prolific hacking group ShinyHunters told cybersecurity news website DataBreaches.net that it was behind the breach, adding that if Salesforce doesn’t negotiate with them, they will create a new website to advertise the stolen data — a common extortion tactic by financially-motivated cybercriminals.
“The next [data leak site] will contain the data of the Salesloft and GainSight campaigns,” the hackers told DataBreaches.net. The hackers claim to have stolen data from close to a thousand companies.
This data breach appears similar to an August breach at AI marketing chatbot maker Salesloft, which allowed the hackers to break into a number of their customers’ connected Salesforce instances to steal sensitive data, such as access tokens for other services. Among the victims included insurance giant Allianz Life, Bugcrowd, Cloudflare, Google, fashion conglomerate Kering, Proofpoint, the airline Qantas, carmaker Stellantis, credit bureau TransUnion, the employee management platform Workday, and others.
In the case of the Salesloft breaches, the hacking group Scattered Lapsus$ Hunters, which apparently includes the ShinyHunters gang, claimed responsibility.
Last month, the hackers launched a dedicated website to extort the victims of the breaches, where they threatened to release a billion records.
At the time, Gainsight confirmed it was among the victims of the Salesloft-linked breaches, but it’s unclear if this new wave of hacks originated from its earlier compromise.
