In one of the most significant cybersecurity incidents of 2025, Google has confirmed that attackers reached data in more than 200 Salesforce instances by abusing OAuth tokens associated with Gainsight, a widely used customer success platform that integrates with Salesforce. As the sections below describe, the attack ran on stolen, still-valid integration tokens rather than on a software vulnerability in either product.
The breach, attributed to the hacking collective known as Scattered Lapsus$ Hunters (which includes ShinyHunters), is a supply chain attack in the strict sense: the attackers never had to break into the victims directly, but entered through a vendor the victims had already authorized. It exposed customer data from high-profile companies including Verizon, GitLab, F5, SonicWall, and many others.
What Happened: The Attack Timeline
According to Salesforce’s indicators of compromise (IOCs), the attack unfolded in stages:
November 8, 2025: First unauthorized access was detected via an AT&T IP address, believed to be reconnaissance activity
November 16-23, 2025: Approximately 20 suspicious intrusions were identified using various tools including Tor and commercial VPN services like Mullvad and Surfshark
November 20-21, 2025: Salesforce publicly disclosed the activity and revoked the access and refresh tokens of Gainsight-published connected apps for all customers, cutting the integration off at the platform level
How the Attack Worked: OAuth Token Exploitation
The attack exploited a structural weakness in how SaaS platforms trust one another, not a bug in any single product. Here is how it worked:
The attackers first compromised Salesloft Drift, an AI chatbot and marketing platform. During that initial attack they stole the OAuth tokens Drift held for its customers' connected Salesforce instances.
Those stolen tokens gave the attackers a path into connected Salesforce instances through Gainsight's SFDC Connector app. This works because an OAuth access or refresh token issued to a connected app is a bearer credential: Salesforce accepts it at the API with whatever scopes were granted when the app was authorized, and no interactive login takes place. MFA, login flows and the other controls that apply to a human signing in never run for token-based API calls, which is why a trusted integration's tokens could sidestep those controls unless the connected app's own policies restricted where its tokens could be used from.
Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, confirmed: “We are aware of more than 200 potentially affected Salesforce instances.”
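To make the transitive trust concrete, here is an added Python example (not code from Gainsight, Salesforce or Google) that walks a hypothetical integration graph. Each edge is a token one party holds for another, tagged with the OAuth scopes it was granted; compromising a node hands the attacker every token that node holds. The node names, edges and scope assignments are constructed, and the shape simply mirrors the chain described above.

```python
"""Blast radius of a compromised SaaS vendor over an integration trust graph.

Added example, not code from Gainsight, Salesforce or Google. Each edge says
"a token held by SRC grants SCOPES on DST". An attacker who compromises a node
owns every token that node holds, so the reachable set is a transitive closure,
but only tokens with data-bearing scopes let the attacker pivot further.
"""
from collections import deque

# Salesforce-style OAuth scope names that expose CRM records or API access.
# A token with only identity scopes ("id", "openid") cannot be used to pivot.
DATA_SCOPES = {"api", "full", "web", "chatter_api"}

# Hypothetical integration graph modelled on the chain described above.
# Node names are illustrative placeholders, not real tenants or apps.
TRUST_EDGES = [
    # (token holder,         target,                 scopes granted to that token)
    ("salesloft-drift",      "gainsight-tenant",     {"api", "refresh_token"}),
    ("gainsight-tenant",     "customerA.salesforce", {"api", "refresh_token"}),
    ("gainsight-tenant",     "customerB.salesforce", {"full", "refresh_token"}),
    ("gainsight-tenant",     "customerC.salesforce", {"id"}),   # identity only
    ("customerA.salesforce", "customerA.ticketing",  {"api"}),  # outbound token from the CRM
    ("other-vendor",         "customerA.salesforce", {"api"}),  # unrelated integration
]


def blast_radius(edges, compromised, pivot_scopes=DATA_SCOPES):
    """Map every node the attacker can read data from to the path used to reach it.

    Breadth-first walk from `compromised`. An edge is followed only when its
    scopes intersect `pivot_scopes`; identity-only tokens are a dead end.
    """
    outgoing = {}
    for src, dst, scopes in edges:
        outgoing.setdefault(src, []).append((dst, scopes))

    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for dst, scopes in outgoing.get(node, ()):
            if dst in paths or not (scopes & pivot_scopes):
                continue
            paths[dst] = paths[node] + [dst]
            queue.append(dst)
    del paths[compromised]
    return paths


def tokens_to_revoke(edges, compromised):
    """Every (holder, target) token the responder must revoke: the tokens held
    by the compromised node and by every node reachable from it. This includes
    identity-only tokens, which are in attacker hands even if they cannot pivot."""
    tainted = {compromised, *blast_radius(edges, compromised)}
    return sorted((src, dst) for src, dst, _ in edges if src in tainted)


if __name__ == "__main__":
    for node, path in blast_radius(TRUST_EDGES, "salesloft-drift").items():
        print(f"{node:24s} via {' -> '.join(path)}")
    print("revoke:", tokens_to_revoke(TRUST_EDGES, "salesloft-drift"))
```

Two things the walk makes visible that a vendor list does not: customerC is untouched only because its token carried no data scope, which is the least-privilege argument in one line, and customerA's ticketing system is reachable three hops from the original compromise even though it never integrated with Drift or Gainsight at all.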
Major Companies Affected
The Scattered Lapsus$ Hunters group claimed responsibility for hacks affecting multiple high-profile companies:
Verizon – Telecommunications giant
GitLab – DevOps platform
F5 Networks – Network security
SonicWall – Cybersecurity company
Atlassian – Enterprise software
CrowdStrike – Endpoint security
DocuSign – Digital signatures
LinkedIn – Professional networking
Malwarebytes – Anti-malware
Thomson Reuters – Media and information
The hackers have also threatened to leak data from nearly 1,000 companies, including Fortune 500 firms, via a dedicated leak site. They’ve hinted at launching a ransomware-as-a-service (RaaS) platform, escalating risks of further extortion.
What Data Was Exposed?
According to Gainsight’s confirmation, the compromised data includes:
Business contact details (names, business email addresses, phone numbers)
Regional and location information
Licensing information
Support case contents and Salesforce case text
CRM-layer data and customer relationship information
While the exposed data was mostly business contact information rather than highly sensitive personal data, it is far from harmless. Support case text can contain internal hostnames, configuration details and, in the worst cases, credentials that customers pasted into tickets, and a complete picture of who a company's customers are and what they currently have open with support is exactly what a convincing vendor-impersonation phishing or extortion campaign needs. The exposure therefore carries real reputational, compliance and downstream fraud risk.
How to Protect Your Organization
Security experts recommend the following steps to protect against similar supply chain attacks; for an affected Salesforce customer, the first two are where to start:
Audit Third-Party App Permissions: Inventory every connected app (in Salesforce, the Connected Apps OAuth Usage page in Setup lists them with their users and token counts) and revoke apps and users that no longer need access. An app whose business owner cannot be named should not keep a token.
Monitor OAuth Token Usage: Alert on connected-app logins from networks the app has never used, from Tor or commercial VPN ranges, and on bursts of API activity that do not match the app's normal schedule. LoginHistory and, where licensed, Event Monitoring are the inputs.
Enforce Least-Privilege Access: Grant integrations only the OAuth scopes and object permissions they need, through a dedicated integration user with a restricted profile, rather than the broad scopes a default install often requests.
Rotate Credentials Regularly: Revoke and reissue OAuth tokens periodically, and immediately when a vendor reports an incident. Rotation shortens the window in which a stolen token stays usable; it does not replace revocation.
Conduct Third-Party Risk Assessments: Evaluate the security posture of integrated vendors, including which of their own vendors hold tokens that can reach your data, since this breach travelled two vendors deep.
Prepare Incident Response Plans: Have a playbook specifically for a compromised vendor: who is authorized to revoke tokens, how to pull the login and API logs for that app, and how affected customers will be notified.
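The monitoring step above can be started from data every Salesforce org already has. The following added Python example (not Salesforce's or Gainsight's tooling) runs a baseline-and-anomaly check over rows shaped like the LoginHistory object: it learns which networks each connected app normally logs in from before a cutoff date, then flags later OAuth logins from outside that baseline, from anonymizer ranges, or in bursts. The export rows, the app name "Gainsight Connector", the user IDs and the Tor/VPN CIDRs are all constructed; only the column names and the "Remote Access 2.0" login type are Salesforce's.

```python
"""Baseline-and-anomaly check over Salesforce LoginHistory-style rows.

Added example, not Salesforce's or Gainsight's tooling. Connected-app
(OAuth 2.0) logins appear in LoginHistory with LoginType "Remote Access 2.0";
the check learns where each app normally comes from, then flags later logins
from outside that baseline, from Tor/VPN ranges, or in bursts.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: the app name, user IDs, IPs and dates are made up and
# real exports carry more columns. Dates follow the timeline discussed above.
SAMPLE_LOGINHISTORY = """\
LoginTime,UserId,SourceIp,Application,LoginType,Status
2025-10-28T01:05:00Z,005xx0000001INT,203.0.113.10,Gainsight Connector,Remote Access 2.0,Success
2025-10-30T01:05:00Z,005xx0000001INT,203.0.113.11,Gainsight Connector,Remote Access 2.0,Success
2025-11-03T01:05:00Z,005xx0000001INT,203.0.113.10,Gainsight Connector,Remote Access 2.0,Success
2025-11-05T09:12:00Z,005xx0000002USR,192.0.2.25,Browser,Application,Success
2025-11-08T14:31:00Z,005xx0000001INT,198.51.100.8,Gainsight Connector,Remote Access 2.0,Success
2025-11-17T03:44:00Z,005xx0000001INT,198.51.100.77,Gainsight Connector,Remote Access 2.0,Success
2025-11-17T03:46:00Z,005xx0000001INT,198.51.100.78,Gainsight Connector,Remote Access 2.0,Success
2025-11-17T03:49:00Z,005xx0000001INT,198.51.100.79,Gainsight Connector,Remote Access 2.0,Success
2025-11-18T01:05:00Z,005xx0000001INT,203.0.113.10,Gainsight Connector,Remote Access 2.0,Success
2025-11-19T10:00:00Z,005xx0000002USR,198.51.100.90,Browser,Application,Success
"""

# Constructed threat-intel list of Tor exit and commercial-VPN egress ranges.
# In practice this is loaded from a feed, not hard-coded.
ANONYMIZER_NETS = {
    "tor": [ipaddress.ip_network("198.51.100.64/26")],
    "vpn": [ipaddress.ip_network("198.51.100.0/26")],
}

OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # LoginHistory.LoginType for OAuth 2.0 app logins
BASELINE_CUTOFF = datetime(2025, 11, 8)  # learn "normal" from logins before this date


def parse_loginhistory(text):
    """Parse a CSV export into dicts with typed LoginTime/SourceIp, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["LoginTime"] = datetime.strptime(r["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")
        r["SourceIp"] = ipaddress.ip_address(r["SourceIp"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["LoginTime"])


def anonymizer_tag(ip):
    """Return 'tor', 'vpn' or None for an ip_address object."""
    for tag, nets in ANONYMIZER_NETS.items():
        if any(ip in n for n in nets):
            return tag
    return None


def baseline_networks(rows, before, prefix=24):
    """Per connected app: the /prefix networks it logged in from before `before`."""
    base = defaultdict(set)
    for r in rows:
        if r["LoginType"] == OAUTH_LOGIN_TYPE and r["LoginTime"] < before:
            base[r["Application"]].add(
                ipaddress.ip_network((str(r["SourceIp"]), prefix), strict=False))
    return base


def detect(rows, baseline_before=BASELINE_CUTOFF,
           burst_window=timedelta(minutes=10), burst_n=3):
    """Alerts for OAuth app logins at/after `baseline_before` that come from a
    network the app never used before, from an anonymizer, or as part of a
    burst of >= burst_n logins within burst_window."""
    base = baseline_networks(rows, baseline_before)
    recent = defaultdict(list)  # app -> login times inside the burst window
    alerts = []
    for r in rows:
        if r["LoginType"] != OAUTH_LOGIN_TYPE or r["LoginTime"] < baseline_before:
            continue
        app, ip, t = r["Application"], r["SourceIp"], r["LoginTime"]
        reasons = []
        if not any(ip in net for net in base.get(app, ())):
            reasons.append("ip_outside_baseline")
        tag = anonymizer_tag(ip)
        if tag:
            reasons.append("anonymizer:" + tag)
        recent[app] = [x for x in recent[app] if t - x <= burst_window] + [t]
        if len(recent[app]) >= burst_n:
            reasons.append("burst")
        if reasons:
            alerts.append({"time": t.isoformat(), "app": app, "user": r["UserId"],
                           "ip": str(ip), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_loginhistory(SAMPLE_LOGINHISTORY)):
        print(a["time"], a["app"], a["ip"], ",".join(a["reasons"]))
```

On the constructed rows the 18 November login from the vendor's usual range produces nothing, while the four logins from unfamiliar ranges are all flagged and the third login in the 17 November cluster additionally trips the burst rule. The baseline is learned per application, so a new app with no history is flagged on its first login, which is the behaviour you want for an integration user that should only ever come from a handful of vendor egress addresses.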
Key Takeaways
This Gainsight breach represents a wake-up call for organizations relying on SaaS integrations:
Supply chain attacks are increasingly sophisticated and target trusted third-party integrations
OAuth tokens can become attack vectors if not properly managed and monitored
Over-permissioned apps create unnecessary risk exposure
Even companies with strong security can be compromised through their vendors
Gainsight has engaged Mandiant for forensic investigation and, as a precaution, disabled its connections with HubSpot and Zendesk. The investigation is ongoing, and affected organizations should assess their exposure now: confirm whether the Gainsight connected app was installed, pull its login and API history for the dates above, and verify that its tokens were in fact revoked.
