{"id":8146,"date":"2025-11-20T17:14:17","date_gmt":"2025-11-20T23:14:17","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86904"},"modified":"2025-11-20T17:14:17","modified_gmt":"2025-11-20T23:14:17","slug":"hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/11\/20\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach\/","title":{"rendered":"Hundreds of Salesforce customers hit by yet another third-party vendor breach"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Hundreds of Salesforce customers hit by yet another third-party vendor breach | CyberScoop<\/title> <meta name=\"description\" content=\"The widespread compromise is strikingly similar to a previous attack that originated at Salesloft Drift.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/salesforce-gainsight-customers-breach\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Hundreds of Salesforce customers hit by yet another third-party vendor breach\"> <meta property=\"og:description\" content=\"The widespread compromise is strikingly similar to a previous attack that originated at Salesloft Drift.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/salesforce-gainsight-customers-breach\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-11-20T23:14:17+00:00\"> 
<meta property=\"article:modified_time\" content=\"2025-11-20T23:14:20+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"688\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1763493151g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1763502595g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1763439630g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86904\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86904\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalesforce-gainsight-customers-breach%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalesforce-gainsight-customers-breach%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86904 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/salesforce-gainsight-customers-breach\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top 
ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.578732106339\">\n<div class=\"single-article__header-content\" readability=\"34.372340425532\">\n<p> The widespread compromise is strikingly similar to a previous attack that originated at Salesloft Drift. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86904\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"430\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach.jpg?resize=640%2C430&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Salesforce Tower in San Francisco on June 28, 2019. (Jessica Christian\/San Francisco Chronicle via Getty Images)\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg?resize=300,202 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg?resize=768,516 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg?resize=600,403 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg?resize=250,168 250w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg?resize=502,337 502w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-2.jpg?resize=1005,675 1005w\" sizes=\"(max-width: 1005px) 100vw, 1005px\"><figcaption> Salesforce Tower in San Francisco on June 28, 2019. 
(Jessica Christian\/San Francisco Chronicle via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"37.519367870722\"><body readability=\"76.104601391118\"><\/p>\n<p>Salesforce said yet another breach involving a third-party vendor has compromised customers\u2019 data, warning in a <a href=\"https:\/\/status.salesforce.com\/generalmessages\/20000233\">security advisory<\/a> late Wednesday that it detected unusual activity in Gainsight applications connected to Salesforce customer environments.<\/p>\n<p>\u201cGoogle Threat Intelligence Group is aware of more than 200 potentially affected Salesforce instances,\u201d Austin Larsen, principal analyst at GTIG, told CyberScoop.&nbsp;<\/p>\n<p>The breach shares strong similarities to an <a href=\"https:\/\/cyberscoop.com\/salesloft-drift-compromise-scope-expands\/\">expansive downstream attack spree<\/a> that impacted more than 700 customers who integrated Salesloft Drift into Salesforce less than two months ago.<\/p>\n<p>The attacks targeting Gainsight, which bills itself as \u201ccustomer success\u201d software, and Salesloft Drift customer integrations with Salesforce are also linked to the same threat group or associated cybercriminals. 
\u201cWe assess this is likely the same threat cluster \u2014 ShinyHunters or UNC6240 \u2014 related to other recent campaigns targeting Salesforce instances, such as UNC6040,\u201d Larsen said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Salesforce responded to both attacks by revoking the access tokens that allowed customers to connect the third-party services to their Salesforce environments.<\/p>\n<p>\u201cOur investigation indicates this activity may have enabled unauthorized access to certain customers\u2019 Salesforce data through the app\u2019s connection,\u201d Salesforce said in the advisory. \u201cThere is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app\u2019s external connection to Salesforce.\u201d<\/p>\n<p>The company did not say when or how it became aware of the unauthorized activity in customer environments. A Salesforce spokesperson did not provide additional details and said the company will update its security page with more information and customer guidance as appropriate.<\/p>\n<p>Organizations impacted by the attack originating in Gainsight\u2019s Salesforce connector are unknown, but the platform has about 1,000 customers, including many well-known enterprises and technology firms.<\/p>\n<p>Gainsight issued its first public alert about Salesforce connection failures on its <a href=\"https:\/\/status.gainsight.com\/\">status page<\/a> late Wednesday. 
\u201cWe continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications,\u201d the company said in an update Thursday.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The company said the Gainsight app has also been \u201ctemporarily pulled\u201d from the Hubspot Marketplace, a move that may impact OAuth access for customer connections with that platform. \u201cNo suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only.\u201d<\/p>\n<p>While broader impact hasn\u2019t been confirmed, the potential scope beyond Salesforce suggests the breach might have compromised any service Gainsight customers connected to the platform. As Google security researchers responded to the Salesloft Drift attacks in August, they determined any user that integrated the AI chat agent platform to another service may have been compromised.<\/p>\n<p>In a twist of irony, Gainsight previously said it was also one of the Salesloft Drift customers <a href=\"https:\/\/www.gainsight.com\/security\/\">impacted in the previous attacks<\/a>.<\/p>\n<p>Gainsight, which said its internal investigation is ongoing, did not say how its customers\u2019 access tokens may have been compromised. 
Salesloft ultimately pinned the <a href=\"https:\/\/cyberscoop.com\/salesloft-drift-attack-root-cause-github-oauth\/\">root cause of the Drift supply-chain attacks<\/a> to a threat group that gained access to its GitHub account as far back as March, lurking in the Salesloft application environment undetected until it stole data from hundreds of organizations during a 10-day period in mid-August.<\/p>\n<p>Gainsight, which said its internal investigation is ongoing, did not respond to a request for comment.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7899786780384\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/11\/hundreds-of-salesforce-customers-hit-by-yet-another-third-party-vendor-breach-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/salesforce-gainsight-customers-breach\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hundreds of Salesforce customers hit by yet another third-party vendor<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,440,5512,3729,3099,288],"tags":[286,86,444,5513,3731,3104,294],"class_list":["post-8146","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-data-breaches","category-gainsight","category-google-threat-intelligence-group","category-salesforce","category-threats","tag-cybercrime","tag-cybersecurity","tag-data-breaches","tag-gainsight","tag-google-threat-intelligence-group","tag-salesforce","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/gainsight\/\" rel=\"category tag\">Gainsight<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-threat-intelligence-group\/\" rel=\"category tag\">Google Threat Intelligence Group<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/salesforce\/\" rel=\"category tag\">Salesforce<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8146"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8146\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}