Google has confirmed that hackers stole Salesforce-stored data from more than 200 companies after compromising apps linked to customer-support firm Gainsight.
The incident marks one of the biggest supply-chain breaches in recent months. A well-known cybercriminal collective has claimed responsibility for the hack.
Salesforce disclosed on Thursday that “certain customers’ Salesforce data” had been accessed through apps published by Gainsight. While the company did not identify affected organisations, Google’s Threat Intelligence Group later confirmed that over 200 Salesforce instances may have been exposed.
Austin Larsen, principal threat analyst at Google, said the company was tracking the situation and monitoring for wider fallout.
Soon after Salesforce’s disclosure, a hacking group calling itself Scattered Lapsus$ Hunters — which includes members of ShinyHunters, Scattered Spider and Lapsus$ — claimed responsibility in a Telegram channel viewed by TechCrunch.
The group alleged that it accessed systems belonging to multiple major companies, including Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters and Verizon.
Google declined to comment on individual victims.
Companies respond amid confusion
CrowdStrike, which was named by the hackers, denied being impacted. Its spokesperson said the company “is not affected by the Gainsight issue,” adding that a “suspicious insider” had been terminated for allegedly sharing information with hackers.
Verizon said it was aware of the hackers’ “unsubstantiated claim”, while Malwarebytes, Thomson Reuters and others noted they were still investigating the matter.
Docusign said it found no evidence of a data compromise but had suspended all integrations with Gainsight out of caution.
Several other companies named by the hackers have yet to comment.
Members of the ShinyHunters group told TechCrunch that their access originated from an earlier campaign targeting clients of Salesloft, which provides the Drift marketing platform. In that attack, they reportedly stole Drift authentication tokens, which allowed them to break into connected Salesforce instances and download stored data.
Gainsight previously confirmed it was among the victims of the Salesloft/Drift breach, giving hackers a pathway into its systems.
Salesforce and Gainsight distancing themselves
Salesforce has insisted that there is no vulnerability in its platform, placing responsibility on external applications. It has temporarily revoked all active access tokens for Gainsight-linked apps as a precaution.
Gainsight, which is publishing updates on its incident page, said the breach stemmed from an external connection, not a flaw within Salesforce. The company is now working with Google-owned incident response firm Mandiant to investigate the intrusion. Forensic work is still underway.
Salesforce is notifying affected customers whose data was accessed.
Scattered Lapsus$ Hunters announced through Telegram that they plan to launch a dedicated extortion site next week to pressure victims — a tactic they used in October following the Salesloft-related breach.
The Scattered Lapsus$ Hunters collective is known for aggressive social-engineering attacks aimed at tricking employees into granting system access. Over the years, its members have claimed several high-profile breaches targeting companies including MGM Resorts, Coinbase and DoorDash.







