Salesforce said Wednesday it is investigating a breach of “certain customers’ Salesforce data” that was compromised through apps published by Gainsight, a company that sells a platform for other companies to manage their customers.
In a statement released late Wednesday, Salesforce said the hacks involved “apps published by Gainsight that connect to Salesforce and are installed and managed directly by customers.”
Salesforce said there was “no indication that this issue stemmed from any vulnerability in the Salesforce platform” and that the activity appeared to be related to Gainsight’s “external connection to Salesforce.”
When reached for comment, Salesforce spokeswoman Nicole Aranda referred TechCrunch to the company’s page dedicated to the incident.
As of this writing, Gainsight said on a status page that it’s investigating a “Salesforce login issue,” making no mention of a possible breach. “Our internal investigation is ongoing,” Gainsight wrote.
A representative for Gainsight did not immediately respond to TechCrunch’s request for comment.
On its website, Gainsight advertises several enterprise customers, including Airtable, Notion, GitLab and others. When contacted via email, GitLab spokeswoman Emily James told TechCrunch that “GitLab’s security team is investigating, and we’ll get back to you when we have more to share.”
The prolific ShinyHunters hacker team told the cybersecurity news site DataBreaches.net that it was behind the breach, adding that if Salesforce doesn’t negotiate with them, it will create a new website to advertise the stolen data — a common extortion tactic by financially motivated cybercriminals.
“The next one [data leak site] it will contain the data of Salesloft and GainSight campaigns,” the hackers told DataBreaches.net. Hackers claim to have stolen data from nearly a thousand companies.
This data breach appears similar to an August breach at AI marketing chatbot maker Salesloft, which allowed hackers to break into some of its customers’ connected Salesforce instances to steal sensitive data, such as access tokens for other services. Victims included insurance giant Allianz Life, Bugcrowd, Cloudflare, Google, fashion group Kering, Proofpoint, airline Qantas, automaker Stellantis, credit bureau TransUnion, employee management platform Workday and others.
In the case of the Salesloft hacks, the Scattered Lapsus$ Hunters hacker group, which apparently includes the ShinyHunters gang, took responsibility.
Last month, hackers created a special website to blackmail victims of the breaches, where they threatened to release a billion files.
At the time, Gainsight confirmed it was among the victims of the Salesloft-related breaches, but it’s unclear if this new wave of hacks stemmed from its previous compromise.
