On November 19, Salesforce posted a security advisory on its site:
Security Advisory: Unusual Activity Related to Gainsight Applications
Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection. Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues. There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce. We have notified known affected customers directly and will continue to provide updates as appropriate. Customers who need assistance can reach us through Salesforce Help: https://help.salesforce.com/s.
Posted 10:57 pm EST, Nov 19 2025 · Last updated 10:57 pm EST, Nov 19 2025
Given Salesforce’s history of being targeted by ShinyHunters and its collective associates, DataBreaches reached out to ask ShinyHunters if the Gainsight campaign was their doing.”Unfortunately, yes,” their spokesperson responded, clarifying that the “Unfortunately” was as in “it’s unfortunate that this is probably the 3rd of 4th large-scale campaign against Salesforce by the same group again.”
According to the spokesperson, they plan to launch another dedicated leak site if Salesforce does not comply with them.
“The next DLS will contain the data of the Salesloft and GainSight campaigns,” they stated, “which is, in total, almost 1000 organisations. Only actual companies, mainly Fortune 500 will be listed or things I feel would be worth it. From the GainSight campaign the large companies were: Verizon, Gitlab, F5, Sonicwall, and others.”