Salesforce Says Customer Data May Be Exposed in Gainsight Incident - "Unusual Activity" Being Probed

Summary

Salesforce disclosed that unauthorized access to customer data occurred through Gainsight‑published applications on its platform, prompting the company to revoke all active access and refresh tokens for those apps and temporarily pull them from the AppExchange. The breach is linked to the ShinyHunters group, which leveraged OAuth tokens stolen in the August 2025 Salesloft breach to infiltrate Gainsight’s external connections, extracting business contact details, licensing information, and support case content. Salesforce emphasized that the incident did not stem from a vulnerability in its core platform but from the third‑party app’s external integration. Affected customers have been notified directly and further updates will be provided.