A Deep Look at What Happened, How It Started, and Why This Attack Matters
Google has confirmed a large-scale supply chain attack that affected more than 200 companies. The incident began with a breach at Gainsight, a customer-support platform used by many major businesses. The stolen data was stored inside Salesforce environments, but the attack did not come from Salesforce itself. Instead, it came through compromised third-party integrations published by Gainsight and connected to customers' Salesforce instances.
This is now one of the most serious enterprise data thefts of the year, and it shows how modern attacks propagate through chains of trusted integrations rather than through direct platform vulnerabilities.
On Thursday, Salesforce publicly disclosed that “certain customers’ Salesforce data” had been stolen. They did not name the affected companies. Just hours later, Google Threat Intelligence Group confirmed that it was aware of over 200 potentially affected Salesforce instances.
The stolen data came through apps published by Gainsight. This means hackers did not break into Salesforce itself. Instead, they used Gainsight’s integrations as an entry point.
Soon after the disclosure, the hacking collective Scattered Lapsus$ Hunters claimed responsibility.
The collective draws on ShinyHunters, Scattered Spider, and Lapsus$, the same crews linked to earlier high-profile attacks on MGM Resorts, DoorDash, Coinbase, and others.
The new Gainsight breach did not happen in isolation. It is directly linked to a previous campaign that targeted Salesloft’s Drift platform, an AI-powered marketing system used by businesses to automate sales interactions.
Timeline
Earlier attack (the Salesloft Drift campaign):
- Hackers compromised customers of Salesloft Drift.
- They stole Drift authentication tokens, which gave them access to connected Salesforce accounts.
- Gainsight was one of the customers affected in that earlier attack.
- That foothold allowed the hackers to compromise Gainsight itself.
Next phase (This week):
- Using the compromised Gainsight apps, hackers accessed many companies’ Salesforce instances.
- They downloaded stored customer data from those tenant environments.
Thursday:
- Salesforce disclosed the issue.
- Google confirmed the scale: more than 200 potentially affected Salesforce instances.
- Scattered Lapsus$ Hunters took responsibility on Telegram.
Friday:
- Gainsight posted updates.
- They confirmed that the breach originated from “external connections,” not Salesforce itself.
- Gainsight started working with Google-owned Mandiant for forensic investigation.
- Salesforce revoked all active access and refresh tokens for Gainsight-published apps to cut off further data access.
The group is also expected to launch an extortion site listing victims, as it did after the Salesloft breach in October.
Which Companies Are Allegedly Impacted?
Scattered Lapsus$ Hunters listed several major names, including:
- Atlassian
- CrowdStrike
- Docusign
- F5
- GitLab
- Malwarebytes
- SonicWall
- Thomson Reuters
- Verizon
Many companies have denied impact or said investigations are ongoing.
CrowdStrike stated that its systems were not affected, but acknowledged that an insider had attempted to pass information to the attackers. Docusign said it found no sign of compromise but terminated all Gainsight integrations anyway. Verizon called the hackers' claim "unsubstantiated." Several others are still investigating.
This breach did not happen because Salesforce was vulnerable. Salesforce has stated clearly that its platform had no security issue.
Instead, the attackers abused OAuth tokens belonging to third-party integrations that had been granted broad data access inside Salesforce tenants. Social engineering and insider manipulation were the key tools along the way. It is a textbook case of a single compromised vendor cascading into hundreds of downstream companies.
This is one of the largest supply chain breaches to hit enterprise SaaS environments this year, and it highlights three risks:
- Transitive trust. Companies grant apps like Gainsight, Drift, or marketing bots standing access to their Salesforce data. When one vendor is compromised, every connected customer inherits that compromise.
- Token theft as lateral movement. Stolen Drift tokens were enough to reach connected Salesforce instances, and from there Gainsight, without any platform vulnerability.
- Social engineering and insiders. Both continue to bypass technical controls, so employee awareness has to sit alongside tighter integration scopes and monitoring of what integration identities actually read.
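Because the data left through legitimately authorised integration tokens, the signal a tenant owner has is behavioural: an integration identity suddenly reading far more rows, new objects, or from a new source address. The script below is an added example, not code from the article or from Salesforce or Gainsight. Its records are constructed; the field names (Username, Application, QueriedEntities, RowsProcessed, SourceIp, EventDate) are modelled on Salesforce's ApiEvent monitoring object, and the integration user names, IPs, cutoff date and the 10x threshold are assumptions.

```python
"""Flag anomalous data pulls by third-party integration identities.

Added example (not from the original article). EVENTS is a CONSTRUCTED
sample; field order mirrors a subset of Salesforce ApiEvent fields:
EventDate, Username, Application, QueriedEntities, RowsProcessed, SourceIp.
User names, app names, IPs and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

EVENTS = [
    # --- constructed baseline week: normal nightly syncs by integration users ---
    ("2025-11-10T09:05:00Z", "gainsight.integration@example.com", "Gainsight", "Account,Contact", 1100, "203.0.113.10"),
    ("2025-11-11T09:04:00Z", "gainsight.integration@example.com", "Gainsight", "Account,Contact", 1250, "203.0.113.10"),
    ("2025-11-12T09:06:00Z", "gainsight.integration@example.com", "Gainsight", "Account,Contact", 980, "203.0.113.10"),
    ("2025-11-13T09:05:00Z", "gainsight.integration@example.com", "Gainsight", "Account,Contact", 1320, "203.0.113.10"),
    ("2025-11-14T09:05:00Z", "gainsight.integration@example.com", "Gainsight", "Account,Contact", 1190, "203.0.113.10"),
    ("2025-11-10T10:00:00Z", "drift.integration@example.com", "Drift", "Lead", 300, "198.51.100.7"),
    ("2025-11-12T10:00:00Z", "drift.integration@example.com", "Drift", "Lead", 280, "198.51.100.7"),
    ("2025-11-14T10:00:00Z", "drift.integration@example.com", "Drift", "Lead", 310, "198.51.100.7"),
    # --- constructed detection window: one normal sync, one token-driven bulk export ---
    ("2025-11-17T09:05:00Z", "gainsight.integration@example.com", "Gainsight", "Account,Contact", 1210, "203.0.113.10"),
    ("2025-11-18T02:41:00Z", "gainsight.integration@example.com", "Gainsight", "Account,Contact,Case,Opportunity", 480000, "192.0.2.55"),
    ("2025-11-18T10:00:00Z", "drift.integration@example.com", "Drift", "Lead", 295, "198.51.100.7"),
]

# Events before CUTOFF form the baseline; events at or after it are inspected.
CUTOFF = datetime(2025, 11, 17, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events, cutoff):
    """Per (username, application): median rows read, objects touched, source IPs."""
    rows, entities, ips = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, user, app, queried, n_rows, ip in events:
        if parse_ts(ts) >= cutoff:
            continue
        key = (user, app)
        rows[key].append(n_rows)
        entities[key].update(queried.split(","))
        ips[key].add(ip)
    return {
        key: {"median_rows": median(rows[key]), "entities": entities[key], "ips": ips[key]}
        for key in rows
    }


def find_anomalies(events, cutoff, multiplier=10):
    """Return findings for integration activity that deviates from its own baseline."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for ts, user, app, queried, n_rows, ip in events:
        if parse_ts(ts) < cutoff:
            continue
        base = baseline.get((user, app))
        reasons = []
        if base is None:
            reasons.append("no baseline for this integration identity")
        else:
            if n_rows > multiplier * base["median_rows"]:
                reasons.append(f"rows {n_rows} exceed {multiplier}x baseline median {base['median_rows']:.0f}")
            new_objects = sorted(set(queried.split(",")) - base["entities"])
            if new_objects:
                reasons.append("objects never queried before: " + ",".join(new_objects))
            if ip not in base["ips"]:
                reasons.append(f"source IP {ip} never seen for this app")
        if reasons:
            findings.append({"event_date": ts, "username": user, "application": app, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS, CUTOFF):
        print(finding["event_date"], finding["username"], finding["application"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed sample only the 02:41 Gainsight event fires, on all three counts: row volume, new objects (Case and Opportunity), and an unfamiliar source address. The baseline is keyed on the integration identity and app, not the org, because a stolen token acts exactly like the legitimate integration except in what it reads and from where. A hit on a third-party app's identity is the point at which a tenant admin should revoke that connected app's tokens locally rather than wait for the vendor or the platform to do it centrally, as Salesforce eventually did here.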