Salesforce Data Breach Exposes Customer Records via Gainsight App

On Nov. 20, 2025, Salesforce, a cloud-based software company, identified unusual activity on its network involving Gainsight-published applications connected to Salesforce. The internal investigation revealed that unauthorized threat actors may have accessed sensitive customer data through the app's connection.

According to reports, the attack was carried out by a cybercriminal organization, ShinyHunters. The group claims to have exfiltrated data from nearly 1,000 organizations connected to Salesforce via the Gainsight app. However, these numbers are not yet verified. The information potentially exposed included personally identifiable information (PII) such as names, email addresses, business contact details, account information and customer engagement metrics.

Salesforce notes that it revoked all access to Gainsight-published apps and temporarily removed them from the AppExchange while the investigation continues. As of this writing, the latest latest status update from Gainsight notes that they, "continue to work closely with Salesforce on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce."

Salesforce posted a notice to consumers on Nov. 20, 2025. Gainsight has also published an FAQ on its website concerning the connected app incident.

The severity of the breach is underscored by the fact that Salesforce is the world’s leading CRM provider, serving thousands of organizations globally. The incident not only compromised sensitive business data but also raised concerns about the security of third-party integrations and the need for rigorous monitoring of vendor access within enterprise ecosystems.

The potential exposure of PII puts individuals, businesses and the customers they serve at risk for identity theft and financial fraud.

Salesforce's response

In response to the breach, Salesforce and Gainsight initiated immediate investigations and worked to identify and secure the compromised integration points. However, the investigation is ongoing, and more details may surface. Both companies have since reviewed and updated their security protocols, focusing on strengthening third-party app vetting processes and enhancing monitoring of vendor connections.

Affected organizations have been notified and provided with guidance on reviewing their connected apps, revoking unnecessary permissions, and implementing additional security controls such as multi-factor authentication and regular access reviews.

At this time, no specific consumer protection services such as credit monitoring have been announced, as the breach primarily affected business contact information rather than financial or health data. However, organizations are encouraged to remain vigilant and follow best practices for securing their Salesforce environments.