Stay updated on the Gainsight breach tied to the Salesloft–Drift attack. Obsidian Security shares live intelligence, impact details, and critical customer actions.
LIVE UPDATE: 11/20/25, 12:48PM PST
To assist the wider industry in investigating this emerging threat, Obsidian is publishing the following IOCs with moderate confidence:
IP: 3.239.45.43
User Agent: Python/3.11 aiohttp/3.13.1
Access from this IP and/or User Agent has primarily been observed on October 22nd and 23rd.
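As an added example (not Obsidian's code), a small Python hunt over a constructed CSV export of API access events: it flags rows matching either indicator above and notes whether each hit falls inside the October 22 to 23 window where the activity was primarily observed. The CSV column names and sample rows are assumptions, not a real Salesforce or Gainsight log format.

```python
import csv
import io
from datetime import date, datetime

# IOCs published above (moderate confidence).
IOC_IP = "3.239.45.43"
IOC_UA = "Python/3.11 aiohttp/3.13.1"
# Window in which access from these indicators was primarily observed.
WINDOW = (date(2025, 10, 22), date(2025, 10, 23))

# Constructed sample log lines in a hypothetical CSV export shape
# (timestamp, source_ip, user_agent, user, api_name); not real data.
SAMPLE_LOG = """timestamp,source_ip,user_agent,user,api_name
2025-10-22T14:02:11Z,3.239.45.43,Python/3.11 aiohttp/3.13.1,integration@example.com,query
2025-10-22T14:05:40Z,198.51.100.7,Python/3.11 aiohttp/3.13.1,integration@example.com,query
2025-10-23T09:17:03Z,3.239.45.43,Mozilla/5.0,analyst@example.com,describe
2025-11-02T08:00:00Z,3.239.45.43,Python/3.11 aiohttp/3.13.1,integration@example.com,query
2025-10-22T10:00:00Z,203.0.113.9,Mozilla/5.0,sales@example.com,query
"""

def classify(row):
    """Return a match label for one log row, or None if no IOC matches."""
    ip_hit = row["source_ip"] == IOC_IP
    ua_hit = row["user_agent"] == IOC_UA
    if not (ip_hit or ua_hit):
        return None
    day = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").date()
    in_window = WINDOW[0] <= day <= WINDOW[1]
    if ip_hit and ua_hit:
        label = "ip+ua"
    elif ip_hit:
        label = "ip"
    else:
        label = "ua"  # UA alone is weak evidence; review before escalating
    return label + ("" if in_window else ",outside-window")

def hunt(log_text):
    """Scan a CSV export and return (timestamp, user, label) for each hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        label = classify(row)
        if label:
            hits.append((row["timestamp"], row["user"], label))
    return hits

if __name__ == "__main__":
    for ts, user, label in hunt(SAMPLE_LOG):
        print(f"{ts} {user} {label}")
```

A hit on both indicators inside the window is the strongest signal; a user-agent-only match is common to any aiohttp client and needs corroboration.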
LIVE UPDATE: 11/20/25, 10:09AM PST
Gainsight has been breached through a compromised SaaS-to-SaaS integration, continuing the cascade set off by the Salesloft Drift attack. Activity detected in Gainsight’s app indicates that unauthorized access to Salesforce data was possible through this integration, prompting Salesforce to revoke all active access and refresh tokens.
What looked at first like isolated anomalies quickly magnified into something far more serious: suspicious behavior inside Gainsight integrations that likely enabled unauthorized access to certain customers’ Salesforce data through that connection.
How this has unfolded
Today, Salesforce issued a security advisory warning of unusual activity related to Gainsight applications. The investigation showed suspicious behavior in Gainsight integrations that likely enabled unauthorized access to certain customers’ Salesforce data through that connection.
At 03:35 UTC, status updates from Gainsight reported connection failures. Behind the scenes, Salesforce had already begun to revoke integration access as a protective measure. Since initial reports, Gainsight teams have been working with Salesforce to investigate the scope of the unusual activity and the magnitude of this breach.
The extortion group ShinyHunters has claimed responsibility for breaching Gainsight, leveraging stolen tokens and secrets from the earlier Salesloft–Drift supply-chain compromise. According to the report, ShinyHunters said they accessed roughly 285 additional Salesforce instances after compromising Gainsight, where the attackers had previously exposed business contact data, including names, business emails, phone numbers, location details, licensing info and support-case records.
In late August 2025, threat actors executed a major supply chain attack through Salesloft Drift, another widely used Salesforce integration. OAuth tokens stolen in that breach were later used against more than seven hundred companies, including Gainsight.
What Customers Should Immediately Consider: