## salesforce Customers perhaps Exposed in Latest Breach Campaign
salesforce has acknowledged unusual activity impacting customers utilizing Gainsight applications connected to its platform. A security advisory posted on November 19, 2025, details the incident, stating the activity may have allowed unauthorized access to customer data through the applications’ external connections.
According to the advisory, salesforce instantly revoked access and refresh tokens for all Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while investigating. The company emphasizes that the issue does not appear to stem from a vulnerability within the Salesforce platform itself. Affected customers have been directly notified, and Salesforce is directing those needing assistance to its help resources: https://help.salesforce.com/s.The breach is reportedly the work of the threat group ShinyHunters, who have previously targeted Salesforce and its ecosystem.DataBreaches confirmed the group’s involvement through a direct dialogue, with a spokesperson stating this is highly likely their “3rd or 4th large-scale campaign” against Salesforce.
ShinyHunters has threatened to launch a dedicated leak site (DLS) containing data from the Salesloft and gainsight campaigns, potentially impacting nearly 1000 organizations. The group indicated they will prioritize listing data from larger companies, especially those within the Fortune 500. Specifically, the spokesperson named Verizon, GitLab, F5, and Sonicwall as organizations affected by the Gainsight campaign, alongside other unnamed entities. The group stated the leak site will be activated if Salesforce does not meet their demands.
