
Google says hackers stole data from 200 companies following Gainsight breach

By Lorenzo Franceschi-Bicchierai, November 21, 2025
Google has confirmed that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack.

On Thursday, Salesforce disclosed a breach of “certain customers’ Salesforce data” — without naming affected companies — that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.

In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company “is aware of more than 200 potentially affected Salesforce instances.”

After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen.

The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Google would not comment on specific victims.

CrowdStrike’s spokesperson Kevin Benacci told TechCrunch in a statement that the company is “not affected by the Gainsight issue and all customer data remains secure.”

CrowdStrike confirmed to TechCrunch that it terminated a “suspicious insider” for allegedly passing information to hackers.

TechCrunch reached out to all the companies mentioned by Scattered Lapsus$ Hunters.

Verizon spokesperson Kevin Israel said in a statement that “Verizon is aware of the unsubstantiated claim by the threat actor,” without providing evidence for this claim.
Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company’s security team is “aware” of the Gainsight and Salesforce issues and “actively investigating the matter.”

A spokesperson for Thomson Reuters said the company is “actively investigating.”

Michael Adams, the chief information security officer at Docusign, told TechCrunch in a statement that “following a comprehensive log analysis and internal investigation, we have no indication of Docusign data compromise at this time.” However, Adams said that, “out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows.”

At the time of publishing, none of the other companies responded to requests for comment.

Hackers with the ShinyHunters group told TechCrunch in an online chat that they gained access to Gainsight thanks to their previous hacking campaign that targeted customers of Salesloft, which provides an AI and chatbot-powered marketing platform called Drift. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their linked Salesforce instances and download their contents.

At the time, Gainsight confirmed it was among the victims of that hacking campaign.

“Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us,” a spokesperson for the ShinyHunters group told TechCrunch.

Salesforce spokesperson Nicole Aranda told TechCrunch that “as a matter of policy, Salesforce does not comment on specific customer issues.”

Gainsight did not respond to TechCrunch’s requests for comment.

On Thursday, Salesforce said there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” effectively distancing itself from its customers’ data breaches.

Gainsight has been publishing updates about the incident on its incident page.
On Friday, the company said that it is now working with Google’s incident response unit Mandiant to help investigate the breach, that the incident in question “originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform,” and that “a forensic analysis is continuing as part of a comprehensive and independent review.”

“Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues,” according to Gainsight’s incident page, which said Salesforce is notifying affected customers whose data was stolen.

In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is the group’s modus operandi; in October, the hackers also published a similar extortion website after stealing victims’ Salesforce data in the Salesloft incident.

The Scattered Lapsus$ Hunters is a collective of English-speaking hackers made up of several cybercriminal gangs, including ShinyHunters, Scattered Spider, and Lapsus$, whose members use social engineering tactics to trick company employees into granting the hackers access to their systems or databases. In the last few years, these groups have claimed several high-profile victims, such as MGM Resorts, Coinbase, DoorDash, and more.

This story was updated to include comments from Docusign, Thomson Reuters, and Verizon.