Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers.

The cloud-based software company noted that this doesn’t stem from a vulnerability in its customer relationship management (CRM) platform since all evidence points to the malicious activity being related to the app’s external connection to Salesforce.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” it said in a Thursday morning advisory.

“Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.”

Salesforce has alerted all impacted customers of this incident and advised those requiring further assistance to reach out to the Salesforce Help team.

While the company hasn’t provided more details regarding these attacks, this incident is similar to the August 2025 Salesloft breach, when an extortion group known as “Scattered Lapsus$ Hunters” stole sensitive information, including passwords, AWS access keys, and Snowflake tokens, from customers’ Salesforce instances, using stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce.

The ShinyHunters extortion group told BleepingComputer at the time that the Salesloft data theft attacks affected around 760 companies, resulting in the theft of 1.5 billion Salesforce records.

Companies known to have been impacted in the Salesloft attacks include Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Nutanix, Qualys, and Cato Networks, among many others.

Today, in messages exchanged with BleepingComputer, ShinyHunters claimed they gained access to another 285 Salesforce instances after breaching Gainsight via secrets stolen in the Salesloft drift breach.

Gainsight previously confirmed it was breached via stolen OAuth tokens linked to Salesloft Drift and said the attackers accessed business contact details, including names, business email addresses, phone numbers, regional/location details, licensing information, and support case contents.

BleepingComputer reached out to Gainsight with questions about the data theft attacks related to Gainsight applications, but a response was not immediately available.