NextFin

Salesforce and CrowdStrike Disclose Separate Hacking Incidents Linked to Same Threat Group in November 2025

NextFin news: In a wave of cyberattack disclosures between late October and November 2025, Salesforce and CrowdStrike each revealed that they had been targeted by the same threat group, the extortion collective known as Scattered Lapsus$ Hunters. The two incidents, disclosed on separate dates in November, share a common theme: abuse of trusted supply-chain relationships (third-party OAuth integrations in Salesforce's case, a paid insider in CrowdStrike's) rather than exploitation of a software vulnerability, underscoring the shifting risks facing enterprise cloud ecosystems.

Salesforce, the San Francisco-based cloud CRM provider, reported that unauthorized actors gained access to customer data through third-party applications integrated with its platform. The intrusion vector was traced to Gainsight, a customer success vendor whose Salesforce-connected applications held OAuth access and refresh tokens that the attackers had obtained. Because the tokens represented permissions customers had already delegated to a trusted app, the attackers could query customer data through the integration without ever authenticating as a Salesforce user, potentially affecting more than 200 Salesforce customer instances. Salesforce confirmed the activity on November 21, 2025, revoked all active access and refresh tokens associated with Gainsight-published apps, and temporarily removed those apps from its AppExchange marketplace as a precaution. Salesforce stated that the activity did not stem from a vulnerability in its own platform. The incident was publicly claimed by Scattered Lapsus$ Hunters, a cybercrime collective that combines the ShinyHunters, Scattered Spider and LAPSUS$ brands.

Around the same time, CrowdStrike, the Austin, Texas-based endpoint protection and threat intelligence firm, issued a statement addressing the group's claims of a breach. CrowdStrike denied that any of its systems were compromised but acknowledged that it had terminated an employee found sharing screenshots of internal systems with the same threat group. Screenshots the group posted publicly reportedly included an internal Okta single sign-on dashboard, a view of the identity infrastructure that governs access to the company's applications. CrowdStrike said it revoked the employee's access as soon as the activity was detected and referred the matter to law enforcement in mid-November 2025. The company's position is that the insider leaked what was visible on a screen, not working access to CrowdStrike's environment.

The chain appears to reach back further, to the compromise of Salesloft's Drift platform earlier in 2025 (disclosed in late August), in which attackers stole OAuth tokens belonging to Drift's Salesforce integration. Gainsight was itself a Drift customer, and Gainsight has said the present incident may be connected to that earlier breach: material exposed there is believed to have given the attackers a foothold in Gainsight's environment, from which they obtained the tokens of Gainsight's own Salesforce integrations and, through them, customer data. Gainsight is cooperating with Google's Mandiant and other incident response teams on the forensic investigation and on hardening its integrations. Salesforce and affected customers are meanwhile working through remediation while monitoring for further misuse of the revoked tokens.

Scattered Lapsus$ Hunters has, through its Telegram channels and leak sites, already published portions of data stolen from a range of high-profile companies, including insurers, airlines and technology firms, and has said it will stand up a leak and extortion portal for the newly affected organizations. The Gainsight campaign fits the group's established pattern: social engineering to obtain access, theft of OAuth tokens rather than passwords, and lateral movement through the trust relationships that third-party integrations create.

This cascade of intrusions highlights the systemic risk embedded in software supply chains and interconnected cloud services. The weakness exploited was not a flaw in Salesforce's core platform but the abuse of delegated permissions: a stolen OAuth token is indistinguishable from the legitimate integration that owns it, carries every scope that integration was granted, and bypasses password and MFA controls entirely. Insider-supplied access has the same quality of looking legitimate. Both vectors are increasingly favored by threat actors precisely because they sidestep perimeter and credential-based defenses.

Strategically, these incidents reinforce the growing weight of supply-chain attacks and insider threats in cybersecurity risk assessments. The Salesforce-Gainsight-CrowdStrike episode shows how tightly woven partner and application ecosystems become paths for cascading compromise affecting hundreds of organizations at once. According to Google Threat Intelligence Group (GTIG), more than 200 Salesforce instances were potentially affected, a figure that conveys the breadth of the attack surface a single compromised integration vendor can expose.

The impact of this breach is multifaceted. Immediately, affected organizations face heightened risk of data exposure, operational disruption and reputational damage. Regulatory scrutiny may intensify under frameworks such as GDPR and evolving U.S. data protection initiatives under the Trump administration. The incident also underlines three practical controls: continuous monitoring of how OAuth tokens are actually used (source addresses, objects queried, volumes exported), zero-trust architectures that do not treat an integration's token as inherently trustworthy, and robust insider threat programs. CrowdStrike's removal of the insider and Salesforce's rapid token revocation illustrate sound response practice, but both cases also expose the gaps that remain in securing personnel and third-party integrations before an incident occurs.
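The monitoring control mentioned above is behavioral: a stolen token authenticates perfectly, so the only signal is that the integration starts acting differently. The following is an added example, not code from the article, Salesforce, Gainsight or Google, showing the shape of such a check. It builds a per-integration baseline (source IPs, objects touched, maximum rows per call) from a pre-compromise window of API events and flags later events that deviate. The log format is a constructed, simplified CSV; real Salesforce EventLogFile columns and the hypothetical app name "CustomerSuccessApp" are not taken from the page.

```python
"""Baseline-and-deviation check for a third-party integration's OAuth token usage.

Added example. The CSV below is constructed sample data in a simplified format,
not a real Salesforce export; column names are illustrative only.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: API calls made under one connected app's OAuth token.
# Three nightly syncs from the vendor's known address, then a burst from a
# new address pulling far more data and touching objects never used before.
SAMPLE_LOG = """\
timestamp,connected_app,client_ip,object,rows_processed
2025-11-10T02:00:11Z,CustomerSuccessApp,203.0.113.10,Account,120
2025-11-10T02:00:15Z,CustomerSuccessApp,203.0.113.10,Contact,340
2025-11-11T02:00:09Z,CustomerSuccessApp,203.0.113.10,Account,118
2025-11-11T02:00:14Z,CustomerSuccessApp,203.0.113.10,Contact,355
2025-11-12T02:00:12Z,CustomerSuccessApp,203.0.113.10,Account,122
2025-11-12T02:00:16Z,CustomerSuccessApp,203.0.113.10,Contact,348
2025-11-18T14:27:41Z,CustomerSuccessApp,198.51.100.77,Contact,250000
2025-11-18T14:31:05Z,CustomerSuccessApp,198.51.100.77,Case,98000
2025-11-18T14:33:19Z,CustomerSuccessApp,198.51.100.77,User,4200
"""


@dataclass(frozen=True)
class Event:
    timestamp: str  # ISO-8601 UTC, so string comparison orders correctly
    app: str
    ip: str
    obj: str
    rows: int


def parse_events(text: str) -> list[Event]:
    """Parse the constructed CSV into Event records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Event(r["timestamp"], r["connected_app"], r["client_ip"],
              r["object"], int(r["rows_processed"]))
        for r in reader
    ]


def build_baseline(events: list[Event]) -> dict:
    """Per connected app: IPs seen, objects touched, max rows per call per object."""
    base: dict = {}
    for e in events:
        b = base.setdefault(e.app, {"ips": set(), "objects": set(),
                                    "max_rows": defaultdict(int)})
        b["ips"].add(e.ip)
        b["objects"].add(e.obj)
        b["max_rows"][e.obj] = max(b["max_rows"][e.obj], e.rows)
    return base


def detect_anomalies(events: list[Event], baseline: dict,
                     volume_factor: int = 10) -> list[tuple[Event, list[str]]]:
    """Return (event, reasons) for every event that deviates from its app's baseline.

    An app with no baseline at all is flagged too: a token nobody has seen in
    use before is exactly the case that needs a human look.
    """
    findings = []
    for e in events:
        reasons = []
        b = baseline.get(e.app)
        if b is None:
            reasons.append("no baseline for connected app")
        else:
            if e.ip not in b["ips"]:
                reasons.append(f"new source IP {e.ip}")
            if e.obj not in b["objects"]:
                reasons.append(f"object {e.obj} never accessed before")
            elif e.rows > volume_factor * b["max_rows"][e.obj]:
                reasons.append(f"{e.rows} rows vs baseline max {b['max_rows'][e.obj]}")
        if reasons:
            findings.append((e, reasons))
    return findings


def run_demo(cutoff: str = "2025-11-15T00:00:00Z") -> list[tuple[Event, list[str]]]:
    """Train on events before the cutoff, evaluate everything after it."""
    events = parse_events(SAMPLE_LOG)
    training = [e for e in events if e.timestamp < cutoff]
    recent = [e for e in events if e.timestamp >= cutoff]
    return detect_anomalies(recent, build_baseline(training))


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(event.timestamp, event.app, event.obj, "->", "; ".join(reasons))
```

The choice of baseline window is the caveat a practitioner must get right: the page's own timeline has the upstream Drift tokens stolen months before the Gainsight activity surfaced, so a baseline learned from recent weeks may already include attacker traffic and teach the detector that the attacker's addresses are normal. Anchor the window to a period you can independently vouch for, and treat a vendor's published egress ranges, where they exist, as the allow-list rather than whatever the logs happened to show.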

Looking forward, the incident is likely to accelerate industry-wide discussions on third-party risk management, including tighter app vetting processes, more granular permission controls, and enhanced auditability of API integrations in cloud platforms. Security vendors and enterprise consumers must prioritize layered defense strategies that anticipate not only external threat actors but also malicious insiders and the exploitation of trusted software links.

Moreover, the group's ability to chain one vendor's compromise into the next suggests a shift toward more collaborative and distributed cybercrime. Collectives like Scattered Lapsus$ Hunters, formed by merging several smaller crews, gain both scale and a wider repertoire of techniques. Enterprises should expect such alliances to keep straining conventional incident response and to demand coordinated intelligence sharing among vendors, customers and government agencies.

In sum, while Salesforce maintained that its own platform was not compromised, the cascading supply-chain breach via Gainsight and the insider-enabled leak at CrowdStrike reveal systemic weaknesses that no single vendor controls. The events of November 2025 make a compelling case study for security strategies that treat third-party software governance, insider threat mitigation and resilient identity management as one problem rather than three.

According to The Information, these incidents mark some of the most significant security disclosures in enterprise software ecosystems this year and reaffirm that as digital integration intensifies, so too does the complexity of defending data privacy and cloud infrastructure integrity.
