Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought.
The company said Salesforce initially provided a list of 3 impacted customers and that it has “expanded to a larger list” as of November 21, 2025. It did not reveal the exact number of customers who were impacted, but its CEO, Chuck Ganapathi, said “we presently know of only a handful of customers who had their data affected.”
The development comes as Salesforce warned of detected “unusual activity” related to Gainsight-published applications connected to the platform, prompting the company to revoke all access and refresh tokens associated with them. The breach has been claimed by a notorious cybercrime group known as ShinyHunters (aka Bling Libra).
A number of other precautionary steps have been enacted to contain the incident. This includes Zendesk, Gong.io, and HubSpot temporarily suspending their Gainsight integrations, and Google disabling OAuth clients with callback URIs like gainsightcloud[.]com. HubSpot, in its own advisory, said it found no evidence to suggest any compromise of its own infrastructure or customers.
In an FAQ, Gainsight has also listed the products for which the ability to read and write from Salesforce has been temporarily unavailable –
- Customer Success (CS)
- Community (CC)
- Northpass – Customer Education (CE)
- Skilljar (SJ)
- Staircase (ST)
The company, however, emphasized that Staircase is not affected by the incident and that Salesforce removed the Staircase connection out of caution in response to an ongoing investigation.
Both Salesforce and Gainsight have published indicators of compromise (IoCs) associated with the breach, with one user agent string, “Salesforce-Multi-Org-Fetcher/1.0”, used for unauthorized access, also flagged as previously employed in the Salesloft Drift activity.
According to information from Salesforce, reconnaissance efforts against customers with compromised Gainsight access tokens were first recorded from the IP address “3.239.45[.]43” on October 23, 2025, followed by subsequent waves of reconnaissance and unauthorized access starting November 8.
To further secure their environments, customers are asked to follow the steps below –
- Rotate the S3 bucket access keys and other connectors like BigQuery, Zuora, Snowflake etc., used for connections with Gainsight
- Log in to Gainsight NXT directly, rather than through Salesforce, until the integration is fully restored
- Reset NXT user passwords for any users who do not authenticate via SSO.
- Re-authorize any connected applications or integrations that rely on user credentials or tokens
“These steps are preventative in nature and are designed to ensure your environment remains secure while the investigation continues,” Gainsight said.
The development comes against the backdrop of a new ransomware-as-a-service (RaaS) platform called ShinySp1d3r…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
