Gainsight Reports Expanded Impact of Cyber Incident
Gainsight has announced that recent suspicious activity affecting its applications has impacted more customers than initially anticipated. The company revealed that Salesforce initially identified three customers at risk, but by November 21, 2025, this list had grown significantly. While the exact number of affected customers remains undisclosed, CEO Chuck Ganapathi stated that they are currently aware of only a handful of clients whose data has been compromised.
This alarming development follows a warning from Salesforce regarding “unusual activity” linked to applications published by Gainsight, prompting the immediate revocation of all access and refresh tokens associated with these programs. The threat has been attributed to a notorious cybercriminal group known as ShinyHunters, also referred to as Bling Libra.
In response to the breach, several companies—including Zendesk, Gong.io, and HubSpot—have temporarily suspended their Gainsight integrations. Google has also disabled OAuth clients that connect to Gainsight, specifically those with callback URIs associated with gainsightcloud.com. HubSpot has reported that there is currently no evidence suggesting any compromise of their infrastructure or customer data.
Gainsight has proactively listed the products for which the ability to read and write data from Salesforce is temporarily unavailable. These include Customer Success (CS), Community (CC), Northpass—Customer Education (CE), Skilljar (SJ), and Staircase (ST). Notably, Staircase is deemed unaffected by the incident; its connection was removed purely as a precaution while an investigation is underway.
Both Salesforce and Gainsight have released indicators of compromise (IoCs) associated with the incident, including a user agent string “Salesforce-Multi-Org-Fetcher/1.0,” which has been flagged as a means of unauthorized access. Salesforce disclosed that reconnaissance activities using compromised Gainsight access tokens were first observed from the IP address “3.239.45[.]43” on October 23, 2025, with further unauthorized access attempts recorded from November 8 onward.
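To show how the two published indicators can be checked against access logs, here is an added example (not code from Gainsight or Salesforce) that refangs the advisory's IP, matches the user agent string, and flags each hit relative to the October 23, 2025 first-observed date. The log line format and the sample lines are constructed for the example; real Salesforce or connector logs will need their own parser.

```python
import re
from datetime import datetime, timezone

# Indicators published for this incident, as quoted in the article.
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
IOC_SOURCE_IP_DEFANGED = "3.239.45[.]43"
# Earliest reconnaissance observed by Salesforce; used only to annotate hits.
FIRST_OBSERVED = datetime(2025, 10, 23, tzinfo=timezone.utc)

# Constructed sample log in a hypothetical "timestamp source_ip user_agent" layout.
SAMPLE_LOG = """\
2025-10-20T08:15:02Z 198.51.100.7 Mozilla/5.0 (Windows NT 10.0) Salesforce-Web
2025-10-23T03:41:10Z 3.239.45.43 Salesforce-Multi-Org-Fetcher/1.0
2025-11-08T12:00:00Z 203.0.113.9 Salesforce-Multi-Org-Fetcher/1.0
2025-11-09T22:30:45Z 3.239.45.43 curl/8.4.0
2025-11-10T01:00:00Z 198.51.100.7 Mozilla/5.0 (Macintosh) Salesforce-Web
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ua>.+)$")


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 3.239.45[.]43 into a comparable address."""
    return indicator.replace("[.]", ".")


def scan(log_text: str) -> list[dict]:
    """Return one record per line that matches either indicator, in log order."""
    ioc_ip = refang(IOC_SOURCE_IP_DEFANGED)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        matched = []
        if m["ua"].strip() == IOC_USER_AGENT:
            matched.append("user_agent")
        if m["ip"] == ioc_ip:
            matched.append("source_ip")
        if matched:
            hits.append({"ts": m["ts"], "ip": m["ip"], "ua": m["ua"].strip(),
                         "matched": matched, "after_first_observed": ts >= FIRST_OBSERVED})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A line that matches only the IP (the curl entry above) is still reported, because the advisory ties the address to the actor, not to one client.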
In light of the situation, Gainsight has recommended several security measures for its customers: rotating access keys for S3 buckets and other connectors, logging into Gainsight NXT directly rather than through Salesforce, and resetting passwords for NXT users who do not use single sign-on (SSO). The company describes these steps as precautionary measures to be taken while the investigation continues.
This incident comes at a time when a new ransomware-as-a-service (RaaS) platform known as ShinySp1d3r is emerging, developed by Scattered Spider, LAPSUS$, and ShinyHunters. Reports indicate that this coalition has been responsible for at least 51 cyberattacks in the past year. ShinySp1d3r reportedly features advanced capabilities including the ability to bypass standard security measures, making it a formidable threat to organizations.
The identity of the individual behind the ransomware has been revealed as “Rey,” a core member of SLSH, who has a history of involvement in other significant cybercrime activities. He disclosed that ShinySp1d3r builds upon prior ransomware efforts, incorporating artificial intelligence tools for enhanced malicious capabilities.
As this situation unfolds, businesses should remain vigilant. The tactics observed in this breach are illustrative of several MITRE ATT&CK techniques such as initial access via compromised credentials and reconnaissance activities. Organizations should prepare and strengthen their defenses against these increasingly sophisticated cyber threats. With the convergence of RaaS and EaaS offerings, the landscape of cybercrime is evolving, posing heightened risks for businesses in the tech sector and beyond.