Full Report
Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought. The company said Salesforce initially provided a list of 3 impacted customers and that it has "expanded to a larger list" as of November 21, 2025. It did not reveal the exact number of customers who were impacted, but its CEO, Chuck Ganapathi, said "we
Analysis Summary
# Incident Report: Gainsight Customer Data Exposure via Salesforce Integration
## Executive Summary
Suspicious activity targeting Gainsight applications connected to Salesforce has resulted in an expanding scope of customer compromise, initially identified by Salesforce. The incident, claimed by the ShinyHunters group, prompted immediate response actions including revoking access tokens and advising customers to rotate credentials. The investigation is ongoing, with the impacted customer count growing, although the CEO stated only a "handful" of customers had their data affected as of the latest update.
## Incident Details
- **Discovery Date:** Not stated precisely; the initial advisory/warning likely came around November 8, 2025 (based on the start of the reconnaissance waves).
- **Incident Date:** Reconnaissance started October 23, 2025; subsequent unauthorized access waves began November 8, 2025. Confirmed expanded list as of November 21, 2025.
- **Affected Organization:** Gainsight (Impacted customers using Gainsight applications integrated with Salesforce).
- **Sector:** Technology / SaaS (Customer Success Platform)
- **Geography:** Not specified, but impacts global customers utilizing Salesforce.
## Timeline of Events
### Initial Access
- **Date/Time:** Reconnaissance began on October 23, 2025.
- **Vector:** Compromised access tokens related to Gainsight-published applications connected to Salesforce.
- **Details:** Unauthorized access utilized the user agent string "Salesforce-Multi-Org-Fetcher/1.0", previously associated with Salesloft Drift activity.
### Lateral Movement
- **Details:** The attacker conducted reconnaissance waves starting November 8, 2025, against Salesforce organizations with compromised Gainsight access tokens, originating from IP address `3.239.45[.]43` in the initial phase.
### Data Exfiltration/Impact
- **Details:** Customer data was affected, though the exact volume and nature are not detailed beyond the CEO's confirmation that a "handful" of customers had their data affected. The threat actor ShinyHunters claimed responsibility.
### Detection & Response
- **Detection:** Not explicitly stated when Gainsight detected the activity; it appears Salesforce initiated the warning for "unusual activity" prompting the initial response.
- **Response Actions:** Salesforce revoked all access and refresh tokens associated with the affected Gainsight applications. Gainsight published FAQs and IoCs. Third parties (Zendesk, Gong.io, HubSpot) temporarily suspended Gainsight integrations out of caution.
## Attack Methodology
- **Initial Access:** Compromised OAuth tokens/access keys associated with Gainsight integrations connected to Salesforce environments.
- **Persistence:** Not explicitly detailed, but token compromise suggests potential session persistence.
- **Privilege Escalation:** Not specified, likely leveraged existing legitimate token permissions.
- **Defense Evasion:** Attacker utilized a known user agent string ("Salesforce-Multi-Org-Fetcher/1.0").
- **Credential Access:** Not specified, but likely involved leveraging stolen or compromised integration tokens.
- **Discovery:** Attacker reconnaissance waves starting November 8, 2025 originated from the IP address `3.239.45[.]43`.
- **Lateral Movement:** Movement occurred between various customers' Salesforce instances connected to Gainsight via the compromised tokens.
- **Collection:** Data gathering occurred within affected customer environments.
- **Exfiltration:** Data was likely exfiltrated, leading to the "affected data" conclusion.
- **Impact:** Unauthorized access and potential data exposure for an expanding list of customers.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Data belonging to a continually expanding list of customers was affected, though Gainsight states that only a "handful" are known to have had actual data impact.
- **Operational:** Temporary disruption to customer operations relying on Gainsight integrations with Salesforce, including CS, Community, Northpass, and Skilljar (Staircase connection removed out of caution).
- **Reputational:** Disclosure of expanding impact may affect customer trust, exacerbated by the claim from the notorious ShinyHunters group.
## Indicators of Compromise
- **Network indicators (Defanged):** Reconnaissance source IP: `3.239.45[.]43`.
- **File indicators:** None provided in the text.
- **Behavioral indicators:** Observed User Agent String: `Salesforce-Multi-Org-Fetcher/1.0`.
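The two indicators above are most useful when swept across API-access or login-history exports from the connected Salesforce orgs. The following is an added example (not Gainsight's or Salesforce's code) that refangs the published IP, matches both IoCs against a constructed, simplified CSV log, and tallies hits per connected app; the column names are assumptions to be mapped onto your own export format.

```python
"""Sweep API-access log records for the IoCs published in this report."""
import csv
import io
import ipaddress
from collections import Counter

IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
# The report lists the IP defanged as 3.239.45[.]43; refang it before comparing.
IOC_SOURCE_IP = ipaddress.ip_address("3.239.45[.]43".replace("[.]", "."))

# Constructed sample records (not real log data). Columns are assumptions:
# timestamp, source IP, user agent, OAuth connected app, API operation.
SAMPLE_LOG = """\
timestamp,source_ip,user_agent,connected_app,operation
2025-10-23T04:12:09Z,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,Gainsight,describeGlobal
2025-10-23T04:12:11Z,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,Gainsight,query
2025-11-08T09:30:02Z,198.51.100.7,Salesforce-Multi-Org-Fetcher/1.0,Gainsight,query
2025-11-08T09:31:45Z,203.0.113.20,Mozilla/5.0,Gainsight,query
2025-11-09T13:00:00Z,192.0.2.55,Gainsight-Connector/2.3,Gainsight,query
"""


def match_record(row):
    """Return the names of the IoCs a single record matches (empty if none)."""
    reasons = []
    if row["user_agent"].strip() == IOC_USER_AGENT:
        reasons.append("user_agent")
    try:
        if ipaddress.ip_address(row["source_ip"].strip()) == IOC_SOURCE_IP:
            reasons.append("source_ip")
    except ValueError:
        pass  # malformed IP field: skip the check rather than abort the sweep
    return reasons


def scan_log(text):
    """Return [(row, reasons)] for every record matching at least one IoC."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = match_record(row)
        if reasons:
            hits.append((row, reasons))
    return hits


def summarize(hits):
    """Count hits by connected app and by which indicator fired."""
    by_app = Counter(row["connected_app"] for row, _ in hits)
    by_reason = Counter(r for _, reasons in hits for r in reasons)
    return by_app, by_reason


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for row, reasons in found:
        print(f"{row['timestamp']} {row['source_ip']:<15} {row['operation']:<14} matched {','.join(reasons)}")
    print(summarize(found))
```

A user-agent-only hit from a different source address (the third sample row) still warrants review, since the report ties that string to earlier Salesloft Drift activity rather than to a single IP.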
## Response Actions
- **Containment:** Salesforce revoked all access and refresh tokens associated with the targeted Gainsight applications.
- **Eradication:** Customers were strongly advised to take preventative steps (see below).
- **Recovery:** Integrations that rely on user credentials/tokens required re-authorization once the security posture was verified.
## Lessons Learned
- The initial scope provided by security partners (Salesforce initially listing 3 customers) was significantly underestimated, indicating potential blind spots in early monitoring or communication channels.
- Reliance on third-party application tokens (like Gainsight integrations with Salesforce) represents a critical exposure point that requires strong credential hygiene and monitoring.
- The sophistication of the threat actor (ShinyHunters/ShinySp1d3r alliance involvement) suggests a targeted and persistent approach.
## Recommendations
- **Credential Rotation:** Immediately rotate S3 bucket access keys and credentials for other connected services such as BigQuery, Zuora, and Snowflake used with Gainsight.
- **Authentication Segregation:** Customers should log in to Gainsight NXT directly (if possible) rather than relying solely on the Salesforce integration until full restoration.
- **Password Reset (Non-SSO):** Reset NXT user passwords for any users not authenticating via Single Sign-On (SSO).
- **Application Re-Authorization:** Re-authorize all connected applications or integrations dependent on user credentials or tokens.