Gainsight

Gainsight, a customer success platform, suffered a breach linked to its Salesforce-connected app, initially flagged by Salesforce due to unusual activity. The breach was attributed to the extortion group **ShinyHunters**, with conflicting reports on its scale: Gainsight claimed only a 'handful of customers' were affected, while Google’s Threat Intelligence Group (GTIG) identified over **200 potentially compromised Salesforce instances**. Salesforce revoked all access tokens tied to Gainsight’s apps, and integrations with other platforms (HubSpot, Zendesk) were also disabled as a precaution. Forensic investigations, assisted by **Mandiant**, remain ongoing, with Gainsight’s Salesforce integration still offline. The breach exposed customer data, though the exact scope (e.g., types of data leaked or financial/reputational harm) remains undisclosed. Gainsight acknowledged login issues for some GSuite SSO users and is providing support to affected clients, but details on the breach’s broader impact—such as fraud, operational disruptions, or regulatory consequences—are unclear.

Source: https://www.theregister.com/2025/11/26/gainsight_ceos_handful_customers_data_stolen/

Gainsight cybersecurity rating report: https://www.rankiteo.com/company/gainsight

"id": "GAI0502205112725",
"linkid": "gainsight",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': ["Disputed: 'a handful' "
                                               "(Gainsight) vs. '200+' (Google "
                                               'Threat Intelligence Group)'],
                        'industry': 'Customer Success Platform',
                        'name': 'Gainsight',
                        'type': 'SaaS Company'},
                       {'customers_affected': '200+ (potentially)',
                        'name': 'Salesforce Customers (via Gainsight Connected '
                                'App)',
                        'type': 'CRM Users'}],
 'attack_vector': ['Compromised Connected App',
                   'Token Theft',
                   'Third-Party Integration Exploitation'],
 'customer_advisories': ['Direct Outreach to Affected Customers',
                         'Community Page Updates (Planned)',
                         'Town Halls for Customer Success Management'],
 'data_breach': {'data_exfiltration': True},
 'date_detected': '2023-11-19',
 'date_publicly_disclosed': '2023-11-21',
 'description': 'Gainsight experienced a data breach after Salesforce flagged '
                'unusual activity involving its connected app. The breach was '
                'linked to the ShinyHunters extortion group, with '
                'discrepancies in the reported number of affected customers '
                "(Gainsight claims 'a handful,' while Google Threat "
                'Intelligence Group reports over 200 potentially affected '
                'Salesforce instances). Salesforce revoked all access and '
                'refresh tokens associated with Gainsight-published '
                'applications, and Gainsight disabled its Salesforce '
                'integration pending forensic investigation. The incident also '
                "impacted Gainsight's GSuite SSO logins for a subset of "
                'customers. Third-party integrations with HubSpot and Zendesk '
                'were also revoked as a precaution.',
 'impact': {'brand_reputation_impact': ['Contradictory Public Statements',
                                        'Loss of Trust in Security Practices',
                                        'Negative Media Coverage'],
            'data_compromised': True,
            'downtime': True,
            'operational_impact': ['Disabled Salesforce Integration',
                                   'Revoked CRM/Tool Connectors (HubSpot, '
                                   'Zendesk)',
                                   'Login Issues for GSuite SSO Users',
                                   'Customer Success Operations Disrupted'],
            'systems_affected': ['Salesforce Connected App',
                                 'GSuite SSO (subset of customers)',
                                 'HubSpot Integration',
                                 'Zendesk Integration']},
 'initial_access_broker': {'entry_point': 'Gainsight Connected App on '
                                          'Salesforce',
                           'high_value_targets': ['Salesforce Customer Data',
                                                  'CRM Integrations (HubSpot, '
                                                  'Zendesk)']},
 'investigation_status': 'Ongoing (Forensic Analysis by Mandiant)',
 'motivation': ['Data Theft', 'Extortion', 'Financial Gain'],
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'The Register'},
                {'source': 'Gainsight Blog Post (CEO Chuck Ganapathi)'},
                {'source': 'Salesforce Security Advisory'}],
 'response': {'communication_strategy': ['Blog Post by CEO Chuck Ganapathi',
                                         'Community Page Updates (Planned)',
                                         'Direct Outreach to Affected '
                                         'Customers'],
              'containment_measures': ['Revoked All Access/Refresh Tokens '
                                       '(Salesforce)',
                                       'Disabled Salesforce Integration',
                                       'Revoked HubSpot/Zendesk Connectors',
                                       'Investigating GSuite SSO Login Issues'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Forensic Analysis Ongoing',
                                       'Customer Support Teams Established',
                                       'Town Halls Hosted for Affected '
                                       'Customers'],
              'third_party_assistance': ['Google Mandiant (Forensic '
                                         'Investigation)']},
 'stakeholder_advisories': ['Salesforce Security Advisory (Indicators of '
                            'Compromise Shared)',
                            'HubSpot/Zendesk Connector Revocations'],
 'threat_actor': 'ShinyHunters',
 'title': 'Gainsight Data Breach via Salesforce Connected App',
 'type': ['Data Breach', 'Unauthorized Access', 'Credential Compromise']}