Gainsight, a customer success platform provider, suffered a security breach where unauthorized actors (linked to the **Shiny Hunters** extortion group) exploited its Salesforce-connected applications. The attack began with reconnaissance on **November 8, 2025**, followed by intrusions between **November 16–23** via VPNs, Tor, and AWS-linked IPs. Attackers used malicious **User-Agent strings** (e.g., *Salesforce-Multi-Org-Fetcher/1.0*) to bypass authentication, mirroring tactics from the prior **Salesloft Drift attack**. While Gainsight initially reported **only 3 affected customers**, the number later expanded, with CEO Chuck Ganapathi acknowledging a 'handful' of victims with confirmed data theft. Shiny Hunters claimed **three months of undetected access**, though no public data leaks were verified by **Unit 42/Palo Alto Networks** as of the report. Salesforce revoked Gainsight’s OAuth tokens, disabled its app integrations, and urged customers to audit logs, rotate S3 keys, reset passwords, and reauthorize integrations. The breach’s scope—including potential **customer data exposure**—remains under investigation by **Salesforce, Gainsight, and Mandiant**, with Shiny Hunters hinting at broader 2025 victim counts (1.5K+).
Source: https://www.helpnetsecurity.com/2025/11/26/gainsight-breach-salesforce-details-attack-window/
Gainsight cybersecurity rating report: https://www.rankiteo.com/company/gainsight
```json
{
  "id": "GAI0892408112625",
  "linkid": "gainsight",
  "type": "Breach",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Handful (exact number undisclosed, initially 3, later expanded)",
      "industry": "Technology",
      "location": "San Francisco, California, USA",
      "name": "Salesforce",
      "size": "Enterprise",
      "type": "Cloud CRM Provider"
    },
    {
      "customers_affected": "Handful (exact number undisclosed)",
      "industry": "Technology",
      "location": "San Francisco, California, USA",
      "name": "Gainsight",
      "size": "Enterprise",
      "type": "Customer Success Platform"
    }
  ],
  "attack_vector": [
    "Compromised OAuth Tokens",
    "Malicious User Agent Strings",
    "VPN/Tor/AWS IP Spoofing"
  ],
  "customer_advisories": [
    "Temporarily disable Gainsight-Salesforce connection.",
    "Review API and authentication logs for suspicious activity.",
    "Follow password rotation and reauthorization guidelines."
  ],
  "data_breach": {
    "data_exfiltration": "Alleged (Claimed by Shiny Hunters, Unverified)",
    "personally_identifiable_information": "Potential (Unconfirmed)"
  },
  "date_detected": "2025-11-08",
  "date_publicly_disclosed": "2025-11-21",
  "description": "The number of Salesforce customers affected by the recent compromise of Gainsight-published applications is yet to be publicly confirmed. Salesforce released indicators of compromise (IoCs) and revealed that the attack likely started on November 8, 2025, with reconnaissance and unauthorized access activity. Suspicious intrusions occurred between November 16 and 23, 2025, from IP addresses linked to commercial VPN services, the Tor network, and AWS. Malicious user agent strings, including 'Salesforce-Multi-Org-Fetcher/1.0,' were used for unauthorized access. Salesforce revoked Gainsight’s OAuth tokens but assured customers that audit trails and logs remain intact. The investigation is ongoing, involving Salesforce, Gainsight, and Mandiant. Gainsight confirmed a 'handful' of customers had data affected and advised security measures like rotating S3 bucket keys and resetting passwords. The breach was claimed by the Shiny Hunters cyber extortion collective, who alleged access to Gainsight for nearly 3 months.",
  "impact": {
    "brand_reputation_impact": "Moderate (Public Disclosure of Breach, Ongoing Investigation)",
    "data_compromised": true,
    "downtime": "Temporary (Gainsight-Salesforce connection disabled)",
    "identity_theft_risk": "Potential (if PII was accessed)",
    "operational_impact": [
      "Disrupted Gainsight-Salesforce Integration",
      "Manual Login Required for Gainsight NXT",
      "Reauthorization of Connected Apps"
    ],
    "systems_affected": [
      "Gainsight-Published Applications",
      "Salesforce Connected App",
      "S3 Buckets"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Unconfirmed (Claimed by Shiny Hunters)",
    "entry_point": [
      "Compromised Gainsight Connected App",
      "Malicious User Agent ('Salesforce-Multi-Org-Fetcher/1.0')"
    ],
    "high_value_targets": [
      "Salesforce Customer Data",
      "Gainsight NXT User Credentials"
    ],
    "reconnaissance_period": "~3 months (claimed by Shiny Hunters)"
  },
  "investigation_status": "Ongoing (Salesforce, Gainsight, Mandiant)",
  "motivation": ["Data Theft", "Extortion", "Financial Gain"],
  "post_incident_analysis": {
    "root_causes": [
      "Insufficient validation of user agent strings in Gainsight Connected App.",
      "Lack of IP restrictions for API calls from Gainsight.",
      "Potential OAuth token mismanagement."
    ]
  },
  "ransomware": {
    "data_exfiltration": "Alleged (Claimed by Shiny Hunters)"
  },
  "recommendations": [
    "Review Salesforce logs for unexpected activity related to Gainsight connections.",
    "Rotate S3 bucket access keys used for Gainsight connections.",
    "Log in to Gainsight NXT directly (avoid Salesforce SSO until restored).",
    "Reset passwords for non-SSO users in Gainsight NXT.",
    "Re-authorize connected apps/integrations relying on user credentials.",
    "Monitor for IoCs (IPs, User Agents) provided by Salesforce/Gainsight.",
    "Implement stricter OAuth token management and user agent validation."
  ],
  "references": [
    {"date_accessed": "2025-11-21", "source": "Salesforce Advisory"},
    {"date_accessed": "2025-11-21", "source": "Gainsight Customer Advisory"},
    {"date_accessed": "2025-11-24", "source": "Palo Alto Networks (Unit 42) Analysis"},
    {"date_accessed": "2025-11-24", "source": "Shiny Hunters Telegram Post"}
  ],
  "response": {
    "communication_strategy": [
      "Public Advisories from Salesforce & Gainsight",
      "Customer Guidance for Log Review",
      "Ongoing Updates on Investigation"
    ],
    "containment_measures": [
      "Revoked Gainsight OAuth Tokens",
      "Disabled Gainsight-Salesforce Connection",
      "Published IoCs for Customer Review"
    ],
    "enhanced_monitoring": "Recommended (Review Salesforce Logs for Unexpected Activity)",
    "incident_response_plan_activated": true,
    "recovery_measures": [
      "Environment Hardening by Gainsight",
      "Restoration of Salesforce Connected App (Pending)"
    ],
    "remediation_measures": [
      "Rotated S3 Bucket Access Keys",
      "Password Resets for Non-SSO Users",
      "Reauthorization of Connected Apps"
    ],
    "third_party_assistance": ["Mandiant", "Palo Alto Networks (Unit 42)"]
  },
  "stakeholder_advisories": [
    "Salesforce IoC List",
    "Gainsight Security Recommendations",
    "Mandiant Investigation Support"
  ],
  "threat_actor": "Shiny Hunters",
  "title": "Compromise of Gainsight-Published Applications Affecting Salesforce Customers",
  "type": ["Unauthorized Access", "Data Breach", "API Abuse"],
  "vulnerability_exploited": [
    "Weak OAuth Token Management",
    "Insufficient User Agent Validation",
    "Lack of IP Restrictions for Connected Apps"
  ]
}
```