Gainsight, a customer support platform provider, experienced a cyber incident in which threat actors (linked to the **Scattered Spider-ShinyHunters-Lapsus$ collective**) abused its **SFDC Connector app** to gain unauthorized access to **Salesforce customer data**. Salesforce revoked Gainsight's app access and removed it from the AppExchange after detecting unusual activity. The attackers, who had previously targeted **Salesloft Drift** using stolen OAuth tokens, stated that they intend to leak data from **nearly 1,000 companies**, including **Fortune 500 firms** (e.g., Verizon, GitLab, F5, SonicWall), via a dedicated leak site. The breach involved **CRM-layer data**, primarily **business contact information and Salesforce case text**, accessed through over-permissioned third-party integrations rather than a vulnerability in the Salesforce platform itself. Gainsight also preemptively disabled its connections to **HubSpot and Zendesk**. The threat actors hinted at launching a **ransomware-as-a-service (RaaS) platform**, raising the risk of further extortion. While no direct financial or operational disruption was confirmed, the exposure of **sensitive corporate and customer relationship data** poses severe reputational, compliance, and downstream fraud risks for affected enterprises.
Source: https://www.infosecurity-magazine.com/news/new-gainsight-supply-chain-hack/
Gainsight cybersecurity rating report: https://www.rankiteo.com/company/gainsight
{
  "id": "GAI1832518112125",
  "linkid": "gainsight",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '~1000 companies (including Fortune 500)',
                        'industry': 'SaaS/Tech',
                        'name': 'Gainsight',
                        'type': 'Customer Support Platform Provider'},
                       {'industry': 'SaaS/Tech', 'name': 'Salesforce', 'type': 'CRM Platform'},
                       {'industry': 'Telecom', 'name': 'Verizon', 'type': 'Telecommunications'},
                       {'industry': 'Tech', 'name': 'GitLab', 'type': 'DevOps Platform'},
                       {'industry': 'Tech', 'name': 'F5', 'type': 'Network Security'},
                       {'industry': 'Tech', 'name': 'SonicWall', 'type': 'Cybersecurity'}],
 'attack_vector': ['Compromised OAuth Tokens',
                   'Over-Permissioned SaaS Applications',
                   'Supply Chain Attack'],
 'data_breach': {'data_exfiltration': 'Claimed by threat actors (not confirmed)',
                 'personally_identifiable_information': 'Limited (business contact info)',
                 'sensitivity_of_data': 'Moderate (primarily business, not highly sensitive PII)',
                 'type_of_data_compromised': ['Business contact information',
                                              'Salesforce case text']},
 'date_detected': '2023-11-20',
 'date_publicly_disclosed': '2023-11-20',
 'description': 'Salesforce revoked access to Gainsight applications due to '
                'unusual activity, potentially enabling unauthorized access to '
                'customer data via Gainsight SFDC Connector. The incident is '
                'linked to the Scattered Lapsus$ Hunters group, who claimed '
                'responsibility and threatened to leak data from ~1000 '
                'companies, including Fortune 500 firms like Verizon, GitLab, '
                'F5, and SonicWall. Gainsight disabled connections with '
                'HubSpot and Zendesk as a precaution and engaged Mandiant for '
                'forensic investigation. The attack leveraged OAuth tokens and '
                'over-permissioned apps, mirroring a prior Salesloft Drift '
                'hack.',
 'impact': {'brand_reputation_impact': 'High (Fortune 500 companies affected; public threat of data leak)',
            'data_compromised': ['CRM-layer data (business contact info)',
                                 'Salesforce case text'],
            'downtime': 'Temporary disruption due to revoked access to Gainsight applications',
            'identity_theft_risk': 'Low (primarily business contact info exposed)',
            'operational_impact': 'Connection failures for Gainsight-Salesforce integrations; '
                                  'forensic investigation ongoing',
            'systems_affected': ['Salesforce (via Gainsight SFDC Connector)',
                                 'HubSpot (preventively disabled)',
                                 'Zendesk (preventively disabled)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (planned dedicated leak site)',
                           'entry_point': 'Compromised OAuth tokens via Gainsight SFDC Connector',
                           'high_value_targets': ['Fortune 500 companies (e.g., Verizon, GitLab, F5, SonicWall)']},
 'investigation_status': 'Ongoing (Mandiant engaged for forensic analysis)',
 'lessons_learned': 'The incident highlights risks in SaaS ecosystems from '
                    'over-permissioned third-party apps and OAuth token '
                    'misuse. Organizations should audit app permissions, '
                    'monitor for anomalous activity, and enforce '
                    'least-privilege access principles.',
 'motivation': ['Data Theft',
                'Extortion',
                'Financial Gain (planned RaaS offering)'],
 'post_incident_analysis': {'root_causes': ['Over-permissioned Gainsight SFDC Connector app',
                                            'Misuse of OAuth tokens (similar to prior Salesloft Drift incident)',
                                            'Inadequate monitoring of third-party app activity']},
 'ransomware': {'data_exfiltration': 'Threatened (planned dedicated leak site)'},
 'recommendations': ['Conduct third-party risk assessments for integrated SaaS vendors.',
                     'Implement continuous monitoring for OAuth token usage and app connections.',
                     'Enforce least-privilege access for third-party applications.',
                     'Review and revoke unnecessary permissions for SaaS integrations.',
                     'Prepare incident response plans for supply chain attacks.'],
 'references': [{'date_accessed': '2023-11-20', 'source': 'Salesforce Security Advisory'},
                {'source': 'DataBreaches.net (Dissent)'},
                {'source': 'Black Kite (Ferhat Dikbiyik)'},
                {'source': 'Infosecurity Magazine'}],
 'response': {'communication_strategy': ['Public security advisory by Salesforce (2023-11-20)',
                                         'Gainsight updates (acknowledged exposure)'],
              'containment_measures': ['Revoked access to Gainsight applications on Salesforce AppExchange',
                                       'Disabled Gainsight connections with HubSpot and Zendesk'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Forensic investigation by Mandiant'],
              'third_party_assistance': ['Mandiant (Google Cloud)']},
 'stakeholder_advisories': ['Salesforce security advisory (2023-11-20)',
                            'Gainsight updates (acknowledged exposure)'],
 'threat_actor': ['Scattered Spider',
                  'ShinyHunters',
                  "Lapsus$ (collectively referred to as 'Scattered Lapsus$ Hunters')"],
 'title': 'Gainsight-Salesforce Unauthorized Data Access Incident',
 'type': ['Unauthorized Access', 'Data Breach', 'Third-Party Risk'],
 'vulnerability_exploited': 'Over-permissioned Gainsight SFDC Connector app '
                            '(no Salesforce platform vulnerability identified)'}