Gainsight has revealed that a recent security incident targeting its applications has impacted more customers than initially reported.
The company stated that Salesforce initially identified 3 affected customers and that the number has since grown. CEO Chuck Ganapathi said that “only a handful of customers” had their data compromised.
This breach was linked to suspicious activity related to Gainsight-published applications on Salesforce, leading to the revocation of access and refresh tokens by the company. The breach has been attributed to the cybercrime group ShinyHunters, also known as Bling Libra.
Several precautions have been taken to manage the situation, including Zendesk, Gong.io, and HubSpot temporarily suspending their Gainsight integrations, and Google disabling OAuth clients with callback URIs like gainsightcloud[.]com. HubSpot confirmed that its infrastructure and customers were not compromised.

Gainsight has provided a list of products temporarily unable to read and write data from Salesforce: Customer Success (CS), Community (CC), Northpass – Customer Education (CE), Skilljar (SJ), and Staircase (ST). Staircase itself was unaffected and was removed as a precautionary measure.
Both Salesforce and Gainsight have shared indicators of compromise (IoCs) related to the breach. Among them is the user agent string “Salesforce-Multi-Org-Fetcher/1.0”, which was used for unauthorized access and was previously associated with the Salesloft Drift activity.
According to Salesforce, reconnaissance activities targeting customers with compromised Gainsight access tokens were traced back to the IP address “3.239.45[.]43” on October 23, 2025, followed by further unauthorized access attempts from November 8 onwards.
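A sweep for the two indicators named above, as an added example that is not code from Gainsight or Salesforce: it flags log rows carrying the published user agent string or IP address and marks whether each hit falls on or after October 23, 2025. The log rows and column names are constructed for illustration and are not a Salesforce schema; map them to the fields in your own log export.

```python
import csv
import io
from datetime import datetime, timezone

# IoCs as published on this page (the IP is defanged in the article).
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
IOC_IPS = {"3.239.45[.]43".replace("[.]", ".")}
# Earliest activity the page reports: reconnaissance on October 23, 2025.
WINDOW_START = datetime(2025, 10, 23, tzinfo=timezone.utc)

# Constructed sample log; column names are assumptions, not a vendor schema.
SAMPLE_LOG = """timestamp,source_ip,user_agent,user
2025-10-20T09:12:00Z,198.51.100.7,Mozilla/5.0,alice@example.com
2025-10-23T02:41:10Z,3.239.45.43,python-requests/2.32,integration@example.com
2025-11-08T14:03:55Z,203.0.113.9,salesforce-multi-org-fetcher/1.0,integration@example.com
2025-11-09T08:00:00Z,198.51.100.7,Mozilla/5.0 Salesforce-Multi-Org-Fetcher-Docs,bob@example.com
2025-09-01T00:00:00Z,3.239.45.43,curl/8.5,integration@example.com
"""


def find_ioc_hits(log_text):
    """Return one dict per log row that matches a published IoC."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["source_ip"].strip() in IOC_IPS:
            reasons.append("ip")
        # Case-insensitive substring match: the string may be embedded in a longer UA.
        if IOC_USER_AGENT.casefold() in row["user_agent"].casefold():
            reasons.append("user_agent")
        if not reasons:
            continue
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        # Hits before the reported window are kept and labelled, not dropped:
        # they may indicate activity earlier than what has been disclosed.
        hits.append({"timestamp": ts, "user": row["user"], "reasons": reasons,
                     "in_reported_window": ts >= WINDOW_START})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        label = "in window" if hit["in_reported_window"] else "before reported window"
        print(hit["timestamp"].isoformat(), hit["user"], hit["reasons"], label)
```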
To enhance security, customers are advised to take the following measures: rotate S3 bucket access keys and connectors like BigQuery, Zuora, and Snowflake; log in to Gainsight NXT directly; reset user passwords; and re-authorize connected applications.
These steps are precautionary and aim to safeguard environments during the ongoing investigation period, as emphasized by Gainsight.
Recent developments have highlighted the emergence of a new ransomware-as-a-service (RaaS) platform named ShinySp1d3r, developed by a cybercriminal alliance including Scattered Spider, LAPSUS$, and ShinyHunters (SLSH). This group has been linked to at least 51 cyberattacks in the past year.
ShinySp1d3r introduces innovative features not seen in other RaaS offerings, such as evading Windows Event Viewer logging, terminating processes to enable encryption, and filling free drive space with random data. It can also search for network shares, encrypt them, and spread to other devices on the network.

According to cybersecurity journalist Brian Krebs, the individual behind the ransomware, known as “Rey” or @ReyXBF, is a core member of SLSH and has been cooperating with law enforcement since mid-2025. ShinySp1d3r is an evolved version of HellCat ransomware, enhanced with AI tools.
Palo Alto Networks researcher Matt Brady highlighted the threat posed by SLSH’s RaaS and extortion-as-a-service (EaaS) offerings, emphasizing the need for organizations to defend against their varied intrusion methods and insider recruitment tactics.

