Cybersecurity

Gainsight Expands Impacted Customer List Following Salesforce...

2025-11-27 6 views admin
Gainsight Expands Impacted Customer List Following Salesforce...

Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought.

The company said Salesforce initially provided a list of 3 impacted customers and that it has "expanded to a larger list" as of November 21, 2025. It did not reveal the exact number of customers who were impacted, but its CEO, Chuck Ganapathi, said "we presently know of only a handful of customers who had their data affected."

The development comes as Salesforce warned of detected "unusual activity" related to Gainsight-published applications connected to the platform, prompting the company to revoke all access and refresh tokens associated with them. The breach has been claimed by a notorious cybercrime group known as ShinyHunters (aka Bling Libra).

A number of other precautionary steps have been enacted to contain the incident. This includes Zendesk, Gong.io, and HubSpot temporarily suspending their Gainsight integrations, and Google disabling OAuth clients with callback URIs like gainsightcloud[.]com. HubSpot, in its own advisory, said it found no evidence to suggest any compromise of its own infrastructure or customers.

In an FAQ, Gainsight has also listed the products for which the ability to read and write from Salesforce has been temporarily unavailable -

The company, however, emphasized that Staircase is not affected by the incident and that Salesforce removed the Staircase connection out of caution in response to an ongoing investigation.

Both Salesforce and Gainsight have published indicators of compromise (IoCs) associated with the breach, with one user agent string, "Salesforce-Multi-Org-Fetcher/1.0", used for unauthorized access, also flagged as previously employed in the Salesloft Drift activity.

According to information from Salesforce, reconnaissance efforts against customers with compromised Gainsight access tokens were first recorded from the IP address "3.239.45[.]43" on October 23, 2025, followed by subsequent waves of reconnaissance and unauthorized access starting November 8.

To further secure their environments, customers are asked to follow the steps below -

"These steps are preventative in nature and are designed to ensure your environment remains secure while the investigation continues," Gainsight said.

Source: The Hacker News

🏷️ Tags

breach

More from Cybersecurity

New Microsoft Is Retiring 'send To Kindle' In Word 2026

New Microsoft Is Retiring 'send To Kindle' In Word 2026

2026-01-11 0
Complete Guide to Breachforums Hacking Forum Database Leaked, Exposing 324,000 Accounts

Complete Guide to Breachforums Hacking Forum Database Leaked, Exposing 324,000 Accounts

2026-01-10 0
Update: Spain Arrests 34 Suspects Linked To Black Axe Cyber Crime 2026

Update: Spain Arrests 34 Suspects Linked To Black Axe Cyber Crime 2026

2026-01-10 0
Latest: Ireland Recalls Almost 13,000 Passports Over Missing 'irl' Code

Latest: Ireland Recalls Almost 13,000 Passports Over Missing 'irl' Code

2026-01-10 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views