Gainsight has confirmed that a recent cyber incident targeting its applications has impacted a broader range of its customers than initially reported. The breach, which has been claimed by the notorious cybercrime group ShinyHunters, prompted Salesforce to revoke access to Gainsight-published applications and has led to precautionary suspensions of integrations by several other major tech companies.
As of November 21, 2025, Gainsight stated that the number of affected customers has “expanded to a larger list” beyond the initial three reported by Salesforce. While the exact figure remains undisclosed, CEO Chuck Ganapathi indicated that only a “handful of customers” had their data compromised. This development follows Salesforce’s warning of unusual activity linked to Gainsight applications on its platform, leading to the revocation of all associated access and refresh tokens.
Gainsight Breach Widens, Impacting More Customers
The ongoing investigation into the Gainsight breach has revealed a wider array of affected customers, underscoring the potential reach of the cyberattack. Initially, Salesforce had identified three impacted customers. That number has since grown, with Gainsight acknowledging a more extensive list as of November 21, 2025. While specific customer numbers are not public, company leadership has suggested that the actual data compromise is confined to a small number of entities.
Precautionary Measures and Affected Integrations
In response to the detected “unusual activity” on the Salesforce platform related to Gainsight applications, Salesforce took immediate action by revoking all access and associated refresh tokens. This incident has also led to other prominent technology companies enacting precautionary measures. Zendesk, Gong.io, and HubSpot have temporarily suspended their Gainsight integrations. Google, meanwhile, has disabled OAuth clients with specific callback URIs associated with Gainsight. HubSpot, in its own advisory, noted that its investigation found no evidence of any compromise to its own infrastructure or customer data.
Gainsight has also provided a list of its products for which read and write capabilities to Salesforce have been temporarily suspended. These include Customer Success (CS), Community (CC), Northpass – Customer Education (CE), and Skilljar (SJ). The company clarified that while the Staircase (ST) product was also affected by Salesforce’s precautionary removal of the connection, Staircase itself was not directly compromised in the incident.
Both Salesforce and Gainsight have released indicators of compromise (IoCs) associated with the breach. Notably, the user agent string "Salesforce-Multi-Org-Fetcher/1.0," observed in the unauthorized access, had previously been linked to the Salesloft Drift campaign.
According to information released by Salesforce, reconnaissance efforts targeting customers with compromised Gainsight access tokens were first observed on October 23, 2025, originating from the IP address “3.239.45[.]43.” Subsequent waves of reconnaissance and unauthorized access were recorded starting November 8, 2025.
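A practitioner reading the two paragraphs above will want to sweep their own Salesforce API logs for the published indicators. The following Python script is an added example, not code from Salesforce, Gainsight or this article: it refangs the IP as published ("3.239.45[.]43"), parses a small constructed CSV extract (the column layout timestamp, client_ip, user_agent, uri is an assumption made for the example, not Salesforce's event log schema), and reports every row that matches either the user agent or the IP, along with whether the hit predates the October 23, 2025 first-seen date Salesforce reported.

```python
"""Sweep constructed Salesforce-style API log rows for the published Gainsight IoCs."""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# IoCs as quoted in the article; the IP is kept defanged ("[.]") exactly as published.
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
IOC_IP_DEFANGED = "3.239.45[.]43"
# Earliest reconnaissance Salesforce reported. A hit before this date is not
# impossible, so it is flagged for review rather than dropped.
FIRST_SEEN = datetime(2025, 10, 23, tzinfo=timezone.utc)

# Constructed sample extract (assumed CSV layout, not a real Salesforce export).
SAMPLE_LOG = """timestamp,client_ip,user_agent,uri
2025-10-23T14:02:11Z,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,/services/data/v59.0/query
2025-10-23T14:05:40Z,198.51.100.7,Mozilla/5.0 (Windows NT 10.0),/services/data/v59.0/sobjects/Account
2025-11-08T03:17:09Z,203.0.113.25,Salesforce-Multi-Org-Fetcher/1.0,/services/data/v59.0/query
2025-11-09T09:44:53Z,3.239.45.43,python-requests/2.32.3,/services/data/v59.0/sobjects/Contact
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('3.239.45[.]43', 'hxxp://') back into its usable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_log(text: str) -> list:
    """Parse CSV rows into dicts with a tz-aware timestamp and a parsed IP address."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].strip().replace("Z", "+00:00"))
        row["client_ip"] = ipaddress.ip_address(row["client_ip"].strip())
        rows.append(row)
    return rows


def find_ioc_hits(rows: list) -> list:
    """Return every row matching the user agent or the source IP, with the reason(s).

    The user agent is matched exactly because that is how the IoC was published;
    a looser substring match would also catch variants but risks false positives.
    """
    ioc_ip = ipaddress.ip_address(refang(IOC_IP_DEFANGED))
    hits = []
    for row in rows:
        reasons = []
        if row["user_agent"].strip() == IOC_USER_AGENT:
            reasons.append("user_agent")
        if row["client_ip"] == ioc_ip:
            reasons.append("client_ip")
        if reasons:
            hits.append({
                "timestamp": row["timestamp"],
                "client_ip": str(row["client_ip"]),
                "uri": row["uri"],
                "reasons": reasons,
                "before_first_seen": row["timestamp"] < FIRST_SEEN,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(parse_log(SAMPLE_LOG)):
        flag = " (predates reported first-seen date, review)" if hit["before_first_seen"] else ""
        print(f'{hit["timestamp"].isoformat()} {hit["client_ip"]} {hit["uri"]} '
              f'matched {", ".join(hit["reasons"])}{flag}')
```

On the constructed sample the script reports three of the four rows: the first on both indicators, the third on the user agent alone, and the fourth on the IP alone, which is the point of matching each IoC independently rather than requiring both.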
Security Recommendations for Customers
To bolster security and mitigate potential risks, Gainsight has advised its customers to implement several preventative measures. These include rotating access keys for S3 buckets and other connectors like BigQuery, Zuora, and Snowflake that integrate with its platform. Customers are also advised to log into Gainsight NXT directly, bypassing Salesforce integration, until the connection is fully restored. Furthermore, users who do not authenticate via Single Sign-On (SSO) are recommended to reset their NXT passwords, and any connected applications or integrations relying on user credentials or tokens should be re-authorized.
“These steps are preventative in nature and are designed to ensure your environment remains secure while the investigation continues,” Gainsight stated in its advisory.
New Ransomware-as-a-Service Emerges Amidst Breach Concerns
The Gainsight breach occurs against the backdrop of a new ransomware-as-a-service (RaaS) platform known as ShinySp1d3r. This platform is reportedly being developed by a coalition of cybercriminal groups, including Scattered Spider, LAPSUS$, and ShinyHunters, collectively referred to as SLSH. ZeroFox reports that this alliance has been linked to at least 51 cyberattacks over the past year.
ShinySp1d3r is noted for possessing several novel features within the RaaS landscape. According to ZeroFox, these include hooking the EtwEventWrite function to evade Windows event logging, iterating through active processes and terminating those that would block file encryption, and filling available drive space with random data to potentially overwrite deleted files.
Additionally, ShinySp1d3r is capable of scanning for and encrypting open network shares. It also possesses propagation capabilities to other devices on a local network through methods like deployViaSCM, deployViaWMI, and attemptGPODeployment.
Independent cybersecurity journalist Brian Krebs reported that the individual credited with the release of ShinySp1d3r is a core SLSH member known as “Rey” (@ReyXBF). Rey has been identified as one of the three administrators of the group’s Telegram channel and previously served as an administrator for BreachForums and the data leak site for the HellCat ransomware.
Rey, whose identity has been revealed as Saif Al-Din Khader, informed Krebs that ShinySp1d3r is an enhanced version of HellCat, modified with artificial intelligence (AI) tools. Khader reportedly stated that he has been cooperating with law enforcement since at least June 2025.
“The emergence of a RaaS program, in conjunction with an EaaS [extortion-as-a-service] offering, makes SLSH a formidable adversary in terms of the wide net they can cast against organizations using multiple methods to monetize their intrusion operations,” commented Matt Brady, a researcher at Palo Alto Networks Unit 42. “Additionally, the insider recruitment element adds yet another layer for organizations to defend against.”
The ongoing investigation and the evolving threat landscape, including the emergence of sophisticated RaaS platforms, highlight the persistent challenges organizations face in safeguarding their cloud environments and sensitive data. Customers are expected to diligently follow security recommendations and remain vigilant for further updates as the situation progresses.