Gainsight Expands Impacted Customer List After Salesforce Security Alert

Gainsight has confirmed that a recent security incident affecting its applications has impacted more customers than initially reported. The breach, initially flagged by Salesforce for "unusual activity," has led to the revocation of access and refresh tokens for Gainsight-published applications connected to the Salesforce platform. The cybercrime group ShinyHunters has claimed responsibility for the attack.

Key Takeaways

  • More Salesforce customers are affected by the Gainsight breach than initially stated.

  • The attack window is believed to have started around November 8, 2025.

  • ShinyHunters has claimed responsibility for the incident.

  • Several Gainsight products and third-party integrations have been temporarily disabled as a precaution.

Expanded Customer Impact

Salesforce initially identified three customers impacted by the breach. However, as of November 21, 2025, Gainsight confirmed that this list has "expanded to a larger list." While the exact number of affected customers remains undisclosed, Gainsight's CEO, Chuck Ganapathi, stated that only a "handful of customers" had their data affected. Salesforce has directly notified all newly identified impacted customers.

Attack Details and Timeline

Reconnaissance efforts against customers with compromised Gainsight access tokens were first recorded on October 23, 2025, with subsequent waves of unauthorized access beginning on November 8. Salesforce has provided indicators of compromise (IoCs), including specific user agent strings like "Salesforce-Multi-Org-Fetcher/1.0," which has been previously used in other attacks, and a list of IP addresses associated with the suspicious activity. The attack leveraged commercial VPN services and the Tor network.
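The indicators and dates above can be turned into a simple log hunt. The following is an added example, not code from Salesforce, Gainsight or the cited sources: the user agent string and the two dates come from this article, while the CSV column names, the sample rows and the placeholder IP (a documentation-range address standing in for the published IP list) are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Values taken from the article.
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
RECON_START = datetime(2025, 10, 23, tzinfo=timezone.utc)  # first recorded reconnaissance
ACCESS_START = datetime(2025, 11, 8, tzinfo=timezone.utc)  # first wave of unauthorized access

# Placeholder: load the IP list published by Salesforce/Gainsight here.
# 203.0.113.45 is an RFC 5737 documentation address, not a real IoC.
IOC_IPS = {"203.0.113.45"}

# Constructed sample export; column names are assumptions, map them to your own logs.
SAMPLE_LOG = """timestamp,source_ip,user_agent,connected_app
2025-10-20T09:12:03Z,198.51.100.7,Mozilla/5.0,Gainsight CS
2025-10-23T02:41:55Z,203.0.113.45,python-requests/2.32,Gainsight CS
2025-11-08T14:03:10Z,198.51.100.99,salesforce-multi-org-fetcher/1.0,Gainsight CS
2025-11-09T08:30:00Z,198.51.100.7,Mozilla/5.0,Gainsight CS
2025-10-01T11:00:00Z,203.0.113.45,curl/8.5,Other App
"""

def phase_of(ts):
    """Place a timestamp relative to the attack timeline described in the article."""
    if ts >= ACCESS_START:
        return "access"
    return "recon" if ts >= RECON_START else "before_window"

def hunt(log_text, ioc_ips=IOC_IPS):
    """Return one finding per row that matches the user agent or an IoC IP."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        reasons = []
        # Case-insensitive substring match so header casing does not hide a hit.
        if IOC_USER_AGENT.lower() in row["user_agent"].lower():
            reasons.append("user_agent")
        if row["source_ip"].strip() in ioc_ips:
            reasons.append("source_ip")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "phase": phase_of(ts),
                             "reasons": reasons, "source_ip": row["source_ip"]})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Hits tagged `before_window` are kept rather than dropped, since an indicator match that predates the first recorded reconnaissance still warrants review.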

Precautionary Measures and Affected Services

In response to the incident, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed them from its AppExchange. Gainsight has temporarily suspended the ability for several of its products to read and write data from Salesforce. These include:

  • Customer Success (CS)

  • Community (CC)

  • Northpass - Customer Education (CE)

  • Skilljar (SJ)

While Staircase (ST) was also listed, Gainsight emphasized it was not affected by the breach and its connection was removed by Salesforce as a precautionary measure. Additionally, third-party integrations like Zendesk, Gong.io, and HubSpot have temporarily disabled their Gainsight connectors.

Customer Guidance and Investigation

Gainsight and Salesforce are conducting an ongoing investigation, with Gainsight engaging Mandiant for independent forensic analysis. Customers are advised to take several preventative steps, including rotating S3 bucket access keys, logging into Gainsight NXT directly instead of through Salesforce, resetting NXT user passwords for non-SSO users, and re-authorizing connected applications or integrations. Both companies have published IoCs to aid customers in their own investigations.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Gainsight Expands Impacted Customer List Following Salesforce Security Alert, The Hacker News.

  • Gainsight Cyber-Attack Affects More Salesforce Customers, Infosecurity Magazine.

  • Gainsight breach: Salesforce details attack window, issues investigation guidance, Help Net Security.

  • Salesforce Updates On Gainsight Security Incident, The Cyber Express.
