
Gainsight has revealed that recent suspicious activity targeting its applications is impacting more customers than previously thought.
The company said Salesforce initially provided a list of three affected customers, but as of November 21, 2025, it had “expanded to a larger list.” The company did not reveal the exact number of customers affected, but CEO Chuck Ganapati said, “At this time, we are only aware of a few customers whose data has been affected.”
The development comes after Salesforce warned that it had detected “anomalous activity” related to Gainsight-published applications connected to the platform, prompting the company to revoke all access and refresh tokens associated with them. The breach has been claimed by the notorious cybercrime group ShinyHunters (also known as Bling Libra).
Several other precautionary measures have been taken to contain the incident. These include Zendesk, Gong.io, and HubSpot temporarily suspending their Gainsight integrations, and Google disabling OAuth clients that use callback URIs such as gainsightcloud[.]com. In its own advisory, HubSpot said it found no evidence of a compromise of its infrastructure or customers.

In its FAQ, Gainsight also listed the products for which the ability to read from and write to Salesforce is temporarily unavailable: Customer Success (CS), Community (CC), Northpass – Customer Education (CE), Skilljar (SJ), and Staircase (ST).
However, the company emphasized that Staircase is not affected by this incident and that Salesforce removed the Staircase connection as a precaution in response to the ongoing investigation.
Both Salesforce and Gainsight have published indicators of compromise (IoCs) related to this breach, including one user agent string used for unauthorized access, “Salesforce-Multi-Org-Fetcher/1.0,” which was also flagged as previously used in Salesloft Drift activity.
According to Salesforce, reconnaissance activity against customers with compromised Gainsight access tokens was first recorded from IP address 3.239.45[.]43 on October 23, 2025, with further reconnaissance and unauthorized access beginning on November 8.
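The two indicators above (the user-agent string and the source IP) are the kind of thing a defender would sweep Salesforce login and API logs for. The following is an added example, not code from Gainsight or Salesforce: it scans a constructed, simplified CSV log (not Salesforce's real event-log schema; the column names and the UTC timezone are assumptions) for those indicators and lists the accounts whose tokens and credentials should be reauthenticated.

```python
import csv
import io
from datetime import datetime, timezone

# Indicators quoted in the advisories; the IP is written de-fanged in the article.
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
IOC_SOURCE_IP = "3.239.45.43"
# Earliest reconnaissance date reported by Salesforce (UTC assumed).
ACTIVITY_START = datetime(2025, 10, 23, tzinfo=timezone.utc)

# Constructed sample log in a simplified layout (column names are assumptions).
SAMPLE_LOG = """timestamp,user,source_ip,user_agent,event
2025-10-20T08:00:00Z,jdoe,203.0.113.10,Mozilla/5.0,Login
2025-10-23T14:05:11Z,integration@example.com,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,ApiQuery
2025-11-08T02:17:40Z,integration@example.com,198.51.100.7,salesforce-multi-org-fetcher/1.0,BulkApiRequest
2025-11-09T09:30:00Z,asmith,203.0.113.22,Mozilla/5.0,Login
"""

def scan_events(text):
    """Return one finding per event that matches an IoC, with the indicator(s) that hit."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = []
        # User-agent comparison is case-insensitive; attackers rarely keep exact casing.
        if row["user_agent"].strip().lower() == IOC_USER_AGENT.lower():
            reasons.append("user-agent")
        if row["source_ip"].strip() == IOC_SOURCE_IP:
            reasons.append("source-ip")
        if not reasons:
            continue
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        findings.append({
            "timestamp": row["timestamp"],
            "user": row["user"],
            "reasons": reasons,
            # A hit before the published start date is still a hit; just flag the window.
            "in_known_window": ts >= ACTIVITY_START,
        })
    return findings

def users_to_reauthenticate(findings):
    """Accounts seen with an IoC: rotate their tokens and reauthenticate connected apps."""
    return sorted({f["user"] for f in findings})

if __name__ == "__main__":
    hits = scan_events(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("reauthenticate:", users_to_reauthenticate(hits))
```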
To further harden their environments, customers are asked to take the following steps:
Rotate the S3 bucket access keys used to connect with Gainsight and other connectors such as BigQuery, Zuora, and Snowflake.
Log in directly to Gainsight NXT instead of through Salesforce until the integration is fully restored.
Reset NXT user passwords for users who do not authenticate via SSO.
Reauthenticate any connected applications or integrations that rely on user credentials or tokens.
“These measures are precautionary in nature and are designed to keep the environment safe while the investigation continues,” Gainsight said.
The development comes on the back of a new ransomware-as-a-service (RaaS) platform called ShinySp1d3r (also spelled Sh1nySp1d3r), which is being developed by Scattered Spider, LAPSUS$, and ShinyHunters (SLSH). Data from ZeroFox revealed that the cybercrime alliance was involved in at least 51 cyberattacks over the past year.
“While the ShinySp1d3r encryptor has some features in common with other encryptors, it also has features never seen before in the RaaS space,” the company said.
“These include hooking the EtwEventWrite function to prevent Windows Event Viewer logging, terminating processes that hold files open (which would otherwise prevent encryption) by iterating through processes before killing them, [and] filling free space on the drive by writing random data to .tmp files so that deleted files are overwritten.”
ShinySp1d3r has the ability to search and encrypt open network shares, as well as propagate to other devices on the local network through deployViaSCM, deployViaWMI, and TryGPODeployment.

In a report published Wednesday, independent cybersecurity journalist Brian Krebs said the ransomware was released by a core member of SLSH known as “Rey” (also @ReyXBF), one of the three administrators of the group’s Telegram channel. Rey previously managed the BreachForums and HellCat ransomware data leak websites.
Rey, whose identity was revealed as Saif al-Din Kader, told Krebs that ShinySp1d3r was a rehash of HellCat modified with artificial intelligence (AI) tools and that he had been cooperating with law enforcement since at least June 2025.
“The emergence of RaaS programs linked to EaaS [extortion-as-a-service] makes SLSH a formidable adversary, in that it casts a wide net against organizations and uses multiple methods to monetize intrusion operations,” said Palo Alto Networks Unit 42 researcher Matt Brady. “Additionally, the element of insider recruitment adds another layer that organizations must defend against.”
