Gainsight disclosed that suspicious activity involving its applications has affected more customers than an initial list provided by Salesforce, and that the list of impacted customers “expanded to a larger list” as of November 21, 2025. The company said its CEO Chuck Ganapathi has stated the firm “presently know[s] of only a handful of customers who had their data affected,” but it has not provided an exact number; a company blog post provides additional context.
Salesforce warned it detected “unusual activity” tied to Gainsight-published applications and revoked all access and refresh tokens for those apps. The intrusion has been claimed by the group known as ShinyHunters. Several vendors took precautionary actions: Zendesk, Gong.io and HubSpot temporarily suspended their Gainsight integrations, and Google disabled OAuth clients with callback URIs resembling gainsightcloud[.]com. HubSpot said it found no evidence its own infrastructure or customers were compromised.
Both Salesforce and Gainsight published indicators of compromise, and investigators flagged the user agent string “Salesforce-Multi-Org-Fetcher/1.0” as being used in unauthorized access and previously in related activity. Salesforce’s published information shows reconnaissance against customers with compromised Gainsight access tokens began from IP 3.239.45[.]43 on Oct. 23, 2025, with additional waves of reconnaissance and access starting Nov. 8.
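A hunt over exported login or API logs for the two indicators named above, as an added example that is not from Salesforce, Gainsight or the original article. The CSV column names and the sample rows are assumptions constructed for illustration; map them to whatever your log export actually provides.

```python
import csv
import io
from datetime import datetime, timezone

# Indicators exactly as given on the page (the IP is defanged there).
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
IOC_IPS_DEFANGED = ["3.239.45[.]43"]
# Earliest reconnaissance date stated on the page: Oct. 23, 2025.
WINDOW_START = datetime(2025, 10, 23, tzinfo=timezone.utc)

def refang(indicator):
    """Turn a defanged indicator (3.239.45[.]43) back into a matchable value."""
    return indicator.replace("[.]", ".")

IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

def hunt(log_csv):
    """Return (timestamp, user, reasons, in_window) for rows matching an indicator.

    Assumed columns: timestamp (ISO 8601 with UTC offset), user, source_ip,
    user_agent. Rows dated before WINDOW_START are still returned, with
    in_window=False, so activity earlier than the reported start is not hidden.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        reasons = []
        if row["source_ip"].strip() in IOC_IPS:
            reasons.append("ip")
        # Case-insensitive substring match: the token may be re-cased or
        # embedded in a longer user agent string.
        if IOC_USER_AGENT.lower() in row["user_agent"].lower():
            reasons.append("user_agent")
        if reasons:
            ts = datetime.fromisoformat(row["timestamp"])
            hits.append((row["timestamp"], row["user"], reasons, ts >= WINDOW_START))
    return hits

# Constructed sample rows, not real log data.
SAMPLE = """timestamp,user,source_ip,user_agent
2025-10-22T23:50:00+00:00,integration@example.com,3.239.45.43,python-requests/2.32
2025-10-23T04:12:09+00:00,integration@example.com,3.239.45.43,python-requests/2.32
2025-11-08T11:02:41+00:00,integration@example.com,198.51.100.7,salesforce-multi-org-fetcher/1.0
2025-11-09T09:00:00+00:00,analyst@example.com,203.0.113.5,Mozilla/5.0
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

A hit on the IP alone is weaker evidence than a hit on the user agent, since cloud addresses are reassigned; treat it as a lead to correlate with token usage for the affected connected app.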
Gainsight listed five products for which the ability to read and write from Salesforce was temporarily unavailable: Customer Success (CS), Community (CC), Northpass – Customer Education (CE), Skilljar (SJ) and Staircase (ST), while emphasising that Staircase was not affected and that Salesforce removed its connection as a precaution. The company recommended customers rotate S3 and other connector keys, log into Gainsight NXT directly until integrations are restored, reset non-SSO NXT passwords where appropriate, and re-authorize connected applications to reduce risk.
The incident comes as security firms report the emergence of a new ransomware-as-a-service platform called ShinySp1d3r, developed by actors including Scattered Spider, LAPSUS$ and ShinyHunters; third-party telemetry cited at least 51 attacks tied to the alliance. Unit 42 at Palo Alto Networks said the encryptor includes previously unseen features, and the malware can search for open network shares and propagate across local networks.
Independent reporting named an individual known as “Rey” as responsible for releasing the ransomware and unmasked him as Saif Al-Din Khader; that reporting also notes the individual has been cooperating with law enforcement since at least June 2025. Brian Krebs said more details are available, and a preserved social post is archived @ReyXBF.

