
At Gainsight, our mission is to be living proof you can win in business while being human first. Gainsight, the world’s leading Customer Success platform, helps businesses drive efficient growth by unifying the post-sales customer journey. Our innovative suite of solutions—including customer success, customer education, product experience, community management, and conversational AI insights—are trusted by companies of all sizes and industries, including nearly 200 publicly traded organizations. With Gainsight, businesses can leverage AI-driven insights from real-time customer interactions to enhance engagement, improve retention, and drive expansion. Our platform makes it easier for customer success, product, and community teams to scale efficiently and gain a holistic view of their customers, driving product adoption and building thriving customer communities. Gainsight joined the Vista Equity Partners portfolio in 2020. In 2021, we won their Excellence in Engineering award in recognition for our product and engineering advancements. A remote-friendly company, we have offices in the US, UK, Netherlands, Israel, and India. Gainsight received the top spot in Glassdoor's Best Places to Work for 2023. It has also been named as one of the top 100 private cloud companies in the world by Forbes, one of the fastest-growing private companies in America by Inc. Magazine, and one of 20 Great Workplaces in Tech by Fortune Magazine.

Gainsight A.I. CyberSecurity Scoring

Gainsight

Company Details

LinkedIn ID: gainsight
Number of employees: 1,100
Number of followers: 157,947
NAICS: 5112
Industry Type: Software Development
Homepage: gainsight.com
IP Addresses: 0
Company ID: GAI_2637636
Scan Status: In-progress

Gainsight Risk Score (AI oriented)

Between 0 and 549

  • Powered by our proprietary A.I. cyber incident model
  • Insurers prefer the TPRM score to calculate premiums
Gainsight Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Gainsight Company CyberSecurity News & History

Past Incidents: 6
Attack Types: 2
Gainsight
Breach
Severity: 85
Impact: 4
Seen: 11/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Gainsight, a customer success platform provider, suffered a security breach where unauthorized actors (linked to the **Shiny Hunters** extortion group) exploited its Salesforce-connected applications. The attack began with reconnaissance on **November 8, 2025**, followed by intrusions between **November 16–23** via VPNs, Tor, and AWS-linked IPs. Attackers used malicious **User-Agent strings** (e.g., *Salesforce-Multi-Org-Fetcher/1.0*) to bypass authentication, mirroring tactics from the prior **Salesloft Drift attack**. While Gainsight initially reported **only 3 affected customers**, the number later expanded, with CEO Chuck Ganapathi acknowledging a 'handful' of victims with confirmed data theft. Shiny Hunters claimed **three months of undetected access**, though no public data leaks were verified by **Unit 42/Palo Alto Networks** as of the report. Salesforce revoked Gainsight’s OAuth tokens, disabled its app integrations, and urged customers to audit logs, rotate S3 keys, reset passwords, and reauthorize integrations. The breach’s scope—including potential **customer data exposure**—remains under investigation by **Salesforce, Gainsight, and Mandiant**, with Shiny Hunters hinting at broader 2025 victim counts (1.5K+).

Gainsight
Breach
Severity: 85
Impact: 4
Seen: 11/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Gainsight, a customer success management software firm, experienced a breach in its systems that compromised Salesforce customer tokens. The incident was reported by the Google Threat Intelligence Group, potentially affecting over 200 Salesforce instances. CEO Chuck Ganapathi confirmed that only a limited number of Gainsight clients had their data compromised. The company advised customers to review Salesforce logs for authentication attempts and API calls originating from the Gainsight Connected App to identify anomalous access patterns. Gainsight also recommended implementing IP restrictions for API calls as a mitigation measure. The breach remains under investigation, with Gainsight’s own logs deemed insufficient for assessing organizational risk. Clients were urged to rely on Salesforce-side logs for determining exposure.

Gainsight
Breach
Severity: 85
Impact: 4
Seen: 11/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Gainsight, a customer success platform, suffered a breach linked to its Salesforce-connected app, initially flagged by Salesforce due to unusual activity. The breach was attributed to the extortion group **ShinyHunters**, with conflicting reports on its scale: Gainsight claimed only a 'handful of customers' were affected, while Google’s Threat Intelligence Group (GTIG) identified over **200 potentially compromised Salesforce instances**. Salesforce revoked all access tokens tied to Gainsight’s apps, and integrations with other platforms (HubSpot, Zendesk) were also disabled as a precaution. Forensic investigations, assisted by **Mandiant**, remain ongoing, with Gainsight’s Salesforce integration still offline. The breach exposed customer data, though the exact scope (e.g., types of data leaked or financial/reputational harm) remains undisclosed. Gainsight acknowledged login issues for some GSuite SSO users and is providing support to affected clients, but details on the breach’s broader impact—such as fraud, operational disruptions, or regulatory consequences—are unclear.

Gainsight
Breach
Severity: 85
Impact: 4
Seen: 8/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: The incident at **Gainsight** stemmed from a downstream effect of the **August 2025 Salesloft breach**, where the **Scattered Lapsus$ Hunters** group stole **OAuth tokens** tied to Salesloft’s Drift AI chat integration with Salesforce. These tokens granted unauthorized API access to **760 Salesforce instances**, leading to the exfiltration of **1.5 billion records**, including passwords, AWS keys, and Snowflake tokens. A subgroup, **ShinyHunters**, exploited the stolen credentials to breach **Gainsight’s systems**, extracting **customer contact data** (names, business emails, phone numbers, regional details), **licensing information**, and **support case contents**. Salesforce responded by **revoking all active Gainsight-associated tokens** and **temporarily removing its apps from the AppExchange** to mitigate further exposure. While Salesforce clarified that its platform itself was not vulnerable, the breach originated from **Gainsight’s external app connections**, compromising sensitive corporate and customer data across hundreds of organizations.

Salesforce
Breach
Severity: 85
Impact: 4
Seen: 11/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: The **Salesforce data breach** involved the **ShinyHunters (UNC6240) hacking group**, which exploited stolen **OAuth tokens** from **Salesloft’s GitHub account** to infiltrate **Drift’s Salesforce integration** and subsequently compromise **Gainsight**, a customer process management platform. The attackers gained unauthorized access to **over 200 Salesforce instances**, exfiltrating enterprise customer data through third-party service integrations (including **HubSpot and Zendesk**). While Salesforce revoked access keys and removed affected apps from the **AppExchange**, the breach exposed sensitive customer data, though the full scope of the leak remains undisclosed. The attack leveraged **supply-chain vulnerabilities** rather than a direct Salesforce platform flaw. ShinyHunters claimed delayed detection (1–2 weeks post-intrusion) and sought internal accomplices for further exploitation. Salesforce refused ransom demands, but the incident highlights risks in **third-party integrations** and **credential-based attacks**.

Gainsight
Cyber Attack
Severity: 85
Impact: 4
Seen: 11/2025
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Gainsight, a customer support platform provider, experienced a cyber incident where malicious actors (linked to the **Scattered Spider-ShinyHunters-Lapsus$ collective**) exploited its **SFDC Connector app** to gain unauthorized access to **Salesforce customer data**. Salesforce revoked Gainsight’s app access and removed it from the AppExchange after detecting unusual activity. The attackers, who previously targeted **Salesloft Drift** using stolen OAuth tokens, confirmed plans to leak data from **nearly 1,000 companies**, including **Fortune 500 firms** (e.g., Verizon, GitLab, F5, SonicWall) via a dedicated leak site. The breach involved **CRM-layer data**, primarily **business contact information and Salesforce case texts**, accessed through over-permissioned third-party integrations. Gainsight also preemptively disabled connections to **HubSpot and Zendesk**. The threat actors hinted at launching a **ransomware-as-a-service (RaaS) platform**, escalating risks of further extortion. While no direct financial or operational disruption was confirmed, the exposure of **sensitive corporate and customer relationship data** poses severe reputational, compliance, and downstream fraud risks for affected enterprises.


Gainsight Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months

Incident predictions locked (available with the Monitoring Plan).

A.I. Risk Score Likelihood 3 - 6 - 9 months

A.I. Risk Score predictions locked (available with the Monitoring Plan).

Underwriter Stats for Gainsight

Incidents vs Software Development Industry Average (This Year)

Gainsight has 1263.64% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Gainsight has 837.5% more incidents than the average of all companies with at least one recorded incident.

Incident Types Gainsight vs Software Development Industry Avg (This Year)

Gainsight reported 6 incidents this year: 1 cyber attack, 0 ransomware incidents, 0 vulnerabilities, and 5 data breaches, compared with industry peers with at least 1 incident.

Incident History — Gainsight (X = Date, Y = Severity)

Gainsight cyber incidents detection timeline including parent company and subsidiaries

Gainsight Company Subsidiaries


Gainsight Similar Companies

Adobe

Adobe is the global leader in digital media and digital marketing solutions. Our creative, marketing and document solutions empower everyone – from emerging artists to global brands – to bring digital creations to life and deliver immersive, compelling experiences to the right person at the right mo

Cadence

Cadence is a market leader in AI and digital twins, pioneering the application of computational software to accelerate innovation in the engineering design of silicon to systems. Our design solutions, based on Cadence’s Intelligent System Design™ strategy, are essential for the world’s leading semic

NetSuite

Founded in 1998, Oracle NetSuite is the world’s first cloud company. For more than 25 years, NetSuite has helped businesses gain the insight, control, and agility to build and grow a successful business. First focused on financials and ERP, we now provide an AI-powered unified business system that

Meta

Meta's mission is to build the future of human connection and the technology that makes it possible. Our technologies help people connect, find communities, and grow businesses. When Facebook launched in 2004, it changed the way people connect. Apps like Messenger, Instagram and WhatsApp further e

Workday

Workday is a leading provider of enterprise cloud applications for finance and human resources, helping customers adapt and thrive in a changing world. Workday applications for financial management, human resources, planning, spend management, and analytics are built with artificial intelligence and

Booking.com

A career at Booking.com is all about the journey, helping you explore new challenges in a place where you can be your best self. With plenty of exciting twists, turns and opportunities along the way. We’ve always been pioneers, on a mission to shape the future of travel through cutting edge techno

Amazon Fulfillment Technologies & Robotics

On the Fulfillment Technologies & Robotics Team, we build dynamic partnerships between people and intelligent machines. This intricate collaboration helps Amazon fulfill orders with unmatched accuracy. Since we began working with robotics, we've added over a million new jobs worldwide. Working in s

Shopify

Shopify is a leading global commerce company, providing trusted tools to start, grow, market, and manage a retail business of any size. Shopify makes commerce better for everyone with a platform and services that are engineered for reliability, while delivering a better shopping experience for consu

Juniper Networks

Juniper Networks is leading the revolution in networking, making it one of the most exciting technology companies in Silicon Valley today. Since being founded by Pradeep Sindhu, Dennis Ferguson, and Bjorn Liencres nearly 20 years ago, Juniper’s sole mission has been to create innovative products and


Gainsight CyberSecurity News

November 21, 2025 12:44 PM
OAuth token compromise hits Salesforce ecosystem again, Gainsight impacted

Attackers leveraged stolen secrets to hijack integrations and access customer data, highlighting the need for enterprises to audit connected...

November 21, 2025 12:09 PM
Salesforce Gainsight compromise: Early findings and customer guidance

Following Salesforce's revocation of tokens associated with Gainsight-published applications, Gainsight has been keeping customers updated.

November 21, 2025 10:05 AM
Salesforce Confirms Customers’ Data Was Accessed Following the Gainsight Breach

The company's investigation revealed that this suspicious activity resulted in unauthorized access to specific customer data stored in...

November 21, 2025 10:04 AM
Critical ASUSTOR Vulnerability Let Attackers Execute Malicious Code with Elevated Privileges

A critical security vulnerability has been discovered in ASUSTOR backup and synchronization software, allowing attackers to execute...

November 21, 2025 09:58 AM
Salesforce Data Theft Linked to Gainsight App Exploit

A Salesforce data theft incident has been linked to a Gainsight OAuth token attack by ShinyHunters, highlighting critical SaaS security...

November 21, 2025 09:39 AM
Salesforce Suspends Gainsight-Linked Apps Amid Investigation into “Unusual Activity” and Potential Data Exposure

Salesforce has launched an investigation into what it described as “unusual activity” tied to applications published by Gainsight, which.

November 21, 2025 08:07 AM
Salesforce Cuts Off Gainsight App Access After Detecting Data Exposure Risk—Mandiant Launches Investigation

Salesforce suspended several Gainsight apps after detecting suspicious activity that may have exposed customer data.

November 21, 2025 07:03 AM
Potential Data Exposure Pushes Salesforce To Disable Selected App Integrations

In a notice published on its status portal, Salesforce said the Gainsight-published apps, which are installed and managed directly by...

November 21, 2025 06:35 AM
SonicOS SSLVPN Vulnerability Let Attackers Crash the Firewall Remotely

SonicWall disclosed a flaw in its SonicOS SSLVPN service that overflows memory, allowing attackers to crash the firewall without any login.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Gainsight CyberSecurity History Information

Official Website of Gainsight

The official website of Gainsight is https://www.gainsight.com.

Gainsight’s AI-Generated Cybersecurity Score

According to Rankiteo, Gainsight’s AI-generated cybersecurity score is 349, reflecting their Critical security posture.

How many security badges does Gainsight have?

According to Rankiteo, Gainsight currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Gainsight have SOC 2 Type 1 certification?

According to Rankiteo, Gainsight is not certified under SOC 2 Type 1.

Does Gainsight have SOC 2 Type 2 certification?

According to Rankiteo, Gainsight does not hold a SOC 2 Type 2 certification.

Does Gainsight comply with GDPR?

According to Rankiteo, Gainsight is not listed as GDPR compliant.

Does Gainsight have PCI DSS certification?

According to Rankiteo, Gainsight does not currently maintain PCI DSS compliance.

Does Gainsight comply with HIPAA?

According to Rankiteo, Gainsight is not compliant with HIPAA regulations.

Does Gainsight have ISO 27001 certification?

According to Rankiteo, Gainsight is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Gainsight

Gainsight operates primarily in the Software Development industry.

Number of Employees at Gainsight

Gainsight employs approximately 1,100 people worldwide.

Subsidiaries Owned by Gainsight

Gainsight presently has no subsidiaries across any sectors.

Gainsight’s LinkedIn Followers

Gainsight’s official LinkedIn profile has approximately 157,947 followers.

NAICS Classification of Gainsight

Gainsight is classified under the NAICS code 5112, which corresponds to Software Publishers.

Gainsight’s Presence on Crunchbase

No, Gainsight does not have a profile on Crunchbase.

Gainsight’s Presence on LinkedIn

Yes, Gainsight maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/gainsight.

Cybersecurity Incidents Involving Gainsight

As of November 27, 2025, Rankiteo reports that Gainsight has experienced 6 cybersecurity incidents.

Number of Peer and Competitor Companies

Gainsight has an estimated 26,565 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Gainsight?

Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack and Breach.

How does Gainsight detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through the following measures, as recorded across its incidents:

  • Third-party assistance: Mandiant (Google Cloud); containment: revoked access to Gainsight applications on Salesforce AppExchange, disabled Gainsight connections with HubSpot and Zendesk; remediation: forensic investigation by Mandiant; communication: public security advisory by Salesforce (2023-11-20), Gainsight updates (acknowledged exposure).
  • Containment: token revocation (OAuth/refresh tokens), AppExchange removal; remediation: customer notifications, investigation; communication: direct customer notifications, public statement.
  • Third-party assistance: Google Mandiant (threat intelligence); containment: revoked OAuth tokens, removed Gainsight apps from AppExchange, limited HubSpot/Zendesk connector functionality; remediation: internal reviews by affected companies, token rotation; communication: public disclosure via media (Redazione RHC), no direct comment from Salesforce on specifics; enhanced monitoring: Google Threat Intelligence Group analysis.
  • Third-party assistance: Mandiant, Palo Alto Networks (Unit 42); containment: revoked Gainsight OAuth tokens, disabled Gainsight-Salesforce connection, published IoCs for customer review; remediation: rotated S3 bucket access keys, password resets for non-SSO users, reauthorization of connected apps; recovery: environment hardening by Gainsight, restoration of Salesforce connected app (pending); communication: public advisories from Salesforce and Gainsight, customer guidance for log review, ongoing updates on investigation; enhanced monitoring: recommended (review Salesforce logs for unexpected activity).
  • Third-party assistance: Google Threat Intelligence Group (reported potential impact); containment: IP restrictions for API calls; remediation: review of Salesforce logs for authentication attempts and API calls from the Gainsight Connected App; communication: advisories issued to clients to investigate logs and implement mitigations.
  • Third-party assistance: Google Mandiant (forensic investigation); containment: revoked all access/refresh tokens (Salesforce), disabled Salesforce integration, revoked HubSpot/Zendesk connectors, investigating GSuite SSO login issues; remediation: forensic analysis ongoing, customer support teams established, town halls hosted for affected customers; communication: blog post by CEO Chuck Ganapathi, community page updates (planned), direct outreach to affected customers.

Incident Details

Can you provide details on each incident?

Incident : Unauthorized Access

Title: Gainsight-Salesforce Unauthorized Data Access Incident

Description: Salesforce revoked access to Gainsight applications due to unusual activity, potentially enabling unauthorized access to customer data via Gainsight SFDC Connector. The incident is linked to the Scattered Lapsus$ Hunters group, who claimed responsibility and threatened to leak data from ~1000 companies, including Fortune 500 firms like Verizon, GitLab, F5, and SonicWall. Gainsight disabled connections with HubSpot and Zendesk as a precaution and engaged Mandiant for forensic investigation. The attack leveraged OAuth tokens and over-permissioned apps, mirroring a prior Salesloft Drift hack.

Date Detected: 2023-11-20

Date Publicly Disclosed: 2023-11-20

Type: Unauthorized Access

Attack Vector: Compromised OAuth Tokens, Over-Permissioned SaaS Applications, Supply Chain Attack

Vulnerability Exploited: Over-permissioned Gainsight SFDC Connector app (no Salesforce platform vulnerability identified)

Threat Actor: Scattered Spider, ShinyHunters, Lapsus$ (collectively referred to as 'Scattered Lapsus$ Hunters')

Motivation: Data Theft, Extortion, Financial Gain (planned RaaS offering)

Incident : Data Breach

Title: Gainsight Unauthorized Salesforce Data Access via Stolen OAuth Tokens

Description: Gainsight applications enabled unauthorized access to Salesforce customer data due to stolen OAuth tokens linked to the August 2025 Salesloft breach. The threat actor group ShinyHunters exploited these tokens to exfiltrate Gainsight customer contact and licensing data. Salesforce revoked all active and refresh tokens associated with Gainsight-published apps and temporarily removed them from the AppExchange. The incident is a downstream effect of the Salesloft Drift breach, where 1.5 billion records (including passwords, AWS keys, and Snowflake tokens) were exfiltrated from 760 Salesforce instances by the Scattered Lapsus$ Hunters group.

Type: Data Breach

Attack Vector: Stolen OAuth Tokens, API Abuse, Supply Chain Attack

Vulnerability Exploited: Weak or Stolen OAuth Token Management (External App Connection to Salesforce)

Threat Actor: ShinyHunters, Scattered Lapsus$ Hunters

Motivation: Data Theft, Financial Gain (Potential Dark Web Sale), Reputation Damage

Incident : Data Breach

Title: Salesforce Data Breach: ShinyHunters Hack via Gainsight Integration

Description: The ShinyHunters group announced its involvement in a data breach affecting the Salesforce ecosystem, particularly through the compromise of Gainsight and Salesloft integrations. Attackers leveraged stolen OAuth tokens from Salesloft’s GitHub account to access enterprise customer data across multiple CRM-related services, including Gainsight, HubSpot, and Zendesk. Over 200 Salesforce instances were reportedly affected. Salesforce revoked access keys and removed Gainsight apps from the AppExchange as a response. The breach is linked to the UNC6240 (ShinyHunters) threat group, which claims to have evaded detection for weeks and is seeking internal accomplices.

Date Detected: 2025-11-24

Date Publicly Disclosed: 2025-11-24

Type: Data Breach

Attack Vector: Stolen OAuth Tokens, Third-Party Integration Exploitation (Drift, Gainsight), GitHub Account Compromise

Vulnerability Exploited: Weak OAuth Token Security, Third-Party Application Misconfiguration

Threat Actor: ShinyHunters, UNC6240

Motivation: Data Theft, Extortion, Financial Gain, Espionage

Incident : Unauthorized Access

Title: Compromise of Gainsight-Published Applications Affecting Salesforce Customers

Description: The number of Salesforce customers affected by the recent compromise of Gainsight-published applications is yet to be publicly confirmed. Salesforce released indicators of compromise (IoCs) and revealed that the attack likely started on November 8, 2025, with reconnaissance and unauthorized access activity. Suspicious intrusions occurred between November 16 and 23, 2025, from IP addresses linked to commercial VPN services, the Tor network, and AWS. Malicious user agent strings, including 'Salesforce-Multi-Org-Fetcher/1.0,' were used for unauthorized access. Salesforce revoked Gainsight’s OAuth tokens but assured customers that audit trails and logs remain intact. The investigation is ongoing, involving Salesforce, Gainsight, and Mandiant. Gainsight confirmed a 'handful' of customers had data affected and advised security measures like rotating S3 bucket keys and resetting passwords. The breach was claimed by the Shiny Hunters cyber extortion collective, who alleged access to Gainsight for nearly 3 months.

Date Detected: 2025-11-08

Date Publicly Disclosed: 2025-11-21

Type: Unauthorized Access

Attack Vector: Compromised OAuth Tokens, Malicious User Agent Strings, VPN/Tor/AWS IP Spoofing

Vulnerability Exploited: Weak OAuth Token Management, Insufficient User Agent Validation, Lack of IP Restrictions for Connected Apps

Threat Actor: Shiny Hunters

Motivation: Data Theft, Extortion, Financial Gain

Incident : Data Breach / Unauthorized Access

Title: Gainsight Data Breach Affecting Salesforce Customer Tokens

Description: A limited number of Gainsight clients had their data compromised following a breach of the customer management software firm's systems, impacting Salesforce customer tokens. The breach was reported by the Google Threat Intelligence Group to potentially have affected over 200 Salesforce instances. Gainsight customers have been advised to review Salesforce logs for anomalous access patterns, particularly authentication attempts and API calls originating from the Gainsight Connected App. IP restrictions for API calls have also been recommended as a mitigation measure.

Type: Data Breach / Unauthorized Access

Incident : Data Breach

Title: Gainsight Data Breach via Salesforce Connected App

Description: Gainsight experienced a data breach after Salesforce flagged unusual activity involving its connected app. The breach was linked to the ShinyHunters extortion group, with discrepancies in the reported number of affected customers (Gainsight claims 'a handful,' while Google Threat Intelligence Group reports over 200 potentially affected Salesforce instances). Salesforce revoked all access and refresh tokens associated with Gainsight-published applications, and Gainsight disabled its Salesforce integration pending forensic investigation. The incident also impacted Gainsight's GSuite SSO logins for a subset of customers. Third-party integrations with HubSpot and Zendesk were also revoked as a precaution.

Date Detected: 2023-11-19

Date Publicly Disclosed: 2023-11-21

Type: Data Breach

Attack Vector: Compromised Connected App, Token Theft, Third-Party Integration Exploitation

Threat Actor: ShinyHunters

Motivation: Data Theft, Extortion, Financial Gain

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Compromised OAuth tokens via Gainsight SFDC Connector, Stolen OAuth Tokens (Salesloft Drift Integration), Compromised Salesloft GitHub Account, Stolen OAuth Tokens for Drift Integration, Compromised Gainsight Connected App, Malicious User Agent ('Salesforce-Multi-Org-Fetcher/1.0') and Gainsight Connected App on Salesforce.

Impact of the Incidents

What was the impact of each incident ?

Incident : Unauthorized Access GAI1832518112125

Data Compromised: Crm-layer data (business contact info), Salesforce case text

Systems Affected: Salesforce (via Gainsight SFDC Connector), HubSpot (preventively disabled), Zendesk (preventively disabled)

Downtime: Temporary disruption due to revoked access to Gainsight applications

Operational Impact: Connection failures for Gainsight-Salesforce integrations; forensic investigation ongoing

Brand Reputation Impact: High (Fortune 500 companies affected; public threat of data leak)

Identity Theft Risk: Low (primarily business contact info exposed)

Incident : Data Breach GAI0292402112125

Systems Affected: Salesforce Instances (760 in Salesloft breach), Gainsight-published Applications

Operational Impact: Token Revocation, AppExchange Removal, Customer Notifications

Brand Reputation Impact: Loss of Trust, Negative Publicity

Identity Theft Risk: Business Contact Details Exposed

Incident : Data Breach GAI1122911112425

Systems Affected: Salesforce Instances (200+), Gainsight, Salesloft, Drift, HubSpot, Zendesk

Downtime: Temporary Disruption of Gainsight Apps on Salesforce AppExchange, Limited Functionality of HubSpot/Zendesk Connectors

Operational Impact: Revocation of Access Keys, Removal of Gainsight Apps from AppExchange, Internal Reviews by Affected Companies

Brand Reputation Impact: Potential Erosion of Trust in Salesforce Ecosystem; Negative Publicity for Gainsight, HubSpot, Zendesk

Identity Theft Risk: High (Enterprise Customer Data Exposed)

Incident : Unauthorized Access GAI0892408112625

Systems Affected: Gainsight-Published Applications, Salesforce Connected App, S3 Buckets

Downtime: Temporary (Gainsight-Salesforce connection disabled)

Operational Impact: Disrupted Gainsight-Salesforce Integration, Manual Login Required for Gainsight NXT, Reauthorization of Connected Apps

Brand Reputation Impact: Moderate (Public Disclosure of Breach, Ongoing Investigation)

Identity Theft Risk: Potential (if PII was accessed)

Incident : Data Breach / Unauthorized Access GAI54103454112625

Systems Affected: Salesforce instances (potentially over 200), Gainsight Connected App

Operational Impact: Ongoing investigation; customers advised to review logs and implement IP restrictions for API calls

Brand Reputation Impact: Potential reputational harm due to breach affecting customer tokens and requiring client-side mitigation

Incident : Data Breach GAI0502205112725

Systems Affected: Salesforce Connected App, GSuite SSO (subset of customers), HubSpot Integration, Zendesk Integration

Downtime: True

Operational Impact: Disabled Salesforce Integration; Revoked CRM/Tool Connectors (HubSpot, Zendesk); Login Issues for GSuite SSO Users; Customer Success Operations Disrupted

Brand Reputation Impact: Contradictory Public Statements, Loss of Trust in Security Practices, Negative Media Coverage

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Business Contact Information, Salesforce Case Text, Business Contact Details (Names, Emails, Phone Numbers), Licensing Information, Support Case Contents, Regional/Location Details, Passwords (Salesloft Breach), AWS Keys (Salesloft Breach), Snowflake Tokens (Salesloft Breach), Enterprise Customer Data, CRM Records, Integration Logs, and Salesforce Customer Tokens.

Which entities were affected by each incident ?

Incident : Unauthorized Access GAI1832518112125

Entity Name: Gainsight

Entity Type: Customer Support Platform Provider

Industry: SaaS/Tech

Customers Affected: ~1000 companies (including Fortune 500)

Incident : Unauthorized Access GAI1832518112125

Entity Name: Salesforce

Entity Type: CRM Platform

Industry: SaaS/Tech

Incident : Unauthorized Access GAI1832518112125

Entity Name: Verizon

Entity Type: Telecommunications

Industry: Telecom

Incident : Unauthorized Access GAI1832518112125

Entity Name: GitLab

Entity Type: DevOps Platform

Industry: Tech

Incident : Unauthorized Access GAI1832518112125

Entity Name: F5

Entity Type: Network Security

Industry: Tech

Incident : Unauthorized Access GAI1832518112125

Entity Name: SonicWall

Entity Type: Cybersecurity

Industry: Tech

Incident : Data Breach GAI0292402112125

Entity Name: Gainsight

Entity Type: Customer Success Platform Provider

Industry: SaaS/Enterprise Software

Customers Affected: Hundreds (Potential)

Incident : Data Breach GAI0292402112125

Entity Name: Salesforce Customers (via Gainsight Apps)

Entity Type: B2B Enterprises, SaaS Users

Industry: Multiple (Salesforce Ecosystem)

Location: Global

Incident : Data Breach GAI0292402112125

Entity Name: Salesloft (Upstream Breach)

Entity Type: Sales Engagement Platform

Industry: SaaS

Customers Affected: 760 Salesforce Instances (1.5B Records Exfiltrated)

Incident : Data Breach GAI1122911112425

Entity Name: Salesforce

Entity Type: CRM Platform

Industry: Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Customers Affected: 200+ instances

Incident : Data Breach GAI1122911112425

Entity Name: Gainsight

Entity Type: Customer Success Platform

Industry: SaaS/Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: Salesloft

Entity Type: Sales Engagement Platform

Industry: SaaS/Technology

Location: Global (HQ: Atlanta, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: Drift

Entity Type: Conversational Marketing Platform

Industry: SaaS/Technology

Location: Global (HQ: Boston, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: HubSpot

Entity Type: CRM & Marketing Platform

Industry: SaaS/Technology

Location: Global (HQ: Cambridge, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: Zendesk

Entity Type: Customer Service Platform

Industry: SaaS/Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Incident : Unauthorized Access GAI0892408112625

Entity Name: Salesforce

Entity Type: Cloud CRM Provider

Industry: Technology

Location: San Francisco, California, USA

Size: Enterprise

Customers Affected: Handful (exact number undisclosed, initially 3, later expanded)

Incident : Unauthorized Access GAI0892408112625

Entity Name: Gainsight

Entity Type: Customer Success Platform

Industry: Technology

Location: San Francisco, California, USA

Size: Enterprise

Customers Affected: Handful (exact number undisclosed)

Incident : Data Breach / Unauthorized Access GAI54103454112625

Entity Name: Gainsight

Entity Type: Customer Management Software Firm

Industry: Technology / SaaS

Customers Affected: Limited number of clients (potential impact on over 200 Salesforce instances)

Incident : Data Breach / Unauthorized Access GAI54103454112625

Entity Name: Gainsight Clients (Salesforce Users)

Entity Type: Businesses

Industry: Multiple (Salesforce customers)

Incident : Data Breach GAI0502205112725

Entity Name: Gainsight

Entity Type: SaaS Company

Industry: Customer Success Platform

Customers Affected: Disputed: 'a handful' (Gainsight) vs. '200+' (Google Threat Intelligence Group)

Incident : Data Breach GAI0502205112725

Entity Name: Salesforce Customers (via Gainsight Connected App)

Entity Type: CRM Users

Customers Affected: 200+ (potentially)

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Unauthorized Access GAI1832518112125

Incident Response Plan Activated: True

Third Party Assistance: Mandiant (Google Cloud).

Containment Measures: Revoked access to Gainsight applications on Salesforce AppExchange, Disabled Gainsight connections with HubSpot and Zendesk

Remediation Measures: Forensic investigation by Mandiant

Communication Strategy: Public security advisory by Salesforce (2023-11-20), Gainsight updates (acknowledged exposure)

Incident : Data Breach GAI0292402112125

Incident Response Plan Activated: True

Containment Measures: Token Revocation (OAuth/Refresh Tokens), AppExchange Removal

Remediation Measures: Customer Notifications, Investigation

Communication Strategy: Direct Customer Notifications, Public Statement

Incident : Data Breach GAI1122911112425

Incident Response Plan Activated: True

Third Party Assistance: Google Mandiant (Threat Intelligence).

Containment Measures: Revoked OAuth Tokens, Removed Gainsight Apps from AppExchange, Limited HubSpot/Zendesk Connector Functionality

Remediation Measures: Internal Reviews by Affected Companies, Token Rotation

Communication Strategy: Public Disclosure via Media (Redazione RHC), No Direct Comment from Salesforce on Specifics

Enhanced Monitoring: Google Threat Intelligence Group Analysis

Incident : Unauthorized Access GAI0892408112625

Incident Response Plan Activated: True

Third Party Assistance: Mandiant, Palo Alto Networks (Unit 42).

Containment Measures: Revoked Gainsight OAuth Tokens, Disabled Gainsight-Salesforce Connection, Published IoCs for Customer Review

Remediation Measures: Rotated S3 Bucket Access Keys, Password Resets for Non-SSO Users, Reauthorization of Connected Apps

Recovery Measures: Environment Hardening by Gainsight, Restoration of Salesforce Connected App (Pending)

Communication Strategy: Public Advisories from Salesforce & Gainsight, Customer Guidance for Log Review, Ongoing Updates on Investigation

Enhanced Monitoring: Recommended (Review Salesforce Logs for Unexpected Activity)

Incident : Data Breach / Unauthorized Access GAI54103454112625

Incident Response Plan Activated: True

Third Party Assistance: Google Threat Intelligence Group (Reported Potential Impact).

Containment Measures: IP restrictions for API calls

Remediation Measures: Review of Salesforce logs for authentication attempts and API calls from Gainsight Connected App

Communication Strategy: Advisories issued to clients to investigate logs and implement mitigations

Incident : Data Breach GAI0502205112725

Incident Response Plan Activated: True

Third Party Assistance: Google Mandiant (Forensic Investigation).

Containment Measures: Revoked All Access/Refresh Tokens (Salesforce), Disabled Salesforce Integration, Revoked HubSpot/Zendesk Connectors, Investigating GSuite SSO Login Issues

Remediation Measures: Forensic Analysis Ongoing, Customer Support Teams Established, Town Halls Hosted for Affected Customers

Communication Strategy: Blog Post by CEO Chuck Ganapathi, Community Page Updates (Planned), Direct Outreach to Affected Customers

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Mandiant (Google Cloud), Google Mandiant (Threat Intelligence), Mandiant, Palo Alto Networks (Unit 42), Google Threat Intelligence Group (reported potential impact), and Google Mandiant (Forensic Investigation).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Unauthorized Access GAI1832518112125

Type of Data Compromised: Business contact information, Salesforce case text

Sensitivity of Data: Moderate (primarily business, not highly sensitive PII)

Data Exfiltration: Claimed by threat actors (not confirmed)

Personally Identifiable Information: Limited (business contact info)

Incident : Data Breach GAI0292402112125

Type of Data Compromised: Business contact details (names, emails, phone numbers), Licensing information, Support case contents, Regional/location details, Passwords (Salesloft breach), AWS keys (Salesloft breach), Snowflake tokens (Salesloft breach)

Number of Records Exposed: 1.5 Billion (Salesloft Breach), Undisclosed (Gainsight Breach)

Sensitivity of Data: Moderate to High (Business PII, Credentials, API Keys)

Personally Identifiable Information: Business PII (Names, Emails, Phone Numbers)

Incident : Data Breach GAI1122911112425

Type of Data Compromised: Enterprise customer data, CRM records, Integration logs

Sensitivity of Data: High (Potential PII, Business-Critical CRM Data)

Personally Identifiable Information: Likely (Enterprise Customer Data)

Incident : Unauthorized Access GAI0892408112625

Data Exfiltration: Alleged (Claimed by Shiny Hunters, Unverified)

Personally Identifiable Information: Potential (Unconfirmed)

Incident : Data Breach / Unauthorized Access GAI54103454112625

Type of Data Compromised: Salesforce customer tokens

Sensitivity of Data: High (authentication tokens)

Incident : Data Breach GAI0502205112725

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Forensic investigation by Mandiant; Customer Notifications; Investigation; Internal Reviews by Affected Companies; Token Rotation; Rotated S3 Bucket Access Keys; Password Resets for Non-SSO Users; Reauthorization of Connected Apps; Review of Salesforce logs for authentication attempts and API calls from Gainsight Connected App; Forensic Analysis Ongoing; Customer Support Teams Established; Town Halls Hosted for Affected Customers.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through the following containment measures: revoked access to Gainsight applications on Salesforce AppExchange; disabled Gainsight connections with HubSpot and Zendesk; token revocation (OAuth/refresh tokens); AppExchange removal; revoked OAuth tokens; removed Gainsight apps from AppExchange; limited HubSpot/Zendesk connector functionality; revoked Gainsight OAuth tokens; disabled Gainsight-Salesforce connection; published IoCs for customer review; IP restrictions for API calls; revoked all access/refresh tokens (Salesforce); disabled Salesforce integration; revoked HubSpot/Zendesk connectors; and investigating GSuite SSO login issues.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Unauthorized Access GAI1832518112125

Data Exfiltration: Threatened (planned dedicated leak site)

Incident : Data Breach GAI0292402112125

Data Exfiltration: True

Incident : Data Breach GAI1122911112425

Data Exfiltration: True

Incident : Unauthorized Access GAI0892408112625

Data Exfiltration: Alleged (Claimed by Shiny Hunters)

Incident : Data Breach GAI0502205112725

Data Exfiltration: True

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Environment Hardening by Gainsight and Restoration of Salesforce Connected App (Pending).

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Unauthorized Access GAI1832518112125

Lessons Learned: The incident highlights risks in SaaS ecosystems from over-permissioned third-party apps and OAuth token misuse. Organizations should audit app permissions, monitor for anomalous activity, and enforce least-privilege access principles.

Incident : Data Breach GAI1122911112425

Lessons Learned: OAuth token security requires stricter rotation and monitoring. Third-party integrations introduce significant supply chain risks. Delayed detection (1–2 weeks) highlights gaps in anomaly monitoring. Collaboration with threat intelligence firms (e.g., Mandiant) is critical for attribution.

What recommendations were made to prevent future incidents ?

Incident : Unauthorized Access GAI1832518112125

Recommendations: Conduct third-party risk assessments for integrated SaaS vendors. Implement continuous monitoring for OAuth token usage and app connections. Enforce least-privilege access for third-party applications. Review and revoke unnecessary permissions for SaaS integrations. Prepare incident response plans for supply chain attacks.

Incident : Data Breach GAI1122911112425

Recommendations: Implement multi-layered authentication for third-party OAuth tokens. Conduct regular audits of integration partners’ security postures. Enhance real-time monitoring for unauthorized access patterns. Establish clear incident response protocols for supply chain breaches. Publicly disclose breaches transparently to maintain customer trust.

Incident : Unauthorized Access GAI0892408112625

Recommendations: Review Salesforce logs for unexpected activity related to Gainsight connections. Rotate S3 bucket access keys used for Gainsight connections. Log in to Gainsight NXT directly (avoid Salesforce SSO until restored). Reset passwords for non-SSO users in Gainsight NXT. Re-authorize connected apps/integrations relying on user credentials. Monitor for IoCs (IPs, User Agents) provided by Salesforce/Gainsight. Implement stricter OAuth token management and user agent validation.

Incident : Data Breach / Unauthorized Access GAI54103454112625

Recommendations: Review Salesforce logs for authentication attempts and API calls from Gainsight Connected App. Implement IP restrictions for API calls. Monitor for anomalous access patterns.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: The incident highlights risks in SaaS ecosystems from over-permissioned third-party apps and OAuth token misuse. Organizations should audit app permissions, monitor for anomalous activity, and enforce least-privilege access principles. OAuth token security requires stricter rotation and monitoring. Third-party integrations introduce significant supply chain risks. Delayed detection (1–2 weeks) highlights gaps in anomaly monitoring. Collaboration with threat intelligence firms (e.g., Mandiant) is critical for attribution.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Rotate S3 bucket access keys used for Gainsight connections; Monitor for IoCs (IPs, User Agents) provided by Salesforce/Gainsight; Log in to Gainsight NXT directly (avoid Salesforce SSO until restored); Reset passwords for non-SSO users in Gainsight NXT; Implement stricter OAuth token management and user agent validation; Review Salesforce logs for unexpected activity related to Gainsight connections; and Re-authorize connected apps/integrations relying on user credentials.

References

Where can I find more information about each incident ?

Incident : Unauthorized Access GAI1832518112125

Source: Salesforce Security Advisory

Date Accessed: 2023-11-20

Incident : Unauthorized Access GAI1832518112125

Source: DataBreaches.net (Dissent)

Incident : Unauthorized Access GAI1832518112125

Source: Black Kite (Ferhat Dikbiyik)

Incident : Unauthorized Access GAI1832518112125

Source: Infosecurity Magazine

Incident : Data Breach GAI0292402112125

Source: TechRadar

Incident : Data Breach GAI0292402112125

Source: BleepingComputer

Incident : Data Breach GAI0292402112125

Source: Salesforce Public Announcement

Incident : Data Breach GAI1122911112425

Source: Redazione RHC

Date Accessed: 2025-11-24

Incident : Unauthorized Access GAI0892408112625

Source: Salesforce Advisory

Date Accessed: 2025-11-21

Incident : Unauthorized Access GAI0892408112625

Source: Gainsight Customer Advisory

Date Accessed: 2025-11-21

Incident : Unauthorized Access GAI0892408112625

Source: Palo Alto Networks (Unit 42) Analysis

Date Accessed: 2025-11-24

Incident : Unauthorized Access GAI0892408112625

Source: Shiny Hunters Telegram Post

Date Accessed: 2025-11-24

Incident : Data Breach / Unauthorized Access GAI54103454112625

Source: CyberScoop

Incident : Data Breach GAI0502205112725

Source: The Register

Incident : Data Breach GAI0502205112725

Source: Gainsight Blog Post (CEO Chuck Ganapathi)

Incident : Data Breach GAI0502205112725

Source: Salesforce Security Advisory

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the sources cited above: Salesforce Security Advisory (accessed 2023-11-20), DataBreaches.net (Dissent), Black Kite (Ferhat Dikbiyik), Infosecurity Magazine, TechRadar, BleepingComputer, Salesforce Public Announcement, Redazione RHC (accessed 2025-11-24), Salesforce Advisory (accessed 2025-11-21), Gainsight Customer Advisory (accessed 2025-11-21), Palo Alto Networks (Unit 42) Analysis (accessed 2025-11-24), Shiny Hunters Telegram Post (accessed 2025-11-24), CyberScoop, The Register, Gainsight Blog Post (CEO Chuck Ganapathi), and Salesforce Security Advisory.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Unauthorized Access GAI1832518112125

Investigation Status: Ongoing (Mandiant engaged for forensic analysis)

Incident : Data Breach GAI0292402112125

Investigation Status: Ongoing (Customer Notifications in Progress)

Incident : Data Breach GAI1122911112425

Investigation Status: Ongoing (Led by Google Mandiant)

Incident : Unauthorized Access GAI0892408112625

Investigation Status: Ongoing (Salesforce, Gainsight, Mandiant)

Incident : Data Breach / Unauthorized Access GAI54103454112625

Investigation Status: Ongoing (customers urged to review logs; extent of breach under investigation)

Incident : Data Breach GAI0502205112725

Investigation Status: Ongoing (Forensic Analysis by Mandiant)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through a public security advisory by Salesforce (2023-11-20), Gainsight updates (acknowledged exposure), direct customer notifications, public statements, public disclosure via media (Redazione RHC), no direct comment from Salesforce on specifics, public advisories from Salesforce and Gainsight, customer guidance for log review, ongoing updates on the investigation, advisories issued to clients to investigate logs and implement mitigations, a blog post by CEO Chuck Ganapathi, community page updates (planned), and direct outreach to affected customers.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Unauthorized Access GAI1832518112125

Stakeholder Advisories: Salesforce Security Advisory (2023-11-20), Gainsight Updates (Acknowledged Exposure).

Incident : Data Breach GAI0292402112125

Stakeholder Advisories: Direct Notifications To Affected Customers.

Customer Advisories: Revoked Tokens; App Removal from AppExchange

Incident : Data Breach GAI1122911112425

Stakeholder Advisories: Salesforce Revoked Access Keys, Gainsight/HubSpot/Zendesk Limited Connector Functionality.

Customer Advisories: No Direct Communication Mentioned

Incident : Unauthorized Access GAI0892408112625

Stakeholder Advisories: Salesforce IoC List, Gainsight Security Recommendations, Mandiant Investigation Support.

Customer Advisories: Temporarily disable the Gainsight-Salesforce connection. Review API and authentication logs for suspicious activity. Follow password rotation and reauthorization guidelines.

Incident : Data Breach / Unauthorized Access GAI54103454112625

Stakeholder Advisories: Clients advised to investigate Salesforce logs and implement IP restrictions

Customer Advisories: Public communication by Gainsight CEO (Chuck Ganapathi) and Chief Customer Officer (Brent Krempges) urging log reviews and mitigation measures

Incident : Data Breach GAI0502205112725

Stakeholder Advisories: Salesforce Security Advisory (Indicators Of Compromise Shared), Hubspot/Zendesk Connector Revocations.

Customer Advisories: Direct Outreach to Affected Customers; Community Page Updates (Planned); Town Halls for Customer Success Management

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provided the following advisories to stakeholders and customers following the incidents: Salesforce Security Advisory (2023-11-20); Gainsight updates (acknowledged exposure); direct notifications to affected customers; revoked tokens; app removal from AppExchange; Salesforce revoked access keys; Gainsight/HubSpot/Zendesk limited connector functionality; no direct communication mentioned (for one incident); Salesforce IoC list; Gainsight security recommendations; Mandiant investigation support; temporarily disable the Gainsight-Salesforce connection; review API and authentication logs for suspicious activity; follow password rotation and reauthorization guidelines; clients advised to investigate Salesforce logs and implement IP restrictions; public communication by Gainsight CEO (Chuck Ganapathi) and Chief Customer Officer (Brent Krempges) urging log reviews and mitigation measures; Salesforce Security Advisory (indicators of compromise shared); HubSpot/Zendesk connector revocations; direct outreach to affected customers; community page updates (planned); and town halls for Customer Success Management.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Unauthorized Access GAI1832518112125

Entry Point: Compromised OAuth tokens via Gainsight SFDC Connector

High Value Targets: Fortune 500 companies (e.g., Verizon, GitLab, F5, SonicWall)

Data Sold on Dark Web: Fortune 500 companies (e.g., Verizon, GitLab, F5, SonicWall)

Incident : Data Breach GAI0292402112125

Entry Point: Stolen OAuth Tokens (Salesloft Drift Integration)

High Value Targets: Salesforce Customer Data, Gainsight Licensing Data

Data Sold on Dark Web: Salesforce Customer Data, Gainsight Licensing Data

Incident : Data Breach GAI1122911112425

Entry Point: Compromised Salesloft GitHub Account, Stolen OAuth Tokens for Drift Integration

Reconnaissance Period: Several Months (Undetected for 1–2 Weeks Post-Intrusion)

High Value Targets: Salesforce CRM Data, Gainsight Customer Process Management Platform

Data Sold on Dark Web: Salesforce CRM Data, Gainsight Customer Process Management Platform

Incident : Unauthorized Access GAI0892408112625

Entry Point: Compromised Gainsight Connected App, Malicious User Agent ('Salesforce-Multi-Org-Fetcher/1.0')

Reconnaissance Period: ~3 months (claimed by Shiny Hunters)

High Value Targets: Salesforce Customer Data, Gainsight NXT User Credentials

Data Sold on Dark Web: Salesforce Customer Data, Gainsight NXT User Credentials

Incident : Data Breach / Unauthorized Access GAI54103454112625

High Value Targets: Salesforce Customer Tokens

Data Sold on Dark Web: Salesforce Customer Tokens

Incident : Data Breach GAI0502205112725

Entry Point: Gainsight Connected App on Salesforce

High Value Targets: Salesforce Customer Data, CRM Integrations (HubSpot, Zendesk)

Data Sold on Dark Web: Salesforce Customer Data, CRM Integrations (HubSpot, Zendesk)

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Unauthorized Access GAI1832518112125

Root Causes: Over-permissioned Gainsight SFDC Connector app; misuse of OAuth tokens (similar to the prior Salesloft Drift incident); inadequate monitoring of third-party app activity.

Incident : Data Breach GAI0292402112125

Root Causes: Weak OAuth token security (Salesloft); supply chain vulnerability (Gainsight apps relying on compromised tokens); insufficient API access controls.

Incident : Data Breach GAI1122911112425

Root Causes: Inadequate OAuth token security in third-party integrations (Drift, Gainsight); lack of real-time monitoring for anomalous access patterns; supply chain vulnerabilities via GitHub account compromise.

Corrective Actions: Token revocation and rotation across affected systems; removal of vulnerable apps from AppExchange; engagement of threat intelligence (Mandiant) for attribution.

Incident : Unauthorized Access GAI0892408112625

Root Causes: Insufficient validation of user agent strings in the Gainsight Connected App; lack of IP restrictions for API calls from Gainsight; potential OAuth token mismanagement.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's post-incident analysis relies on external forensic and threat-intelligence partners: Mandiant (Google Cloud), Google Mandiant (threat intelligence), Google Threat Intelligence Group analysis, Palo Alto Networks (Unit 42), Google Threat Intelligence Group (reported potential impact), and Google Mandiant (forensic investigation). Customers were recommended to review Salesforce logs for unexpected activity.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: token revocation and rotation across affected systems; removal of vulnerable apps from AppExchange; and engagement of threat intelligence (Mandiant) for attribution.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was reported under several names: Scattered Spider, ShinyHunters and Lapsus$ (collectively referred to as 'Scattered Lapsus$ Hunters'); ShinyHunters / Scattered Lapsus$ Hunters; ShinyHunters / UNC6240; Shiny Hunters; and ShinyHunters.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2023-11-20.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-11-21.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were CRM-layer data (business contact info) and Salesforce case text.

What was the most significant system affected in an incident ?

Most Significant System Affected: The systems affected across the incidents were: Salesforce (via Gainsight SFDC Connector), HubSpot (preventively disabled), Zendesk (preventively disabled); Salesforce instances (760 in the Salesloft breach), Gainsight-published applications; Salesforce instances (200+), Gainsight, Salesloft, Drift, HubSpot, Zendesk; Gainsight-published applications, Salesforce Connected App, S3 buckets; Salesforce instances (potentially over 200), Gainsight Connected App; Salesforce Connected App, GSuite SSO (subset of customers), HubSpot integration, Zendesk integration.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Mandiant (Google Cloud), Google Mandiant (threat intelligence), Palo Alto Networks (Unit 42), Google Threat Intelligence Group (reported potential impact), and Google Mandiant (forensic investigation).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: revoked access to Gainsight applications on Salesforce AppExchange and disabled Gainsight connections with HubSpot and Zendesk; token revocation (OAuth/refresh tokens) and AppExchange removal; revoked OAuth tokens, removed Gainsight apps from AppExchange, limited HubSpot/Zendesk connector functionality; revoked Gainsight OAuth tokens, disabled the Gainsight-Salesforce connection, published IoCs for customer review; IP restrictions for API calls; and revoked all access/refresh tokens (Salesforce), disabled the Salesforce integration, revoked HubSpot/Zendesk connectors, and investigated GSuite SSO login issues.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were CRM-layer data (business contact info) and Salesforce case text.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.5B.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Collaboration with threat intelligence firms (e.g., Mandiant) is critical for attribution.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: implement multi-layered authentication for third-party OAuth tokens; conduct regular audits of integration partners' security postures; review Salesforce logs for unexpected activity related to Gainsight connections; rotate S3 bucket access keys used for Gainsight connections; monitor for IoCs (IPs, user agents) provided by Salesforce/Gainsight; enforce least-privilege access for third-party applications; implement continuous monitoring for OAuth token usage and app connections; reset passwords for non-SSO users in Gainsight NXT; review Salesforce logs for authentication attempts and API calls from the Gainsight Connected App; implement stricter OAuth token management and user agent validation; re-authorize connected apps/integrations relying on user credentials; implement IP restrictions for API calls; enhance real-time monitoring for unauthorized access patterns; monitor for anomalous access patterns; prepare incident response plans for supply chain attacks; conduct third-party risk assessments for integrated SaaS vendors; establish clear incident response protocols for supply chain breaches; log in to Gainsight NXT directly (avoid Salesforce SSO until restored); publicly disclose breaches transparently to maintain customer trust; and review and revoke unnecessary permissions for SaaS integrations.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are The Register, Infosecurity Magazine, Salesforce Security Advisory, Palo Alto Networks (Unit 42) Analysis, Gainsight Blog Post (CEO Chuck Ganapathi), Salesforce Advisory, Black Kite (Ferhat Dikbiyik), DataBreaches.net (Dissent), TechRadar, BleepingComputer, Gainsight Customer Advisory, Shiny Hunters Telegram Post, Redazione RHC, Salesforce Public Announcement and CyberScoop.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Mandiant engaged for forensic analysis).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were the Salesforce security advisory (2023-11-20), Gainsight updates (acknowledged exposure), direct notifications to affected customers, Salesforce revoked access keys, Gainsight/HubSpot/Zendesk limited connector functionality, Salesforce IoC list, Gainsight security recommendations, Mandiant investigation support, clients advised to investigate Salesforce logs and implement IP restrictions, Salesforce Security Advisory (indicators of compromise shared), and HubSpot/Zendesk connector revocations.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: revoked tokens and app removal from AppExchange; no direct communication mentioned; temporarily disable the Gainsight-Salesforce connection, review API and authentication logs for suspicious activity, and follow password rotation and reauthorization guidelines; public communication by Gainsight CEO (Chuck Ganapathi) and Chief Customer Officer (Brent Krempges) urging log reviews and mitigation measures; and direct outreach to affected customers, community page updates (planned), and town halls for Customer Success Management.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were the Gainsight Connected App on Salesforce, compromised OAuth tokens via the Gainsight SFDC Connector, and stolen OAuth tokens (Salesloft Drift integration).

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The reconnaissance periods reported for the incidents were several months (undetected for 1–2 weeks post-intrusion) and ~3 months (claimed by Shiny Hunters).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: over-permissioned Gainsight SFDC Connector app, misuse of OAuth tokens (similar to the prior Salesloft Drift incident), inadequate monitoring of third-party app activity; weak OAuth token security (Salesloft), supply chain vulnerability (Gainsight apps relying on compromised tokens), insufficient API access controls; inadequate OAuth token security in third-party integrations (Drift, Gainsight), lack of real-time monitoring for anomalous access patterns, supply chain vulnerabilities via GitHub account compromise; insufficient validation of user agent strings in the Gainsight Connected App, lack of IP restrictions for API calls from Gainsight, potential OAuth token mismanagement.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were token revocation and rotation across affected systems, removal of vulnerable apps from AppExchange, and engagement of threat intelligence (Mandiant) for attribution.

CVE

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking whether a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with a protocol-relative prefix (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or as fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=gainsight' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident

Finding

Grade

Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.