At Gainsight, our mission is to be living proof you can win in business while being human first. Gainsight, the world’s leading Customer Success platform, helps businesses drive efficient growth by unifying the post-sales customer journey. Our innovative suite of solutions—including customer success, customer education, product experience, community management, and conversational AI insights—are trusted by companies of all sizes and industries, including nearly 200 publicly traded organizations. With Gainsight, businesses can leverage AI-driven insights from real-time customer interactions to enhance engagement, improve retention, and drive expansion. Our platform makes it easier for customer success, product, and community teams to scale efficiently and gain a holistic view of their customers, driving product adoption and building thriving customer communities. Gainsight joined the Vista Equity Partners portfolio in 2020. In 2021, we won their Excellence in Engineering award in recognition for our product and engineering advancements. A remote-friendly company, we have offices in the US, UK, Netherlands, Israel, and India. Gainsight received the top spot in Glassdoor's Best Places to Work for 2023. It has also been named as one of the top 100 private cloud companies in the world by Forbes, one of the fastest-growing private companies in America by Inc. Magazine, and one of 20 Great Workplaces in Tech by Fortune Magazine.

Gainsight A.I CyberSecurity Scoring

Gainsight

Company Details

LinkedIn ID: gainsight
Employees number: 1,099
Number of followers: 158,852
NAICS: 5112
Industry Type: Software Development
Homepage: gainsight.com
IP Addresses: 0
Company ID: GAI_2637636
Scan Status: In-progress

Gainsight Risk Score (AI oriented): Between 0 and 549

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score to calculate premiums
Gainsight Global Score (TPRM): XXXX

Gainsight Company CyberSecurity News & History

Past Incidents: 4
Attack Types: 1

Salesforce
Breach
Severity: 85
Impact: 4
Seen: 11/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The Salesforce data breach involved the ShinyHunters (UNC6240) hacking group, which exploited stolen OAuth tokens from Salesloft’s GitHub account to infiltrate Drift’s Salesforce integration and subsequently compromise Gainsight, a customer process management platform. The attackers gained unauthorized access to over 200 Salesforce instances, exfiltrating enterprise customer data through third-party service integrations (including HubSpot and Zendesk). While Salesforce revoked access keys and removed affected apps from the AppExchange, the breach exposed sensitive customer data, though the full scope of the leak remains undisclosed. The attack leveraged supply-chain vulnerabilities rather than a direct Salesforce platform flaw. ShinyHunters claimed delayed detection (1–2 weeks post-intrusion) and sought internal accomplices for further exploitation. Salesforce refused ransom demands, but the incident highlights risks in third-party integrations and credential-based attacks.

Gainsight
Breach
Severity: 85
Impact: 4
Seen: 8/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The incident at Gainsight stemmed from a downstream effect of the August 2025 Salesloft breach, where the Scattered Lapsus$ Hunters group stole OAuth tokens tied to Salesloft’s Drift AI chat integration with Salesforce. These tokens granted unauthorized API access to 760 Salesforce instances, leading to the exfiltration of 1.5 billion records, including passwords, AWS keys, and Snowflake tokens. A subgroup, ShinyHunters, exploited the stolen credentials to breach Gainsight’s systems, extracting customer contact data (names, business emails, phone numbers, regional details), licensing information, and support case contents. Salesforce responded by revoking all active Gainsight-associated tokens and temporarily removing its apps from the AppExchange to mitigate further exposure. While Salesforce clarified that its platform itself was not vulnerable, the breach originated from Gainsight’s external app connections, compromising sensitive corporate and customer data across hundreds of organizations.

Gainsight
Breach
Severity: 85
Impact: 4
Seen: 6/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Gainsight, a customer management software firm, experienced a security breach that compromised a limited number of its clients' data. The incident was confirmed by CEO Chuck Ganapathi and involved the exposure of Salesforce customer tokens, which are critical for authentication and access control within Salesforce ecosystems. While the breach did not result in a large-scale data leak, the compromise of these tokens poses risks such as unauthorized access to customer accounts, potential phishing attacks, or further exploitation of linked systems. The breach highlights vulnerabilities in third-party integrations, particularly those tied to major platforms like Salesforce. Although the impact was contained to a subset of clients, the exposure of authentication tokens could lead to reputational damage for Gainsight, erosion of customer trust, and potential financial repercussions if affected clients face downstream security incidents. The company has not disclosed whether the breach was due to a targeted cyber attack, a vulnerability exploitation, or an internal misconfiguration, but the involvement of Salesforce tokens suggests a sophisticated intrusion method.

Gainsight
Breach
Severity: 85
Impact: 4
Seen: 5/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Gainsight, a customer success management software firm, experienced a security breach that compromised a limited number of its clients' data. The incident was linked to the exposure of Salesforce customer tokens, which are critical for authentication and access within the Salesforce ecosystem. CEO Chuck Ganapathi confirmed that while the breach impacted Gainsight’s systems, only a subset of clients had their data compromised. The nature of the breach suggests unauthorized access to sensitive customer-related credentials, potentially enabling further exploitation if misused. Although the exact scope of the stolen data remains undisclosed, the involvement of Salesforce tokens indicates a risk of downstream attacks, such as unauthorized access to client accounts or systems integrated with Gainsight. The breach underscores vulnerabilities in third-party SaaS platforms and the cascading risks posed by credential-based attacks in enterprise software supply chains.


Underwriter Stats for Gainsight

Incidents vs Software Development Industry Average (This Year)

No incidents recorded for Gainsight in 2026.

Incidents vs All-Companies Average (This Year)

No incidents recorded for Gainsight in 2026.

Incident Types Gainsight vs Software Development Industry Avg (This Year)

No incidents recorded for Gainsight in 2026.

Incident History — Gainsight (X = Date, Y = Severity)

Gainsight cyber incidents detection timeline including parent company and subsidiaries


Gainsight Similar Companies

Baidu, Inc.

Baidu is a leading AI company with strong Internet foundation, driven by our mission to “make the complicated world simpler through technology”. Founded in 2000 as a search engine platform, we were an early adopter of artificial intelligence in 2010. Since then, we have established a full AI stack,

Trimble Inc.

Trimble is a global technology company that connects the physical and digital worlds, transforming the ways work gets done. With relentless innovation in precise positioning, modeling and data analytics, Trimble enables essential industries including construction, geospatial and transportation. Whet

Upwork

Upwork is the world’s work marketplace that connects businesses with independent talent from across the globe. We serve everyone from one-person startups to large, Fortune 100 enterprises with a powerful, trust-driven platform that enables companies and talent to work together in new ways that unloc

At DoorDash, our mission to empower local economies shapes how our team members move quickly and always learn and reiterate to support merchants, Dashers and the communities we serve. We are a technology and logistics company that started with door-to-door delivery, and we are looking for team membe

Pitney Bowes

Pitney Bowes is a technology-driven company that provides digital shipping solutions, mailing innovation, and financial services to clients around the world – including more than 90 percent of the Fortune 500. Small businesses to large enterprises, and government entities rely on Pitney Bowes to red

About KPIT KPIT is reimagining the future of mobility, forging ahead with group companies and partners to shape a world that is cleaner, smarter, and safer. With over 25 years of specialized expertise in Mobility, KPIT is accelerating the transformation towards Software and AI-Defined Vehicles thr

[24]7.ai

[24]7.ai™ customer engagement solutions use conversational artificial intelligence to understand customer intent, enabling companies to create personalized, predictive, and effortless customer experiences across all channels; attract and retain customers; boost agent productivity and satisfaction; a

Thomson Reuters

Thomson Reuters (TSX/NDAQ: TRI) informs the way forward by bringing together the trusted content and technology that people and organizations need to make the right decisions. We serve professionals across legal, tax, accounting, compliance, government, and media. Our products combine highly special

NiCE is transforming the world with AI that puts people first. Our purpose-built AI-powered platforms automate engagements into proactive, safe, intelligent actions, empowering individuals and organizations to innovate and act, from interaction to resolution. Trusted by organizations throughout 150


Gainsight CyberSecurity News

December 16, 2025 08:00 AM
Top 10 Cyber-Attacks of 2025

The past year has seen an unprecedented number of cyber-attacks targeting large enterprises and globally recognized brands.

December 03, 2025 08:00 AM
The Week in Breach News: December 03, 2025

Salesforce-Gainsight breach impacts over 200 firms, London councils targeted and a major vendor's cyber incident exposes U.S. banks.

December 01, 2025 08:00 AM
Third-Party Breach Hits Salesforce via Gainsight App Integrations, Impacting Over 200 Organizations

Salesforce has confirmed another third-party breach affecting Gainsight applications integrated with customer instances, enabling attackers...

November 30, 2025 08:00 AM
Week in review: Fake “Windows Update” fuels malware, Salesforce details Gainsight breach

Here's an overview of some of last week's most interesting news, articles, interviews and videos: Quantum encryption is pushing satellite...

November 28, 2025 08:00 AM
Gainsight Verifies Token Breach Linked to Salesforce Advisory, Issues New IOCs

Gainsight, the leading customer success platform, has confirmed that a security incident involving its Salesforce integration compromised...

November 28, 2025 08:00 AM
Salesforce (CRM) Stock Before the Bell: AI Bets, Informatica Deal and Cybersecurity Risks – What to Watch on November 28, 2025

Salesforce (CRM) Stock Before the Bell: AI Bets, Informatica Deal and Cybersecurity Risks – What to Watch on November 28, 2025 - TechStock².

November 27, 2025 08:00 AM
Gainsight Expands Impacted Customer List Following Salesforce Security Alert

Gainsight widens its breach fallout as ShinyHunters push an AI-tuned ShinySp1d3r ransomware alliance.

November 26, 2025 08:00 AM
Gainsight CEO promises transparency as it responds to compromise of Salesforce integration

Gainsight CEO Chuck Ganapathi assured customers in a blog post published Tuesday that it was actively working with Salesforce and third-party...

November 26, 2025 08:00 AM
Gainsight CEO downplays breach, says only a 'handful' of customers had data stolen

Gainsight CEO Chuck Ganapathi downplayed the victim count related to his company's recent breach, saying he's only aware of "a handful of...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Gainsight CyberSecurity History Information

Official Website of Gainsight

The official website of Gainsight is https://www.gainsight.com.

Gainsight’s AI-Generated Cybersecurity Score

According to Rankiteo, Gainsight’s AI-generated cybersecurity score is 455, reflecting their Critical security posture.

How many security badges does Gainsight have ?

According to Rankiteo, Gainsight currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has Gainsight been affected by any supply chain cyber incidents ?

According to Rankiteo, Gainsight has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.

Does Gainsight have SOC 2 Type 1 certification ?

According to Rankiteo, Gainsight is not certified under SOC 2 Type 1.

Does Gainsight have SOC 2 Type 2 certification ?

According to Rankiteo, Gainsight does not hold a SOC 2 Type 2 certification.

Does Gainsight comply with GDPR ?

According to Rankiteo, Gainsight is not listed as GDPR compliant.

Does Gainsight have PCI DSS certification ?

According to Rankiteo, Gainsight does not currently maintain PCI DSS compliance.

Does Gainsight comply with HIPAA ?

According to Rankiteo, Gainsight is not compliant with HIPAA regulations.

Does Gainsight have ISO 27001 certification ?

According to Rankiteo, Gainsight is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Gainsight

Gainsight operates primarily in the Software Development industry.

Number of Employees at Gainsight

Gainsight employs approximately 1,099 people worldwide.

Subsidiaries Owned by Gainsight

Gainsight presently has no subsidiaries across any sectors.

Gainsight’s LinkedIn Followers

Gainsight’s official LinkedIn profile has approximately 158,852 followers.

NAICS Classification of Gainsight

Gainsight is classified under the NAICS code 5112, which corresponds to Software Publishers.

Gainsight’s Presence on Crunchbase

No, Gainsight does not have a profile on Crunchbase.

Gainsight’s Presence on LinkedIn

Yes, Gainsight maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/gainsight.

Cybersecurity Incidents Involving Gainsight

As of January 24, 2026, Rankiteo reports that Gainsight has experienced 4 cybersecurity incidents.

Number of Peer and Competitor Companies

Gainsight has an estimated 28,180 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Gainsight ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach.

How does Gainsight detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through the following measures:
  • Containment measures: token revocation (OAuth/refresh tokens), AppExchange removal, revoked OAuth tokens, removal of Gainsight apps from AppExchange, limited HubSpot/Zendesk connector functionality
  • Remediation measures: customer notifications, investigation, internal reviews by affected companies, token rotation
  • Communication strategy: direct customer notifications, public statement, public disclosure via media (Redazione RHC), no direct comment from Salesforce on specifics, public disclosure by CEO Chuck Ganapathi
  • Third-party assistance: Google Mandiant (threat intelligence)
  • Enhanced monitoring: Google Threat Intelligence Group analysis

Incident Details

Can you provide details on each incident ?

Incident : Data Breach

Title: Gainsight Unauthorized Salesforce Data Access via Stolen OAuth Tokens

Description: Gainsight applications enabled unauthorized access to Salesforce customer data due to stolen OAuth tokens linked to the August 2025 Salesloft breach. The threat actor group ShinyHunters exploited these tokens to exfiltrate Gainsight customer contact and licensing data. Salesforce revoked all active and refresh tokens associated with Gainsight-published apps and temporarily removed them from the AppExchange. The incident is a downstream effect of the Salesloft Drift breach, where 1.5 billion records (including passwords, AWS keys, and Snowflake tokens) were exfiltrated from 760 Salesforce instances by the Scattered Lapsus$ Hunters group.

Type: Data Breach

Attack Vector: Stolen OAuth Tokens, API Abuse, Supply Chain Attack

Vulnerability Exploited: Weak or Stolen OAuth Token Management (External App Connection to Salesforce)

Threat Actor: ShinyHunters, Scattered Lapsus$ Hunters

Motivation: Data Theft, Financial Gain (Potential Dark Web Sale), Reputation Damage

Incident : Data Breach

Title: Salesforce Data Breach: ShinyHunters Hack via Gainsight Integration

Description: The ShinyHunters group announced its involvement in a data breach affecting the Salesforce ecosystem, particularly through the compromise of Gainsight and Salesloft integrations. Attackers leveraged stolen OAuth tokens from Salesloft’s GitHub account to access enterprise customer data across multiple CRM-related services, including Gainsight, HubSpot, and Zendesk. Over 200 Salesforce instances were reportedly affected. Salesforce revoked access keys and removed Gainsight apps from the AppExchange as a response. The breach is linked to the UNC6240 (ShinyHunters) threat group, which claims to have evaded detection for weeks and is seeking internal accomplices.

Date Detected: 2025-11-24

Date Publicly Disclosed: 2025-11-24

Type: Data Breach

Attack Vector: Stolen OAuth Tokens, Third-Party Integration Exploitation (Drift, Gainsight), GitHub Account Compromise

Vulnerability Exploited: Weak OAuth Token Security, Third-Party Application Misconfiguration

Threat Actor: ShinyHunters, UNC6240

Motivation: Data Theft, Extortion, Financial Gain, Espionage

Incident : Data Breach

Title: Gainsight Data Breach Impacting Salesforce Customer Tokens

Description: A limited number of Gainsight clients had their data compromised following a breach of the customer management software firm's systems, which impacted Salesforce customer tokens.

Date Publicly Disclosed: 2025-11-26

Type: Data Breach

Incident : Data Breach

Title: Gainsight Data Breach Impacting Salesforce Customer Tokens

Description: A limited number of Gainsight clients had their data compromised following a breach of the customer management software firm's systems, which impacted Salesforce customer tokens.

Date Publicly Disclosed: 2025-11-26

Type: Data Breach

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Stolen OAuth Tokens (Salesloft Drift Integration), Compromised Salesloft GitHub Account, and Stolen OAuth Tokens for Drift Integration.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach GAI0292402112125

Systems Affected: Salesforce Instances (760 in Salesloft breach), Gainsight-published Applications

Operational Impact: Token Revocation, AppExchange Removal, Customer Notifications

Brand Reputation Impact: Loss of Trust, Negative Publicity

Identity Theft Risk: Business Contact Details Exposed

Incident : Data Breach GAI1122911112425

Systems Affected: Salesforce Instances (200+), Gainsight, Salesloft, Drift, HubSpot, Zendesk

Downtime: Temporary Disruption of Gainsight Apps on Salesforce AppExchange; Limited Functionality of HubSpot/Zendesk Connectors

Operational Impact: Revocation of Access Keys, Removal of Gainsight Apps from AppExchange, Internal Reviews by Affected Companies

Brand Reputation Impact: Potential Erosion of Trust in Salesforce Ecosystem; Negative Publicity for Gainsight, HubSpot, Zendesk

Identity Theft Risk: High (Enterprise Customer Data Exposed)

Incident : Data Breach GAI55104855112725

Systems Affected: Salesforce customer tokens

Incident : Data Breach GAI3653836120125

Systems Affected: Salesforce customer tokens

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Business Contact Details (Names, Emails, Phone Numbers), Licensing Information, Support Case Contents, Regional/Location Details, Passwords (Salesloft Breach), AWS Keys (Salesloft Breach), Snowflake Tokens (Salesloft Breach), Enterprise Customer Data, CRM Records, Integration Logs, and Salesforce Customer Tokens.

Which entities were affected by each incident ?

Incident : Data Breach GAI0292402112125

Entity Name: Gainsight

Entity Type: Customer Success Platform Provider

Industry: SaaS/Enterprise Software

Customers Affected: Hundreds (Potential)

Incident : Data Breach GAI0292402112125

Entity Name: Salesforce Customers (via Gainsight Apps)

Entity Type: B2B Enterprises, SaaS Users

Industry: Multiple (Salesforce Ecosystem)

Location: Global

Incident : Data Breach GAI0292402112125

Entity Name: Salesloft (Upstream Breach)

Entity Type: Sales Engagement Platform

Industry: SaaS

Customers Affected: 760 Salesforce Instances (1.5B Records Exfiltrated)

Incident : Data Breach GAI1122911112425

Entity Name: Salesforce

Entity Type: CRM Platform

Industry: Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Customers Affected: 200+ instances

Incident : Data Breach GAI1122911112425

Entity Name: Gainsight

Entity Type: Customer Success Platform

Industry: SaaS/Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: Salesloft

Entity Type: Sales Engagement Platform

Industry: SaaS/Technology

Location: Global (HQ: Atlanta, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: Drift

Entity Type: Conversational Marketing Platform

Industry: SaaS/Technology

Location: Global (HQ: Boston, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: HubSpot

Entity Type: CRM & Marketing Platform

Industry: SaaS/Technology

Location: Global (HQ: Cambridge, USA)

Size: Enterprise

Incident : Data Breach GAI1122911112425

Entity Name: Zendesk

Entity Type: Customer Service Platform

Industry: SaaS/Technology

Location: Global (HQ: San Francisco, USA)

Size: Enterprise

Incident : Data Breach GAI55104855112725

Entity Name: Gainsight

Entity Type: Customer Management Software Firm

Industry: Technology / SaaS

Customers Affected: Limited number of clients

Incident : Data Breach GAI55104855112725

Entity Name: Salesforce (indirectly impacted via tokens)

Entity Type: CRM Platform

Industry: Technology / Cloud Services

Incident : Data Breach GAI3653836120125

Entity Name: Gainsight

Entity Type: Customer Management Software Firm

Industry: Technology / SaaS

Customers Affected: Limited number of clients

Incident : Data Breach GAI3653836120125

Entity Name: Salesforce (indirectly impacted via tokens)

Entity Type: CRM Platform

Industry: Technology / Cloud Services

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach GAI0292402112125

Incident Response Plan Activated: True

Containment Measures: Token Revocation (OAuth/Refresh Tokens), AppExchange Removal

Remediation Measures: Customer Notifications, Investigation

Communication Strategy: Direct Customer Notifications, Public Statement

Incident : Data Breach GAI1122911112425

Incident Response Plan Activated: True

Third Party Assistance: Google Mandiant (Threat Intelligence).

Containment Measures: Revoked OAuth Tokens, Removed Gainsight Apps from AppExchange, Limited HubSpot/Zendesk Connector Functionality

Remediation Measures: Internal Reviews by Affected Companies, Token Rotation

Communication Strategy: Public Disclosure via Media (Redazione RHC), No Direct Comment from Salesforce on Specifics

Enhanced Monitoring: Google Threat Intelligence Group Analysis

Incident : Data Breach GAI55104855112725

Communication Strategy: Public Disclosure By: CEO Chuck Ganapathi.

Incident : Data Breach GAI3653836120125

Communication Strategy: Public Disclosure By: CEO Chuck Ganapathi.

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Google Mandiant (Threat Intelligence).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach GAI0292402112125

Type of Data Compromised: Business contact details (names, emails, phone numbers), Licensing information, Support case contents, Regional/location details, Passwords (Salesloft breach), AWS keys (Salesloft breach), Snowflake tokens (Salesloft breach)

Number of Records Exposed: 1.5 Billion (Salesloft Breach), Undisclosed (Gainsight Breach)

Sensitivity of Data: Moderate to High (Business PII, Credentials, API Keys)

Personally Identifiable Information: Business PII (Names, Emails, Phone Numbers)

Incident : Data Breach GAI1122911112425

Type of Data Compromised: Enterprise customer data, CRM records, Integration logs

Sensitivity of Data: High (Potential PII, Business-Critical CRM Data)

Personally Identifiable Information: Likely (Enterprise Customer Data)

Incident : Data Breach GAI55104855112725

Type of Data Compromised: Salesforce customer tokens

Sensitivity of Data: High (authentication tokens)

Incident : Data Breach GAI3653836120125

Type of Data Compromised: Salesforce customer tokens

Sensitivity of Data: High (authentication tokens)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Customer Notifications, Investigation, Internal Reviews by Affected Companies, Token Rotation.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through token revocation (OAuth/refresh tokens), AppExchange removal, revoked OAuth tokens, removed Gainsight apps from AppExchange, and limited HubSpot/Zendesk connector functionality.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Data Breach GAI0292402112125

Data Exfiltration: True

Incident : Data Breach GAI1122911112425

Data Exfiltration: True

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Data Breach GAI1122911112425

Lessons Learned: OAuth token security requires stricter rotation and monitoring; Third-party integrations introduce significant supply chain risks; Delayed detection (1–2 weeks) highlights gaps in anomaly monitoring; Collaboration with threat intelligence firms (e.g., Mandiant) is critical for attribution.

What recommendations were made to prevent future incidents ?

Incident : Data Breach GAI1122911112425

Recommendations: Implement multi-layered authentication for third-party OAuth tokens; Conduct regular audits of integration partners’ security postures; Enhance real-time monitoring for unauthorized access patterns; Establish clear incident response protocols for supply chain breaches; Publicly disclose breaches transparently to maintain customer trust.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: OAuth token security requires stricter rotation and monitoring; Third-party integrations introduce significant supply chain risks; Delayed detection (1–2 weeks) highlights gaps in anomaly monitoring; Collaboration with threat intelligence firms (e.g., Mandiant) is critical for attribution.

References

Where can I find more information about each incident ?

Incident : Data Breach GAI0292402112125

Source: TechRadar

Incident : Data Breach GAI0292402112125

Source: BleepingComputer

Incident : Data Breach GAI0292402112125

Source: Salesforce Public Announcement

Incident : Data Breach GAI1122911112425

Source: Redazione RHC

Date Accessed: 2025-11-24

Incident : Data Breach GAI55104855112725

Source: CyberScoop

Date Accessed: 2025-11-26

Incident : Data Breach GAI3653836120125

Source: CyberScoop

Date Accessed: 2025-11-26

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at TechRadar, BleepingComputer, Salesforce Public Announcement, Redazione RHC (Date Accessed: 2025-11-24), and CyberScoop (Date Accessed: 2025-11-26).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach GAI0292402112125

Investigation Status: Ongoing (Customer Notifications in Progress)

Incident : Data Breach GAI1122911112425

Investigation Status: Ongoing (Led by Google Mandiant)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Direct Customer Notifications, Public Statement, Public Disclosure via Media (Redazione RHC) and No Direct Comment from Salesforce on Specifics...

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach GAI0292402112125

Stakeholder Advisories: Direct Notifications To Affected Customers.

Customer Advisories: Revoked Tokens, App Removal from AppExchange

Incident : Data Breach GAI1122911112425

Stakeholder Advisories: Salesforce Revoked Access Keys, Gainsight/HubSpot/Zendesk Limited Connector Functionality.

Customer Advisories: No Direct Communication Mentioned

Incident : Data Breach GAI55104855112725

Customer Advisories: Disclosed By: CEO Chuck Ganapathi, Scope: Limited number of clients affected.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Direct Notifications to Affected Customers, Revoked Tokens, App Removal from AppExchange, Salesforce Revoked Access Keys, Gainsight/HubSpot/Zendesk Limited Connector Functionality, No Direct Communication Mentioned, Disclosed By: CEO Chuck Ganapathi, Scope: Limited number of clients affected.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach GAI0292402112125

Entry Point: Stolen OAuth Tokens (Salesloft Drift Integration)

High Value Targets: Salesforce Customer Data, Gainsight Licensing Data

Data Sold on Dark Web: Salesforce Customer Data, Gainsight Licensing Data

Incident : Data Breach GAI1122911112425

Entry Point: Compromised Salesloft GitHub Account, Stolen OAuth Tokens for Drift Integration

Reconnaissance Period: Several Months (Undetected for 1–2 Weeks Post-Intrusion)

High Value Targets: Salesforce CRM Data, Gainsight Customer Process Management Platform

Data Sold on Dark Web: Salesforce CRM Data, Gainsight Customer Process Management Platform

Incident : Data Breach GAI55104855112725

High Value Targets: Salesforce Customer Tokens

Data Sold on Dark Web: Salesforce Customer Tokens

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach GAI0292402112125

Root Causes: Weak OAuth Token Security (Salesloft), Supply Chain Vulnerability (Gainsight Apps Relying on Compromised Tokens), Insufficient API Access Controls

Incident : Data Breach GAI1122911112425

Root Causes: Inadequate OAuth Token Security in Third-Party Integrations (Drift, Gainsight); Lack of Real-Time Monitoring for Anomalous Access Patterns; Supply Chain Vulnerabilities via GitHub Account Compromise.

Corrective Actions: Token Revocation and Rotation Across Affected Systems; Removal of Vulnerable Apps from AppExchange; Engagement of Threat Intelligence (Mandiant) for Attribution.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Google Mandiant (Threat Intelligence), Google Threat Intelligence Group Analysis.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Token Revocation and Rotation Across Affected Systems; Removal of Vulnerable Apps from AppExchange; Engagement of Threat Intelligence (Mandiant) for Attribution.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the last incident were ShinyHunters, Scattered Lapsus$ Hunters, and UNC6240.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2025-11-24.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-11-26.

Impact of the Incidents

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Salesforce Instances (760 in Salesloft breach), Gainsight-published Applications, Salesforce Instances (200+), Gainsight, Salesloft, Drift, HubSpot, Zendesk, and Salesforce customer tokens.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Google Mandiant (Threat Intelligence).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Token Revocation (OAuth/Refresh Tokens), AppExchange Removal, Revoked OAuth Tokens, Removed Gainsight Apps from AppExchange, and Limited HubSpot/Zendesk Connector Functionality.

Data Breach Information

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.5B.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Collaboration with threat intelligence firms (e.g., Mandiant) is critical for attribution.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Enhance real-time monitoring for unauthorized access patterns; Establish clear incident response protocols for supply chain breaches; Conduct regular audits of integration partners’ security postures; Publicly disclose breaches transparently to maintain customer trust; and Implement multi-layered authentication for third-party OAuth tokens.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Salesforce Public Announcement, BleepingComputer, CyberScoop, TechRadar and Redazione RHC.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Customer Notifications in Progress).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Direct Notifications to Affected Customers, Salesforce Revoked Access Keys, Gainsight/HubSpot/Zendesk Limited Connector Functionality.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were Revoked Tokens, App Removal from AppExchange, No Direct Communication Mentioned, Disclosed By: CEO Chuck Ganapathi, Scope: Limited number of clients affected.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry point used by an initial access broker was Stolen OAuth Tokens (Salesloft Drift Integration).

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Several Months (Undetected for 1–2 Weeks Post-Intrusion).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were Weak OAuth Token Security (Salesloft); Supply Chain Vulnerability (Gainsight Apps Relying on Compromised Tokens); Insufficient API Access Controls; Inadequate OAuth Token Security in Third-Party Integrations (Drift, Gainsight); Lack of Real-Time Monitoring for Anomalous Access Patterns; Supply Chain Vulnerabilities via GitHub Account Compromise.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were Token Revocation and Rotation Across Affected Systems; Removal of Vulnerable Apps from AppExchange; Engagement of Threat Intelligence (Mandiant) for Attribution.

Latest Global CVEs (Not Company-Specific)

Description

Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Risk Information
cvss3
Base: 9.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Description

Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.

Risk Information
cvss3
Base: 9.8
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Azure Entra ID Elevation of Privilege Vulnerability

Risk Information
cvss3
Base: 9.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Description

Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0.

Risk Information
cvss4
Base: 2.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.

Risk Information
cvss3
Base: 8.0
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=gainsight' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.