Salesforce Reveals Gainsight Breach Details and Investigation Steps

Summary
– Salesforce customers were affected by a compromise of Gainsight applications, with initial unauthorized access likely beginning on November 8.
– Suspicious activity occurred between November 16 and 23 from IP addresses linked to commercial VPN services, Tor, and AWS, using unexpected user agent strings.
– Salesforce revoked Gainsight’s OAuth tokens but preserved audit trails, and customers are urged to review logs for unexpected activity.
– Gainsight and Salesforce are investigating, with temporary disconnection of the apps and customer advice to rotate keys and reset passwords.
– The Shiny Hunters group claimed the attack, alleging access for nearly three months, but no leaked data has been confirmed yet.
Salesforce has disclosed new details regarding a security incident involving applications published by Gainsight, providing customers with critical indicators of compromise and urging immediate log reviews. While the exact number of affected organizations remains unconfirmed, the company has shared information suggesting that initial unauthorized access likely began on November 8. Further suspicious activity was detected between November 16 and 23, originating from IP addresses linked to commercial VPN services, the Tor network, and Amazon Web Services.
The list of indicators includes specific IP addresses and unusual User Agent strings. One such string, “Salesforce-Multi-Org-Fetcher/1.0,” was flagged as unexpected for a Gainsight-connected application and has previously been associated with malicious activity in the Salesloft Drift attack. Salesforce has cautioned that additional indicators may be identified and released as the investigation continues.
Importantly, the company clarified that revoking the Gainsight application’s OAuth tokens does not impair an organization’s ability to investigate: all historical audit trails, Event Monitoring logs, and API activity records remain fully accessible for forensic analysis. Gainsight has also published its own, more extensive list of suspect IP addresses and says the most effective investigation method is to review Salesforce logs for authentication attempts and API calls made by the Gainsight Connected App, comparing source IPs and user agents against the published indicators.
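The log review described above, as an added example that is not part of the article or of Salesforce's or Gainsight's published tooling: it filters a constructed, simplified login/API export down to rows attributed to the Gainsight connected app and flags rows whose user agent is either the string the article names or simply not one the integration normally presents, or whose source IP falls in a watchlisted network. The column names, the "expected" user agent, and the 198.51.100.0/24 watchlist (an RFC 5737 documentation range) are assumptions for the example and are not the published indicators; substitute the IP lists from Salesforce and Gainsight and your own pre-incident baseline.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed sample export. The column names are a simplified assumption for
# this example, not Salesforce's exact LoginHistory / Event Monitoring schema.
SAMPLE_LOG = """timestamp,application,client_ip,user_agent,status,api_call
2025-11-10T09:12:00Z,Gainsight NXT,203.0.113.10,GainsightConnector/2.4,Success,query
2025-11-17T02:41:13Z,Gainsight NXT,198.51.100.23,Salesforce-Multi-Org-Fetcher/1.0,Success,query
2025-11-19T14:05:44Z,Gainsight NXT,192.0.2.77,python-requests/2.31,Success,describeGlobal
2025-11-21T23:59:02Z,Gainsight NXT,203.0.113.10,GainsightConnector/2.4,Success,query
2025-11-25T08:00:00Z,Gainsight NXT,198.51.100.23,Salesforce-Multi-Org-Fetcher/1.0,Success,query
2025-11-18T11:30:00Z,Salesforce for iOS,203.0.113.55,SalesforceMobileSDK/11.0,Success,query
"""

# The one user agent the article names as unexpected for a Gainsight-connected app.
KNOWN_BAD_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0"}
# What the integration normally presents: an assumption for this example; take
# the real baseline from your own pre-November logs.
EXPECTED_USER_AGENTS = {"GainsightConnector/2.4"}
# Placeholder watchlist using an RFC 5737 documentation range. Replace with the
# IP lists published by Salesforce and Gainsight; this is NOT one of their indicators.
WATCHLIST_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Window the article gives: initial access around Nov 8, activity through Nov 23.
WINDOW_START = datetime(2025, 11, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 11, 23, 23, 59, 59, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(log_text, app_name="Gainsight NXT"):
    """Return one finding per suspicious row attributed to the connected app.

    A row is suspicious if its user agent is known-bad or simply not one the
    integration normally uses, or if its source IP falls in a watchlisted
    network. Rows outside the published window are still reported (the
    attacker claims a longer dwell time) but flagged as out-of-window.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["application"] != app_name:
            continue  # only traffic attributed to the Gainsight connected app
        reasons = []
        ua = row["user_agent"]
        if ua in KNOWN_BAD_USER_AGENTS:
            reasons.append("known-bad user agent")
        elif ua not in EXPECTED_USER_AGENTS:
            reasons.append("unexpected user agent")
        ip = ipaddress.ip_address(row["client_ip"])
        if any(ip in net for net in WATCHLIST_NETWORKS):
            reasons.append("source IP on watchlist")
        if not reasons:
            continue
        ts = parse_ts(row["timestamp"])
        findings.append({
            "timestamp": row["timestamp"],
            "client_ip": row["client_ip"],
            "user_agent": ua,
            "api_call": row["api_call"],
            "reasons": reasons,
            "in_window": WINDOW_START <= ts <= WINDOW_END,
        })
    return findings


def suspect_ips(findings):
    """Distinct source IPs to pivot on across other apps, users and orgs."""
    return sorted({f["client_ip"] for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        flag = "" if f["in_window"] else " [outside published window]"
        print(f"{f['timestamp']} {f['client_ip']} {f['user_agent']}: "
              f"{', '.join(f['reasons'])}{flag}")
    print("Pivot on:", suspect_ips(results))
```

The baseline check matters as much as the indicator match: a connected app's traffic should be uniform, so any user agent the integration has never used before is worth a look even when it is not on a published list, and the IPs from those rows should then be searched across every other login and API record in the org, not just the Gainsight app's.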
In response to the breach, Salesforce has temporarily disabled the connection linking all Gainsight-published applications to its platform. The investigation is a collaborative effort involving analysts from Salesforce, Gainsight, and the cybersecurity firm Mandiant.
For customers, Gainsight has issued several recommended actions. These include rotating the S3 bucket access keys used for connections to its platform. Users are advised to log into Gainsight NXT directly rather than through Salesforce until the connected app functionality is fully restored. The company also recommends resetting NXT user passwords for any accounts not using single sign-on (SSO) and re-authorizing any connected applications or integrations that depend on user credentials or tokens.
Regarding the scope, a Gainsight employee confirmed that the list of impacted customers has grown from an initial three to a larger group. The company’s CEO, Chuck Ganapathi, stated that they currently “know of only a handful of customers who had their data affected.”
The cyber extortion group known as Shiny Hunters has claimed responsibility for this attack, as well as the prior Salesloft Drift incident. They allege they had access to Gainsight systems for nearly three months. However, Matt Brady, a threat researcher with Palo Alto Networks’ Unit 42, noted that as of publication, no communications from the threat actors had been identified claiming the leak of information stolen from Gainsight. The group did post a message on their Telegram channel on November 24, 2025, boasting that their total victim count for the year was approximately 1,500 and still increasing.
(Source: HelpNet Security)