Cloud security is once again being put to the test. This time, the impact is hitting companies that use Gainsight integrations inside the Salesforce ecosystem. What started as a limited alert about suspicious activity quickly escalated into a much broader incident, with additional customers affected and a known cybercriminal group claiming responsibility.
If you or your company depend on Salesforce integrations, this case is a clear warning: even your most trusted tools can become entry points for attackers if a third-party provider is compromised. At TecnetOne, we break down what you need to know and how to protect yourself.
The Incident: What Started Small… Isn’t Small Anymore
Gainsight revealed that the initial list of three compromised customers—originally communicated by Salesforce—was incomplete. After November 21, 2025, the company confirmed that the number of affected clients has grown, though they did not disclose the exact figure.
Gainsight CEO Chuck Ganapathi attempted to reassure the public, stating that “only a handful of customers have data truly affected.” However, it is clear that the real impact is still being assessed.
The alert originated when Salesforce detected unusual activity from Gainsight-published applications connected to its platform. To contain the incident, Salesforce revoked all access and refresh tokens associated with those apps.
Soon after, the cybercriminal group ShinyHunters—also known as Bling Libra—claimed responsibility for the breach.
Domino Effect: Other Platforms Disconnect Gainsight
To minimize risk, several providers that depend on Gainsight immediately took action:
- Zendesk temporarily suspended its integration.
- Gong.io did the same.
- HubSpot disconnected from Gainsight and confirmed no compromise.
- Google disabled OAuth clients with callback URIs containing gainsightcloud[.]com.
This highlights a growing pattern: when one provider is compromised, dependent integrations react quickly to prevent a supply-chain-style cascade attack.
Which Gainsight Services Were Impacted?
Gainsight published a list of products whose read/write capabilities within Salesforce were temporarily suspended:
- Customer Success (CS)
- Community (CC)
- Northpass – Customer Education (CE)
- Skilljar (SJ)
- Staircase (ST)
Although Gainsight insisted Staircase had not been compromised, Salesforce cut its connection as a precaution while the investigation continues.
Indicators of Compromise: The First Clues
Salesforce and Gainsight both released IoCs related to the breach. One of the most notable was the user-agent:
“Salesforce-Multi-Org-Fetcher/1.0”
This same user-agent was seen in earlier activity linked to Salesloft Drift, suggesting shared tactics or tools among cybercriminal groups.
According to Salesforce:
- The earliest reconnaissance attempts came from IP 3.239.45[.]43 on October 23, 2025
- Additional waves of unauthorized access began on November 8
In practical terms: the attackers were active for weeks before detection and containment.
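The IoCs above are only useful if they are actually checked against your own Salesforce API activity. The following is an added example (not code from Salesforce, Gainsight or the original article) that scans a constructed, simplified EventLogFile-style CSV for the published user-agent and source IP and flags anything at or after the October 23, 2025 reconnaissance date; the column names and every log row are assumptions made up for the demonstration.

```python
import csv
import io
from datetime import datetime, timezone

# IoCs quoted in the article (defanging brackets removed so they match).
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
IOC_SOURCE_IP = "3.239.45.43"
# Earliest reconnaissance date reported by Salesforce.
RECON_START = datetime(2025, 10, 23, tzinfo=timezone.utc)

# Constructed sample in a simplified EventLogFile-like CSV layout
# (assumed column names; not a real export).
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,EVENT_TYPE,USER_ID,SOURCE_IP,USER_AGENT,CONNECTED_APP
2025-10-20T08:12:03Z,ApiEvent,005A1,203.0.113.10,Gainsight-Connector/2.3,Gainsight
2025-10-23T02:41:55Z,ApiEvent,005A1,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-10-23T02:42:10Z,BulkApi,005A1,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-08T11:05:30Z,ApiEvent,005B7,198.51.100.5,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-09T09:00:00Z,Login,005C2,203.0.113.10,Mozilla/5.0,
"""

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_ioc_hits(log_text: str) -> list:
    """Return rows matching the published IoCs, each annotated with why it matched."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["USER_AGENT"] == IOC_USER_AGENT:
            reasons.append("ioc-user-agent")
        if row["SOURCE_IP"] == IOC_SOURCE_IP:
            reasons.append("ioc-source-ip")
        if reasons:
            ts = parse_ts(row["TIMESTAMP_DERIVED"])
            hits.append({**row, "reasons": reasons, "in_window": ts >= RECON_START})
    return hits

def summarize(hits: list) -> dict:
    """Distinct users and days touched: the first numbers a responder needs for scoping."""
    return {
        "events": len(hits),
        "users": sorted({h["USER_ID"] for h in hits}),
        "days": sorted({h["TIMESTAMP_DERIVED"][:10] for h in hits}),
    }

if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    for h in hits:
        print(h["TIMESTAMP_DERIVED"], h["USER_ID"], h["SOURCE_IP"], ",".join(h["reasons"]))
    print(summarize(hits))
```

Any user that appears in the hit list is a candidate for the token revocation and password reset steps described later in the article, and every affected day should be pulled into the investigation timeline.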
What You Should Do as a Customer to Protect Your Environment
Gainsight issued several recommended defensive steps. If you use Salesforce or any cloud integration, you should implement them immediately:
1. Rotate all access keys
Including:
- S3 keys
- BigQuery credentials
- Zuora tokens
- Snowflake access
- Any connector used with Gainsight
2. Connect directly to Gainsight NXT
Avoid doing so through Salesforce until the integration is fully restored.
3. Reset passwords for NXT users
Especially those who do not use SSO.
4. Reauthorize all integrations and connected apps
Any tool that relies on tokens or credentials should receive new authorizations.
Gainsight clarified that these are preventive steps designed to protect customer environments during the ongoing investigation.
The Bigger Context: A Criminal Ecosystem Evolving Fast
This incident comes amid the rise of a new ransomware-as-a-service (RaaS) platform known as ShinySp1d3r (Sh1nySp1d3r), developed by an alliance between:
- Scattered Spider
- LAPSUS$
- ShinyHunters (SLSH)
According to ZeroFox, this alliance is behind over 51 cyberattacks in a single year.
More concerning than the number of attacks is the sophistication. ShinySp1d3r introduces techniques rarely seen in other RaaS operations:
- Hooks into EtwEventWrite to block Windows event logs
- Automatic termination of processes locking files to enable encryption
- Overwriting free disk space with random data to prevent recovery
- Targeting and encrypting shared network folders
- Lateral movement via SCM, WMI, and GPO
This combination shows that organized cybercrime is already operating with techniques once seen only from advanced APT groups.
Who Is Behind the Ransomware? A Human Twist No One Expected
Journalist Brian Krebs identified the ransomware’s developer as a core SLSH member known as “Rey” (@ReyXBF). He is one of the administrators of the group’s Telegram channel and previously ran BreachForums and the HellCat ransomware leak site.
His real identity: Saif Al-Din Khader.
Khader even claimed that ShinySp1d3r is a modified version of HellCat developed using AI-assisted tools. Most surprising of all: he says he has been cooperating with authorities since June 2025, raising the possibility of undercover operations or negotiated immunity.
What This Means for You: The Threat Isn’t Just in Your Systems—It’s in Your Providers
The Gainsight–Salesforce case highlights a growing reality:
Attackers aren’t just targeting you—they’re targeting your providers.
And if a provider falls, the breach can spread to:
- your users
- your data
- your automations
- your business-critical integrations
This is why, at TecnetOne, we emphasize the importance of:
- Third‑party risk assessments
- Integration security reviews
- OAuth permission auditing
- Frequent key and token rotation
- Behavioral monitoring across connected systems
Your chain is only as strong as the weakest link—and that weak link can easily be a provider you rarely examine.