Cyberwire Daily
Gainsight Cyber-Attack Affects More Salesforce Customers

By Team-CWD, November 27, 2025


The cyber-attack targeting Gainsight has affected more Salesforce customers than initially expected.

In a customer FAQ, first posted on November 20 and regularly updated since, the customer support platform provider said Salesforce initially provided a list of three customers impacted by the breach.

Gainsight later found that the number “has been expanded to a larger list.”

The firm has not confirmed how many customers this list now contains. However, Gainsight told Infosecurity that the company “promptly notified the handful of affected customers,” suggesting that the number of affected customers remains limited.

Those affected were also notified of the incident by Salesforce on November 21.

Precautionary Measures Affecting Gainsight Applications

In the FAQ, Gainsight listed products for which the ability to read and write from Salesforce is temporarily unavailable due to precautionary measures. These include:

  • Customer Success (CS)
  • Community (CC)
  • Northpass – Customer Education (CE)
  • Skilljar (SJ)
  • Staircase (ST) 

Gainsight emphasized that Salesforce removed the Staircase connection as a precautionary measure only and that there was no evidence that the application was affected by the breach.

“Staircase operates on a completely isolated and separate infrastructure from other Gainsight products, with no shared systems or data paths,” the company wrote.

Three additional companies, Gong.io, Zendesk and HubSpot, have also disabled their connectors to Gainsight applications “out of an abundance of caution.”

In a separate November 24 update, HubSpot stated that there is no evidence the company or its customers were affected by the attacks. However, as a precaution, its Gainsight integration will remain disabled until the investigation concludes.

Gainsight shares regular updates on its Gainsight Status site and hosts regular customer town halls, called Office Hours.

“We also have created solutions to help customers manage their Gainsight Customer Success instances while the Salesforce connected app remains offline,” the Gainsight spokesperson told Infosecurity.

Forensic Investigation Delivers Early Results

In a blog post addressing the incident, published on November 25, Gainsight’s CEO, Chuck Ganapathi, confirmed that Gainsight’s security, support, product, and customer success teams are working with Salesforce to investigate the incident.

Additionally, Gainsight has engaged Mandiant, Google Cloud’s incident response branch, to conduct an independent forensic investigation.

According to Salesforce’s indicators of compromise (IOCs), shared with customers and the public via the Gainsight FAQ, the first unauthorized access occurred on November 8 from an AT&T IP address and was allegedly used to conduct reconnaissance.

Salesforce then identified about twenty suspicious intrusions between November 16 and 23, which used a range of tools, including or and commercial VPN services (e.g. Mullvad, Surfshark).

Gainsight advised customers to restrict the identified IP addresses at the profile level.

The threat actors also leveraged Salesforce-Multi-Org-Fetcher/1.0, a technique observed in the Salesloft Drift attack.
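An added example (not from the article, Gainsight or Salesforce) of how a defender might sweep exported access logs for the indicators described above. The CSV column names, account names and sample rows are constructed, the networks are RFC 5737 placeholders standing in for the addresses published in the FAQ, and `Salesforce-Multi-Org-Fetcher/1.0` is assumed to appear in a user-agent field.

```python
import csv
import io
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# String named in the article's IOC summary (assumed to be a user-agent value).
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
# Placeholder networks (RFC 5737 documentation ranges); substitute the
# addresses published in the Gainsight FAQ.
IOC_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.17/32")]
# Review window: first access on November 8 through the last intrusion on November 23.
WINDOW = (datetime(2025, 11, 8, tzinfo=timezone.utc),
          datetime(2025, 11, 24, tzinfo=timezone.utc))

# Constructed sample export; the column names are assumptions, not a vendor schema.
SAMPLE_LOG = """\
timestamp,user,source_ip,user_agent
2025-11-07T23:10:00Z,svc-gainsight,203.0.113.9,Mozilla/5.0
2025-11-08T04:12:31Z,svc-gainsight,192.0.2.44,python-requests/2.32
2025-11-17T09:01:02Z,svc-gainsight,203.0.113.9,salesforce-multi-org-fetcher/1.0
2025-11-19T13:45:00Z,alice,not-an-ip,Mozilla/5.0
2025-11-20T18:30:10Z,svc-gainsight,198.51.100.17,Salesforce-Multi-Org-Fetcher/1.0
2025-11-25T08:00:00Z,svc-gainsight,192.0.2.44,Mozilla/5.0
"""

def hunt(log_text):
    """Return (timestamp, user, reasons) for rows matching an IOC in the window."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if not (WINDOW[0] <= ts < WINDOW[1]):
            continue
        reasons = []
        # Case-insensitive substring match so casing changes do not evade it.
        if IOC_USER_AGENT.lower() in row["user_agent"].lower():
            reasons.append("user_agent")
        try:
            addr = ip_address(row["source_ip"].strip())
            if any(addr in net for net in IOC_NETWORKS):
                reasons.append("source_ip")
        except ValueError:
            reasons.append("unparseable_ip")  # surface for manual review
        if reasons:
            hits.append((row["timestamp"], row["user"], reasons))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Rows outside the window are skipped here to mirror the article's timeline; widen `WINDOW` when the log retention allows a longer look-back.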

Gainsight said it has taken several steps to harden its environment, including rotating multifactor credentials used to access VPN and critical systems. 

Customers are being asked to:

  • Rotate their S3 keys as a precautionary measure
  • Log in to Gainsight NXT directly, rather than through Salesforce, until the Salesforce Connected App functionality is fully restored
  • Reset NXT user passwords for any users who do not authenticate via single sign-on (SSO)
  • Re-authorize any connected applications or integrations that rely on user credentials or tokens

Gainsight also recommended that users implement the preventative actions outlined by Google Threat Intelligence Group (GTIG) in September 2025 to mitigate the threat of the ShinyHunters-Scattered Spider-Lapsus$ collective.

Photo credits: Gainsight / JHVEPhoto / Shutterstock
