Gainsight has confirmed that the recent suspicious activity involving its applications has affected more users than initially reported. The update follows a security alert issued by Salesforce regarding abnormal behavior linked to Gainsight published apps.
More Customers Affected Than First Reported
Salesforce originally identified three customers as impacted, but according to Gainsight, the list grew significantly as of November 21, 2025. The company did not disclose the exact number of victims. However, CEO Chuck Ganapathi stated that only a small number of customers experienced data exposure.
Salesforce Revokes Tokens After Detecting Unusual Activity
Salesforce reported detecting unusual behavior from applications published by Gainsight. In response, Salesforce revoked all access and refresh tokens associated with these applications. The incident was later claimed by the cybercrime group ShinyHunters, also known as Bling Libra.
Several companies have taken preventive actions. Zendesk, Gong.io, and HubSpot temporarily suspended their integrations with Gainsight. Google also disabled OAuth clients that used callback URLs on gainsightcloud[.]com. HubSpot added that it found no indication of compromise within its own systems or customer environments.
Temporary Restrictions on Several Gainsight Products
Gainsight listed the products that temporarily lost the ability to read and write Salesforce data:
- Customer Success (CS)
- Community (CC)
- Northpass, Customer Education (CE)
- Skilljar (SJ)
- Staircase (ST)
The company clarified that Staircase itself was not compromised. Salesforce disabled its connection only as a precaution during the ongoing investigation.
Indicators of Compromise Released
Both Salesforce and Gainsight released IoCs for customers. One notable indicator is the user agent string "Salesforce Multi Org Fetcher/1.0", which has been linked to unauthorized access attempts. The same string was previously observed in activity associated with Salesloft Drift.
Salesforce reported that reconnaissance attempts using compromised Gainsight access tokens began on October 23, 2025, originating from the IP address 3.239.45[.]43. Additional waves of unauthorized access started on November 8.
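As an added example (not from Salesforce, Gainsight, or the original article), the script below checks login-history style records against the two IoCs named above: the user agent string and the source IP, with the October 23, 2025 date used as the start of the reported activity window. The sample records are constructed for the example, and the field names (Username, SourceIp, Browser, LoginTime) are assumptions that mirror common Salesforce LoginHistory columns rather than an official schema; the IP is kept in its defanged form and refanged before matching so the published IoC text can be pasted in unchanged.

```python
"""Match login-history style records against the Gainsight-related IoCs.

Sample records below are constructed for this example. Field names are
assumptions modelled on Salesforce LoginHistory columns, not an official schema.
"""
import json
import re
from datetime import datetime, timezone

# IoCs as published; the IP is kept defanged exactly as it appears in advisories.
IOC_USER_AGENT = "Salesforce Multi Org Fetcher/1.0"
IOC_SOURCE_IP_DEFANGED = "3.239.45[.]43"
# Earliest reconnaissance date reported by Salesforce (2025-10-23).
ACTIVITY_START = datetime(2025, 10, 23, tzinfo=timezone.utc)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


IOC_SOURCE_IP = refang(IOC_SOURCE_IP_DEFANGED)

# Constructed sample records (not real logs): one benign login, one matching
# both IoCs, one matching the user agent only, one matching the IP before the window.
SAMPLE_LOGINS_JSONL = """\
{"Username": "alice@example.com", "SourceIp": "198.51.100.7", "Browser": "Mozilla/5.0 (Windows NT 10.0)", "LoginTime": "2025-11-09T08:12:00Z", "Status": "Success"}
{"Username": "gainsight-integration@example.com", "SourceIp": "3.239.45.43", "Browser": "Salesforce Multi Org Fetcher/1.0", "LoginTime": "2025-10-23T02:41:10Z", "Status": "Success"}
{"Username": "gainsight-integration@example.com", "SourceIp": "203.0.113.88", "Browser": "Salesforce Multi Org Fetcher/1.0", "LoginTime": "2025-11-08T23:05:44Z", "Status": "Success"}
{"Username": "bob@example.com", "SourceIp": "3.239.45.43", "Browser": "Mozilla/5.0 (Macintosh)", "LoginTime": "2025-09-30T10:00:00Z", "Status": "Success"}
"""


def load_jsonl(text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def match_record(rec: dict) -> list:
    """Return the names of the IoCs a single record matches (possibly empty)."""
    hits = []
    if rec.get("Browser", "").strip() == IOC_USER_AGENT:
        hits.append("user_agent")
    if rec.get("SourceIp") == IOC_SOURCE_IP:
        hits.append("source_ip")
    return hits


def scan_logins(records: list) -> list:
    """Return a finding for every record that matches at least one IoC.

    in_reported_window marks logins on or after the reported start date;
    an IP-only hit before that date is worth reviewing but is a weaker signal.
    """
    findings = []
    for rec in records:
        hits = match_record(rec)
        if not hits:
            continue
        findings.append({
            "username": rec.get("Username"),
            "source_ip": rec.get("SourceIp"),
            "login_time": rec["LoginTime"],
            "matched": hits,
            "in_reported_window": parse_time(rec["LoginTime"]) >= ACTIVITY_START,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_logins(load_jsonl(SAMPLE_LOGINS_JSONL)):
        print(json.dumps(finding))
```

Exporting the real LoginHistory object (or the equivalent from a SIEM) as JSON lines and feeding it to `scan_logins` is the intended use; any match on the user agent string inside the window should be treated as a confirmed hit, while the IP alone warrants a review of what that session touched.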
Recommended Steps for Customers
To strengthen security during the investigation, Gainsight recommended the following actions:
- Rotate S3 bucket access keys and other connectors like BigQuery, Zuora, and Snowflake.
- Sign in to Gainsight NXT directly rather than through Salesforce until services return to normal.
- Reset passwords for NXT users who do not authenticate through SSO.
- Re-authorize any connected applications that depend on tokens or user credentials.
Gainsight emphasized that these steps are strictly precautionary.
New Ransomware Platform Linked to the Attackers
The situation has escalated as researchers track a new ransomware-as-a-service framework named ShinySp1d3r or Sh1nySp1d3r. It is reportedly being developed by members of Scattered Spider, LAPSUS$, and ShinyHunters (SLSH). ZeroFox data shows that this alliance has executed at least 51 cyberattacks within a year.
ShinySp1d3r includes several advanced features, for example:
- Intercepting the EtwEventWrite function, which prevents events from being logged to the Windows Event Viewer
- Killing processes that keep files open to ensure encryption proceeds
- Filling unused disk space with random data in a temp file to overwrite previously deleted data
- Searching for open network shares and encrypting them
- Spreading inside networks using deployViaSCM, deployViaWMI, and attemptGPODeployment
Developer of ShinySp1d3r Allegedly Identified
Cybersecurity reporter Brian Krebs published information that the developer of the ransomware is a core SLSH member known as Rey (aka @ReyXBF). His identity has been revealed as Saif Al Din Khader. Rey claims ShinySp1d3r is a modified version of HellCat ransomware built with the assistance of artificial intelligence. He also claims he has been cooperating with law enforcement since June 2025.
Experts warn that the combination of ransomware services and extortion services makes SLSH highly dangerous. According to Matt Brady from Palo Alto Networks Unit 42, the group can target organizations through multiple monetization channels, and their practice of recruiting insiders increases the risk for companies.