
Gainsight Breach Wider Than Thought, Linked to ShinyHunters Ransomware

  • Gainsight reported that more customers were affected by the recent suspicious activity on its applications than initially identified.
  • Salesforce revoked all access and refresh tokens linked to Gainsight apps after detecting unusual activity.
  • The cybercrime group ShinyHunters (aka Bling Libra) claimed responsibility for the breach.
  • A new ransomware-as-a-service platform named ShinySp1d3r is linked to the same actors involved in the Gainsight incident.
  • Customers are advised to follow security measures including rotating keys, resetting passwords, and reauthorizing connected apps.

Gainsight disclosed on November 27, 2025, that the suspicious activity affecting its applications impacted more customers than first reported. Initially, Salesforce listed three affected customers but has since expanded the list, though the exact number remains undisclosed. CEO Chuck Ganapathi stated that only a handful of customers had their data affected, according to the company’s update.

Salesforce detected unusual activity involving Gainsight-published applications connected to its platform. As a result, all access and refresh tokens were revoked. The breach was claimed by the cybercrime group ShinyHunters (also known as Bling Libra). As a precaution, companies such as Zendesk, Gong.io, and HubSpot temporarily suspended their Gainsight integrations, while Google disabled OAuth clients with callback URLs containing gainsightcloud[.]com. HubSpot reported no compromise to its systems or customers, as detailed in its security advisory.

According to an FAQ released by Gainsight, the following products had their Salesforce read/write capabilities temporarily disabled: Customer Success (CS), Community (CC), Northpass – Customer Education (CE), Skilljar (SJ), and Staircase (ST). Gainsight clarified that Staircase was not affected, and Salesforce removed its connection out of caution during the ongoing investigation.

Both Salesforce and Gainsight have published indicators of compromise (IoCs), including the user agent string “Salesforce-Multi-Org-Fetcher/1.0”, which is linked to unauthorized access. Salesforce’s logs show reconnaissance efforts beginning from IP address “3.239.45[.]43” on October 23, 2025, with further unauthorized access waves starting November 8, as described in Salesforce’s security details.
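A sketch of how a defender might sweep exported login or API logs for the two indicators quoted above. This is an added example, not code from Salesforce or Gainsight; the CSV column names and the sample rows are constructed for illustration and do not reflect a Salesforce log schema.

```python
import csv
import io
from datetime import date

# IoCs as quoted in the article (the IP is written defanged there).
IOC_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"
IOC_IPS = {"3.239.45[.]43".replace("[.]", ".")}
RECON_START = date(2025, 10, 23)  # first reconnaissance date given in the article

# Constructed sample export; column names are assumptions.
SAMPLE_LOG = """timestamp,source_ip,user_agent,username
2025-10-22T09:14:02Z,198.51.100.7,Mozilla/5.0,alice@example.com
2025-10-23T02:41:55Z,3.239.45.43,python-requests/2.31,integration@example.com
2025-11-08T17:03:10Z,203.0.113.20,Salesforce-Multi-Org-Fetcher/1.0,integration@example.com
2025-11-09T08:00:00Z,198.51.100.7,salesforce-multi-org-fetcher/1.0 (x64),bob@example.com
2025-11-10T11:22:33Z,13.239.45.43,Mozilla/5.0,carol@example.com
"""

def find_ioc_hits(log_text):
    """Return (timestamp, username, reasons) for every row matching an IoC."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        # Exact comparison, so 13.239.45.43 is not a false positive.
        if row["source_ip"].strip() in IOC_IPS:
            reasons.append("ip")
        # Case-insensitive substring match tolerates suffixes appended to the UA.
        if IOC_USER_AGENT.lower() in row["user_agent"].lower():
            reasons.append("user_agent")
        if not reasons:
            continue
        # Hits older than the reported start date suggest a wider window to review.
        if date.fromisoformat(row["timestamp"][:10]) < RECON_START:
            reasons.append("before_reported_window")
        hits.append((row["timestamp"], row["username"], reasons))
    return hits

if __name__ == "__main__":
    for ts, user, reasons in find_ioc_hits(SAMPLE_LOG):
        print(ts, user, ",".join(reasons))
```

Matching either indicator alone is deliberate: the user agent can appear from addresses other than the one published, and the address can appear with a different client string.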

Customers are recommended to secure their environments by rotating S3 bucket access keys and other connector credentials (e.g., BigQuery, Zuora, Snowflake), logging into Gainsight NXT directly rather than via Salesforce until integration is restored, resetting non-SSO user passwords, and reauthorizing all connected applications and integrations. Gainsight noted these steps are preventative while investigations continue.

The incident occurs amid the emergence of a ransomware-as-a-service (RaaS) platform called ShinySp1d3r, developed by the alliance of Scattered Spider, LAPSUS$, and ShinyHunters (SLSH). Data from ZeroFox indicates this group has conducted over 50 cyberattacks in the past year. ShinySp1d3r includes advanced functions like disabling Windows Event Viewer logging, terminating processes that block encryption, and overwriting deleted files with random data.

The ransomware can also search and encrypt open network shares and spread to other devices locally via deployViaSCM, deployViaWMI, and attemptGPODeployment techniques.

Independent cybersecurity journalist Brian Krebs identified the ransomware’s developer as “Rey,” a core SLSH figure, who revealed that ShinySp1d3r is based on the HellCat ransomware, enhanced with artificial intelligence tools. Rey, whose real name is Saif Al-Din Khader, has reportedly cooperated with law enforcement since mid-2025, as reported in Krebs’s detailed article.

Palo Alto Networks Unit 42 researcher Matt Brady commented that the combination of ransomware and extortion-as-a-service offerings makes SLSH a significant threat, with insider recruitment adding further layers of risk, as outlined in Unit 42’s report.
