BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Gainsight Breach Wider Than Thought, Linked to ShinyHunters Ransomware

  • Gainsight reported that more customers were affected by the recent suspicious activity on its applications than initially identified.
  • Salesforce revoked all access and refresh tokens linked to Gainsight apps after detecting unusual activity.
  • The cybercrime group ShinyHunters (aka Bling Libra) claimed responsibility for the breach.
  • A new Ransomware-as-a-service platform named ShinySp1d3r is linked to the same actors involved in the Gainsight incident.
  • Customers are advised to follow security measures including rotating keys, resetting passwords, and reauthorizing connected apps.

Gainsight disclosed on November 27, 2025, that the suspicious activity affecting its applications impacted more customers than first reported. Initially, Salesforce listed three affected customers but has since expanded the list, though the exact number remains undisclosed. CEO Chuck Ganapathi stated that only a handful of customers had their data affected, according to the company’s update.

- Advertisement -

Salesforce detected unusual activity involving Gainsight-published applications connected to its platform. As a result, all access and refresh tokens were revoked. The breach was claimed by the cybercrime group ShinyHunters (also known as Bling Libra). Precautionary measures caused companies such as Zendesk, Gong.io, and HubSpot to suspend their Gainsight integrations temporarily, while Google disabled OAuth clients with callback URLs containing gainsightcloud[.]com. HubSpot reported no compromise to its systems or customers, detailed in their security advisory.

According to an FAQ released by Gainsight, the following products had their Salesforce read/write capabilities temporarily disabled: Customer Success (CS), Community (CC), Northpass – Customer Education (CE), Skilljar (SJ), and Staircase (ST). Gainsight clarified that Staircase was not affected, and Salesforce removed its connection out of caution during the ongoing investigation.

Both Salesforce and Gainsight have published indicators of compromise (IoCs), including the user agent string “Salesforce-Multi-Org-Fetcher/1.0,” linked to unauthorized access. Salesforce’s logs show reconnaissance efforts beginning from IP address “3.239.45[.]43” on October 23, 2025, with further unauthorized access waves starting November 8, as described in Salesforce’s security details.

Customers are recommended to secure their environments by rotating S3 bucket access keys and other connector credentials (e.g., BigQuery, Zuora, Snowflake), logging into Gainsight NXT directly rather than via Salesforce until integration is restored, resetting non-SSO user passwords, and reauthorizing all connected applications and integrations. Gainsight noted these steps are preventative while investigations continue.

- Advertisement -

The incident occurs amid the emergence of a ransomware-as-a-service (RaaS) platform called ShinySp1d3r, developed by the alliance of Scattered Spider, LAPSUS$, and ShinyHunters (SLSH). Data from ZeroFox indicates this group has conducted over 50 cyberattacks in the past year. ShinySp1d3r includes advanced functions like disabling Windows Event Viewer logging, terminating processes that block encryption, and overwriting deleted files with random data.

The ransomware can also search and encrypt open network shares and spread to other devices locally via deployViaSCM, deployViaWMI, and attemptGPODeployment techniques.

An independent Cybersecurity journalist, Brian Krebs, identified the ransomware’s developer as “Rey,” a core SLSH figure, who revealed that ShinySp1d3r is based on the HellCat ransomware, enhanced with Artificial Intelligence tools. Rey, whose real name is Saif Al-Din Khader, has reportedly cooperated with law enforcement since mid-2025, as reported in Krebs’s detailed article.

Palo Alto Networks Unit 42 researcher Matt Brady commented that the combination of ransomware and extortion-as-a-service offerings make SLSH a significant threat, with insider recruitment adding further risk layers, as outlined in Unit 42’s report.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Bitcoin Data Strong Amid Selling and Yield Fears

Despite a zero ByteTrend score, the Bitcoin network's weekly on-chain transaction value is $13.5...

Ohio County Paid $1M After Data Heist

Union County, Ohio, paid roughly $1 million in Bitcoin to the cyber group Kairos...

Bitcoin’s 2026 Outlook: Sideways Trading Before Any Big Rally

Bitcoin is currently trading between $58,000 and $62,000, a steep drop from its October...

North Korean PolinRider Hackers Publish 108 Malicious Packages

North Korean-linked threat actors, known as Contagious Interview, have expanded their PolinRider supply-chain campaign...

FatFs Flaws Let Malicious Media Hijack Millions of Devices

Seven vulnerabilities (CVE-2026-6682 to CVE-2026- 6688) were found in the widely used FatFs filesystem library,...

Must Read

Buy Domain With Bitcoin: Top 8 Domain Registrars That Accept Bitcoin And Crypto

You are here because you want to buy a domain with bitcoin, right? If you are looking for domain registrars that accept bitcoin or...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading