Gainsight CEO downplays breach, says only a ‘handful’ of customers had data stolen
Gainsight CEO Chuck Ganapathi downplayed the victim count related to his company’s recent breach, saying he’s only aware of “a handful of customers” who had their data affected after Salesforce flagged unusual activity involving Gainsight’s connected app.
This contradicts what Google Threat Intelligence Group principal analyst Austin Larsen told The Register last week: “GTIG is aware of more than 200 potentially affected Salesforce instances.” Larsen also said ShinyHunters was “likely” behind the digital intrusion, which the extortion crew later confirmed to The Register.
Google’s Mandiant incident response team is assisting with the forensic investigation related to the breach.
Salesforce first disclosed the suspicious activity on November 19, and in response, revoked all access and refresh tokens associated with Gainsight-published applications connected to the CRM giant.
In a Tuesday update and subsequent blog post by Ganapathi, the company said its forensic analysis continues and its Salesforce integration remains disabled, with no word on when the connected app will be back online.
“While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Ganapathi said. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”
As of Wednesday, Gainsight was “investigating login issues for a subset of customers using GSuite for SSO.”
Gainsight did not respond to The Register’s questions about the breach, including the discrepancy in affected customers and whether other connections were affected. In addition to Salesforce, the customer success platform integrates with several other CRMs, including HubSpot, as well as support tools like Zendesk.
Last week, both Zendesk and HubSpot revoked their connectors’ access to Gainsight.
Salesforce did not respond to The Register’s inquiries, including how many of its customers were affected by the Gainsight breach. Its security advisory also includes a list of indicators of compromise that threat intel teams have linked to ShinyHunters, so network defenders should give those a close read.
“We know how critical Gainsight is to your daily operations, and we personally take the responsibility for ensuring you have access to our products,” Ganapathi wrote in the Tuesday blog post, adding that since learning of the breach, his company has hosted town halls and established teams to help customers manage their customer success instances while the Salesforce connection remains offline.
“I will be sharing more details about this effort, including additional guidance and resources, on our Community page in the coming days,” he said. ®
