Gainsight Cyber-Attack Scope Widens to Impact Additional Salesforce Customers

The cyber-attack on Gainsight has impacted more Salesforce customers than initially reported, triggering security blocks.
By MDL.

Executive Summary

  • Gainsight confirms the cyber-attack has affected more Salesforce customers than the three initially reported.
  • Integrations for products including Customer Success and Northpass have been disabled as a precaution.
  • Third-party platforms like HubSpot and Zendesk have suspended connections to Gainsight.
  • Mandiant has been engaged for forensics; attackers used commercial VPNs and specific data-fetching tools.

A cyber-attack targeting the customer success platform Gainsight has affected a larger number of Salesforce customers than initially identified, prompting emergency security measures and an expanded forensic investigation. According to updated disclosures from Gainsight, the breach, which was first thought to be contained to three clients, has now been confirmed to impact a broader list of organizations utilizing the company’s software integrations.

Gainsight initially reported on November 20 that Salesforce had provided a list of three customers impacted by the security breach. However, in subsequent updates to a customer FAQ, the company acknowledged that the number of affected entities “has been expanded to a larger list.” While Gainsight has not released the specific number of additional victims, a spokesperson told Infosecurity Magazine that the company has “promptly notified the handful of affected customers,” indicating the total number remains relatively limited. Salesforce reportedly notified the affected parties directly on November 21.

In response to the intrusion, connections between several Gainsight applications and Salesforce have been temporarily disabled. Impacted products include Customer Success (CS), Community (CC), Northpass, Skilljar, and Staircase. Gainsight noted that Salesforce removed the Staircase connection strictly as a precautionary measure, stating there is currently no evidence that the Staircase application—which operates on isolated infrastructure—was compromised.

The incident has triggered a ripple effect across the SaaS ecosystem, with major platforms such as Gong.io, Zendesk, and HubSpot disabling their connectors to Gainsight applications out of an abundance of caution. In a November 24 update, HubSpot confirmed that while there is no evidence its own systems were affected, the integration will remain disabled until the investigation concludes. Gainsight CEO Chuck Ganapathi stated in a blog post that the company has engaged Mandiant, a Google Cloud incident response firm, to conduct an independent forensic investigation alongside Salesforce’s internal teams.

According to indicators of compromise (IOCs) shared by Salesforce, the attackers first gained unauthorized access on November 8 via an AT&T IP address to conduct reconnaissance. Approximately twenty suspicious intrusions were identified between November 16 and November 23, utilizing commercial VPN services and anonymizing tools. The threat actors reportedly relied on a tool identified in the IOCs as “Salesforce-Multi-Org-Fetcher/1.0”. Gainsight is currently advising customers to rotate API keys and credentials as the company works to harden its environment against the threat group, which shares tactics with the ShinyHunters-Scattered Spider-Lapsus$ collective.
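As an added illustration (not code from Gainsight, Salesforce or the original article), the following Python script shows how a defender could sweep an exported API/login log for the user-agent indicator quoted above and summarize which integration users and source addresses it touched, which helps scope the credential rotation Gainsight recommends. The CSV layout and every log row are constructed assumptions, not real Salesforce data.

```python
import csv
import io
from datetime import datetime

# Indicator string quoted from Salesforce's IOCs in the article.
SUSPECT_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"

# Constructed sample log extract. The column layout is an assumption made for
# this example; adapt the field names to your own export format.
SAMPLE_LOG = """timestamp,user,source_ip,user_agent,event
2025-11-08T03:12:44Z,integration@example.com,198.51.100.7,Salesforce-Multi-Org-Fetcher/1.0,API_QUERY
2025-11-10T09:01:02Z,alice@example.com,203.0.113.5,Mozilla/5.0,LOGIN
2025-11-17T22:47:10Z,integration@example.com,192.0.2.44,Salesforce-Multi-Org-Fetcher/1.0,API_BULK_EXPORT
2025-11-18T01:15:33Z,integration@example.com,192.0.2.91,Salesforce-Multi-Org-Fetcher/1.0,API_BULK_EXPORT
2025-11-19T14:00:00Z,bob@example.com,203.0.113.9,Mozilla/5.0,LOGIN
"""


def find_suspect_events(log_text, user_agent=SUSPECT_USER_AGENT):
    """Return every log row whose user_agent exactly matches the indicator."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [row for row in reader if row["user_agent"] == user_agent]


def summarize(hits):
    """Group hits per user: distinct source IPs, first/last seen, event count.

    The per-user view tells you which integration credentials to rotate first
    and how wide the time window for further log review needs to be.
    """
    summary = {}
    for row in hits:
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        entry = summary.setdefault(
            row["user"], {"ips": set(), "first": ts, "last": ts, "events": 0}
        )
        entry["ips"].add(row["source_ip"])
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["events"] += 1
    return summary


if __name__ == "__main__":
    for user, info in summarize(find_suspect_events(SAMPLE_LOG)).items():
        print(f"{user}: {info['events']} events from {len(info['ips'])} IPs, "
              f"{info['first']:%Y-%m-%d} to {info['last']:%Y-%m-%d}")
```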

Operational Security Analysis

This incident underscores the compounding risks associated with highly interconnected Software-as-a-Service (SaaS) environments, where a breach in one vendor can necessitate defensive shutdowns across multiple major platforms. The rapid preventative actions taken by third parties like HubSpot and Zendesk highlight a shift toward aggressive containment strategies in supply chain security. As forensic teams identify specific attack vectors such as the Salesforce-Multi-Org-Fetcher, the focus for corporate security leaders will likely shift toward stricter auditing of API permissions and cross-platform integrations to mitigate lateral movement during such breaches.
