The number of Salesforce customers affected by the recent compromise of Gainsight-published applications is yet to be publicly confirmed, but Salesforce released indicators of compromise (IoCs) and simultaneously shed some light on when the attack likely started.
The provided list includes IP addresses and User Agents, showing that the first reconnaissance and unauthorized access activity started on November 8.
The rest of the suspicious intrusions happened between November 16 and 23, from IP addresses associated with a variety of commercial VPN services, the Tor network, and AWS.
The malicious user agent strings included in the list are there because they are “not an expected user agent string used by Gainsight connected app”. One of them – Salesforce-Multi-Org-Fetcher/1.0 – was leveraged by the attackers for unauthorized access and was also observed in the Salesloft Drift attack.
Salesforce warned that additional IoCs may be yet discovered and published, and urged all customers to review logs for any unexpected activity related to the Gainsight connection to Salesforce.
“Salesforce’s revocation of the Gainsight application’s OAuth tokens does NOT delete your historical audit trails or hinder your ability to investigate this incident. All Setup Audit Trail entries, Event Monitoring logs, and API activity records remain intact and accessible,” the company said.
Gainsight has published an even longer list of IoC IP addresses, and confirmed that the right way to investigate a potential intrusion is to focus on the Salesforce logs, as they show authentication attempts and API calls originating from the Gainsight Connected App.
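The log review both vendors recommend can be scripted. The following is an added example, not code from Salesforce or Gainsight: it walks a CSV export of Salesforce log records, keeps only rows attributed to the Gainsight connected app, and flags those whose user agent is not one the legitimate app is known to send, whose source IP is on the published IoC lists, or that fall inside the November 8-23 activity window. The column names, the sample rows, the "expected" user agent and the IoC IPs are all constructed placeholders; only the Salesforce-Multi-Org-Fetcher/1.0 user agent comes from the advisory.

```python
"""Triage of a Salesforce log export for suspicious Gainsight connected-app activity.

Added example (not Salesforce's or Gainsight's code). The record layout and all
values below are constructed; map the columns to your own export (LoginHistory,
Event Monitoring, API activity) before use. The only real indicator here is the
user agent named in the advisory; the IoC IPs are TEST-NET placeholders.
"""
import csv
import io
from datetime import datetime, timezone

# Named in the advisory as not an expected user agent for the Gainsight connected app.
KNOWN_BAD_UA = {"Salesforce-Multi-Org-Fetcher/1.0"}
# Placeholders: replace with the IoC IP lists published by Salesforce and Gainsight.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
# Assumption: the team has established which user agent(s) the legitimate app sends.
EXPECTED_UAS = {"Gainsight-Connector/2.3 (constructed)"}
# Activity window described in the advisory: first access Nov 8, intrusions through Nov 23.
WINDOW = (datetime(2025, 11, 8, tzinfo=timezone.utc),
          datetime(2025, 11, 24, tzinfo=timezone.utc))

def triage(csv_text, connected_app="Gainsight"):
    """Return a list of (row, reasons) for records that warrant analyst review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["connected_app"] != connected_app:
            continue  # only traffic attributed to the Gainsight connected app matters here
        reasons = []
        ts = datetime.fromisoformat(row["timestamp"])
        if row["user_agent"] in KNOWN_BAD_UA:
            reasons.append("user agent matches published IoC")
        elif row["user_agent"] not in EXPECTED_UAS:
            reasons.append("user agent not expected for this connected app")
        if row["source_ip"] in IOC_IPS:
            reasons.append("source IP on IoC list")
        if reasons and WINDOW[0] <= ts < WINDOW[1]:
            reasons.append("inside Nov 8-23 activity window")
        if reasons:
            findings.append((row, reasons))
    return findings

# Constructed sample export: one benign row, two that should be flagged, one for another app.
SAMPLE = """timestamp,connected_app,source_ip,user_agent,event
2025-11-05T09:00:00+00:00,Gainsight,192.0.2.5,Gainsight-Connector/2.3 (constructed),API
2025-11-08T02:14:00+00:00,Gainsight,203.0.113.10,Salesforce-Multi-Org-Fetcher/1.0,Login
2025-11-17T22:41:00+00:00,Gainsight,198.51.100.7,python-requests/2.31,API
2025-11-17T23:00:00+00:00,OtherApp,198.51.100.7,python-requests/2.31,API
"""

if __name__ == "__main__":
    for row, reasons in triage(SAMPLE):
        print(row["timestamp"], row["source_ip"], row["user_agent"], "->", "; ".join(reasons))
```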
Customer advice from Gainsight
Salesforce has temporarily disabled the connection between all Gainsight-published applications and Salesforce.
The investigation into the compromise, conducted by Salesforce, Gainsight and Mandiant analysts, is still ongoing.
Gainsight says that, in the meantime, they have taken steps to further harden their environment, and advised customers to:
- Rotate the S3 bucket access keys used for connections with Gainsight.
- Log in to Gainsight NXT directly, rather than through Salesforce until the Salesforce Connected App functionality is fully restored.
- Reset NXT user passwords for any users who do not authenticate via SSO.
- Re-authorize any connected applications or integrations that rely on user credentials or tokens.
“Salesforce initially provided a list of 3 impacted customers which has (as of Nov 21) been expanded to a larger list,” a Gainsight employee confirmed. The company’s CEO Chuck Ganapathi says that they “presently know of only a handful of customers who had their data affected.”
Breach claimed by Shiny Hunters
Shiny Hunters, the cyber extortion collective that claimed responsibility for this attack and for the Salesloft Drift attack before it, claimed to have had access to Gainsight for nearly 3 months. (Gainsight was one of the victims of the Salesloft Drift attack.)
“At time of publication, Unit 42 had yet to identify any communications by the threat actors claiming to have leaked information related to their alleged Gainsight data theft campaign,” Palo Alto Networks threat researcher Matt Brady noted.
“However, they did post the following message to their Telegram channel on Nov. 24, 2025: ‘pretty sure the 2025 victim count by us in total is ~1.5k (1000 already publicly reported) and still increasing’.”