Gainsight CEO downplays breach, says only a 'handful' of customers had data stolen
(2025/11/26)
- Reference: 1764189451
- News link: https://www.theregister.co.uk/2025/11/26/gainsight_ceos_handful_customers_data_stolen/
Gainsight CEO Chuck Ganapathi downplayed the victim count related to his company's recent breach, saying he's only aware of "a handful of customers" who had their data affected after Salesforce flagged unusual activity involving Gainsight's connected app.
This contradicts what Google Threat Intelligence Group principal analyst Austin Larsen [1]told The Register last week: "GTIG is aware of more than 200 potentially affected Salesforce instances." Larsen also said ShinyHunters was "likely" behind the digital intrusion, which the [2]extortion crew later confirmed to The Register.
Google's Mandiant incident response team is assisting with the forensic investigation related to the breach.
Salesforce first disclosed the suspicious activity on November 19, and in response, revoked all access and refresh tokens associated with Gainsight-published applications connected to the CRM giant.
In a Tuesday update and subsequent blog post by Ganapathi, the company said its forensic analysis continues and its Salesforce integration remains disabled, with no word on when the connected app will be back online.
"While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected," Ganapathi [6]said. "Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them."
As of Wednesday, Gainsight was "[8]investigating login issues for a subset of customers using GSuite for SSO."
Gainsight did not respond to The Register's questions about the breach, including the discrepancy in affected customers and whether other connections were affected. In addition to Salesforce, the customer success platform integrates with several other CRMs, including HubSpot, as well as support tools like Zendesk.
Last week, both Zendesk and HubSpot revoked their connectors' access to Gainsight.
Salesforce did not respond to The Register's inquiries, including how many of its customers were affected by the Gainsight breach. Its [13]security advisory also includes a list of indicators of compromise that threat intel teams have linked to ShinyHunters, so network defenders should give those a close read.
"We know how critical Gainsight is to your daily operations, and we personally take the responsibility for ensuring you have access to our products," Ganapathi wrote in the Tuesday blog post, adding that since learning of the breach, his company has hosted town halls and established teams to help customers manage their customer success instances while the Salesforce connection remains offline.
"I will be sharing more details about this effort, including additional guidance and resources, on our Community page in the coming days," he said. ®
[1] https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
[2] https://www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/
[6] https://www.gainsight.com/blog/supporting-our-customers-and-community-an-update-on-the-recent-security-advisory-related-to-gainsight/
[8] https://status.gainsight.com/?_gl=1*118nhtj*_gcl_au*MjAyMzY5NzYxNS4xNzYzNjY1MzU2
[9] https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
[10] https://www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/
[11] https://www.theregister.com/2025/10/08/salesforce_refuses_to_pay_ransomware/
[12] https://www.theregister.com/2025/09/02/cloudflare_salesloft_drift_breach/
[13] https://help.salesforce.com/s/articleView?id=005229029&type=1
Anonymous Coward
He's from India. There are 1.5B people there. 1000000 would be 'a small number' to him.
Bullshit figures
IGotOut
It's like saying "Only one customer had their devices compromised", to only find the one customer is the NHS and a million or so people are affected.
That approach is disrespectful to the customers. It may only be a few percent of his customers but for each of those customers it's 100%.