Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Gainsight hit by network compromise

Incident
First reported
Last updated
Happening score
H score 10
1 unique sources, 1 articles

Summary

Hide ▲

Gainsight disclosed a customer-impacting unauthorized access incident in its Salesforce-connected applications, and the scope has expanded to more customers than first thought. Salesforce initially identified 3 impacted customers and later expanded the list on November 21, 2025, while Gainsight said only a handful are known to have had data affected. Salesforce revoked all associated access and refresh tokens, and downstream integrations were temporarily suspended to contain the event. Reconnaissance tied to the abuse was first recorded from 3.239.45[.]43 on October 23, 2025, with additional waves starting November 8.

Related Happenings

7-Eleven franchisee-docs and Salesforce data leak

Data Leak
First: 18.05.2026 14:25 Last: 18.05.2026 14:25 Sources 1

About this happening: **7-Eleven** confirmed a **April 8, 2026** intrusion into systems used to store **franchisee documents**, and **ShinyHunters** later claimed the theft of **more than 600,000 Sales...

Latest development: 26.05.2026 10:01

Have I Been Pwned analyzed the leaked 7-Eleven data and estimated that the breach exposed personal information for 185,300 people, including names, dates of birth, unique email addresses, phone numbers, and physical addresses. The exposed archive was tied to ShinyHunters' extortion campaign against 7-Eleven and followed the group's leak-site posting after ransom demands were not met.

Open Happening

West Pharmaceutical Services Inc. hit by data theft breach

Incident
First: 14.05.2026 01:23 Last: 14.05.2026 01:23 Sources 1

About this happening: West Pharmaceutical Services disclosed a **cyberattack** that **exfiltrated data** and **encrypted systems**, disrupting **global operations** and increasing recovery risk. The co...

Open Happening

Optimizely hit by network compromise

Incident
First: 23.02.2026 20:04 Last: 23.02.2026 20:04 Sources 1

About this happening: **Optimizely** confirmed a **voice-phishing breach** that exposed **basic business contact information**, creating a limited but real follow-on phishing risk. The intrusion touche...

Open Happening

ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps

Campaign
First: 21.11.2025 07:32 Last: 21.11.2025 07:32 Sources 1

How related: The development comes as Salesforce warned of detected "unusual activity" related to Gainsight-published applications connected to the platform, prompting the company to revoke all access and refresh tokens associated with them.

About this happening: The **ShinyHunters (UNC6240)** campaign targeting **Gainsight-published applications connected to Salesforce** is expanding a multi-organization SaaS integration abuse pattern tha...

Open Happening

Salesforce hit by network compromise

Incident
First: 20.11.2025 18:47 Last: 20.11.2025 18:47 Sources 1

About this happening: **Salesforce** revoked **refresh tokens** and temporarily removed **Gainsight-published applications** after detecting **unusual activity** that may have enabled **unauthorized ac...

Open Happening

Timeline

  1. 27.11.2025 09:03 1 articles · 6mo ago

    Reconaissance against Gainsight-connected access paths begins

    Exploitation Observed

    Salesforce recorded reconnaissance against customers with compromised Gainsight access tokens from 3.239.45[.]43 on October 23, 2025, marking the first observed probing of the Gainsight-Salesforce access path.

    Show sources
    Open in new tab
  2. 27.11.2025 09:03 1 articles · 6mo ago

    Additional unauthorized access waves extend the Gainsight activity

    Campaign Scope Update

    Additional waves of reconnaissance and unauthorized access against customers with compromised Gainsight access tokens started on November 8, 2025, indicating the activity continued beyond the initial probe and broadened in scope.

    Show sources
    Open in new tab
  3. 27.11.2025 09:03 2 articles · 6mo ago

    Gainsight and Salesforce expand the list of impacted customers

    Initial Disclosure

    Salesforce initially provided a list of 3 impacted customers and expanded it to a larger list as of November 21, 2025, while Gainsight said only a handful of customers were known to have had data affected and Salesforce revoked all access and refresh tokens for Gainsight-published applications. Gainsight also said read and write access from Salesforce was temporarily unavailable for Customer Success (CS), Community (CC), Northpass - Customer Education (CE), Skilljar (SJ), and Staircase (ST), with downstream integrations temporarily suspended by Zendesk, Gong.io, HubSpot, and Google taking precautionary action against callback URIs like gainsightcloud[.]com.

    Show sources
    Open in new tab