Gainsight disabled its Salesforce, HubSpot, and Zendesk connections after the ShinyHunters group breached the firm, potentially exposing over 200 customer records.
Gainsight, a customer retention and efficiency software company, announced it has temporarily paused connections to both Zendesk and HubSpot following a high-profile supply chain attack targeting its integration with Salesforce.
The attack, which Google Threat Intelligence Group links to the ShinyHunters threat group, has potentially compromised data from over 200 Salesforce customer instances connected through the Gainsight application. This follows a similar attack in August that targeted the Salesloft Drift integration.
Salesforce launched its own investigation last week and, as a security precaution, has revoked all active and refresh tokens linked to Gainsight-published applications. This action has impacted several Gainsight products, including Community, Skilljar, and Northpass, which can no longer read or write data from the Salesforce platform. Integrations with Gong have also been deactivated.
Salesforce has consistently maintained that the incident does not stem from a vulnerability within its core platform but rather from the app’s external connection.
Containment and Forensics
Gainsight has engaged Mandiant, the incident response arm of Google’s threat intelligence group, to conduct a forensic review of logs, tokens, and connector activity. The firm has taken internal steps to harden its environment, including rotating multi-factor credentials for critical systems, and has asked customers to rotate their S3 keys as a precautionary measure.
HubSpot confirmed that while its own infrastructure shows no evidence of compromise, its integration with Gainsight will remain deactivated until the investigation is complete.
The attacks highlight the growing risk of supply chain compromise in the Software-as-a-Service (SaaS) ecosystem, where a single breach in a third-party application can provide unauthorized access to data across numerous trusted customer environments. The ShinyHunters group has previously attempted to extort Salesforce using data stolen in earlier campaigns.


