Overview
- Gainsight says Salesforce’s initial list of three impacted customers expanded, yet its CEO maintains only a handful have confirmed data theft.
- Google Threat Intelligence Group reported awareness of more than 200 potentially affected Salesforce instances, underscoring uncertainty over the true scale.
- Salesforce disabled Gainsight-published app connections, revoked all related tokens, and released indicators of compromise detailing activity from at least November 8 through November 23.
- Gainsight engaged Mandiant to lead forensic work, while vendors including HubSpot, Zendesk, and Gong.io paused integrations as a precaution and reported no evidence of impact to their own systems.
- Customers are urged to reauthorize integrations, rotate credentials such as S3 keys, reset non-SSO passwords, restrict listed IPs, and focus investigations on Salesforce audit and API logs.
- Researchers link the activity to ShinyHunters.