Skip to main content
close search
site logo

Gainsight says additional applications put on hold after Salesforce customers breached

Zendesk and Hubspot have taken their integrations offline.

Published Nov. 24, 2025
David Jones's headshot
Reporter
Workers in a HubSpot office
Workers in an office with an orange wall behind depicting a view of the HubSpot logo. The company’s integration with Gainsight is on hold until an investigation into a supply chain attack involving Salesforce customers is concluded. Courtesy of HubSpot

Gainsight on Monday said connections to Zendesk and Hubspot have been temporarily paused following a supply chain attack targeting its integration with Salesforce. 

Last week, Salesforce launched an investigation into an attack targeting its connection with Gainsight, a software company that helps companies improve customer retention and efficiency. 

Researchers at Google Threat Intelligence Group last week said the ShinyHunters threat group is linked to more than 200 cases where Salesforce customer data may have been breached through the Gainsight connection. 

As the investigation moves forward, Salesforce revoked all active and refresh tokens that were linked to Gainsight-published applications. 

Multiple Gainsight products have been impacted, including Community - CC, Skilljar - SJ and Northpass - CE, according to an updated security post from Gainsight. The products remain operational, but they cannot currently read and write from Salesforce, according to the Gainsight post. 

Gainsight said that integrations to Gong have also been deactivated. 

Gainsight said it has taken several steps to harden its environment, including rotating multifactor credentials used to access VPN and critical systems. 

Customers are being asked to rotate their S3 keys as a precautionary measure. 

Hubspot said there is no evidence the company or Hubspot customers have been impacted by the attacks. However, its the Gainsight integration will remain deactivated until the investigation is complete. 

Mandiant, the incident response arm of GTIG, is conducting a forensic review of tokens, logs and Connector activity, according to Gainsight. 

Salesforce on Saturday reiterated that the attack appears to be linked to the app’s external connection to Salesforce and not any vulnerability in the Salesforce platform. Salesforce customers were previously targeted in an August attack using an integration with Salesloft Drift.

In October, hackers attempted to shake down Salesforce using data stolen in a couple of different campaigns, including the Salesloft Drift attacks. Salesforce said it would not submit to the demands.

Filed Under: Breaches, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
U.S. Businesses Call for Government Action to Protect Against AI Threat
From AND Digital
November 24, 2025
Nudge Security Raises $22.5M Series A to Secure Workforce AI and SaaS
From Nudge Security
November 18, 2025
Nudge Security logo
The Silent Majority of Exploits: When Cyber Defenders Are Blind to 88% of Real Attacks
From Jake Smiths
November 19, 2025
VISO TRUST Deepens Commitment to Customers with CEO Transition and New Customer Officer
From VISO TRUST
November 20, 2025
VISO TRUST logo
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.