
FINRA Cybersecurity Alert – Salesforce Gainsight Security Incident

Potential Impact: All Firms

FINRA member firms should be aware of a security incident involving Gainsight, a customer success and customer management platform that integrates with Salesforce CRM. Given the third- and fourth-party risk the incident poses to member firms, FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel as well as with any third-party vendors that may also leverage the services of Gainsight.

Summary

Threat actor group ShinyHunters[1] claims to have used compromised Gainsight tokens to access data of hundreds of organizations, and shared screenshots of data allegedly from internal systems of major tech companies. Salesforce confirmed the breach resulted in unauthorized access to sensitive data about its customers between Oct. 23 and Nov. 19, 2025.

Salesforce claims the issue was not related to any vulnerability in the Salesforce platform itself, but rather stemmed from compromised connections between the Gainsight application and Salesforce. Salesforce has since re-enabled integrations with Gainsight, and Gainsight has stated that it has identified compromised customer tokens and has notified the impacted customers to provide support.

Member firms should be aware that if they or a third-party vendor use Salesforce, their data could have been accessed or exfiltrated if they had an active Gainsight integration during the above-stated timeframe. Similar to the 2025 attack campaign involving the third-party platform Salesloft Drift,[2] the stolen data could be used to target member firm customers.

Note: FINRA contacted firms that indicated through FINRA’s Third-Party Vendor Questionnaire a vendor relationship with Gainsight (via a fourth-party relationship to Gainsight through member firms’ technology stack), or that FINRA identified as having a potential technology link with the vendor.

Recommendation to Protect Your Firm

To protect against this threat, FINRA recommends member firms discuss with their critical technology vendors whether they have been impacted by the incident, and if so, determine whether the firm’s data are potentially impacted and what steps the vendor has taken to remediate and contain the incident.

Member firm vendors that use Gainsight are encouraged to take immediate steps to protect their environments.[3]

  • Audit Logs: Conduct a forensic review of Salesforce login history and API usage logs for the Gainsight integration user from Oct. 23, 2025, through Nov. 20, 2025.[4][5] Specifically, look for:
     
    • bulk data exports (such as SOQL queries on Contacts, Accounts, Cases);
       
    • access from unrecognized IP addresses, particularly those associated with VPN proxy services (Mullvad, Surfshark, NSocks, IProxyShop, Nexx, ProxySeller, Proton, Tor);
       
    • unexpected user agent strings, including “python-requests,” “python/3.11 aiohttp,” or “Salesforce-Multi-Org-Fetcher/1.0” (also observed in the Salesloft Drift campaign); and
       
    • API activity from AWS IP addresses that appears unrelated to your organization's legitimate operations (see the Salesforce security advisory for specific IOCs).
       
  • Credential Rotation: If your organization stored sensitive secrets (e.g., AWS keys, database passwords, API tokens) in Salesforce fields accessible to Gainsight, rotate them immediately.[6]
     
  • Controlled Re-integration: Salesforce initially disabled connections to Gainsight, but has since re-enabled these integrations. Ensure you receive and install any security updates from Gainsight before re-establishing the integration.[7]
     
  • Review Permissions: Upon future re-installation, strictly apply the Principle of Least Privilege, ensuring the app receives only the minimum necessary OAuth scopes.[8]
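The audit-log review above can be scripted as a first-pass triage over exported API records. The following is an added example (not FINRA's, Salesforce's or Gainsight's code) that applies the alert's indicators (the review window, the quoted user-agent strings, bulk SOQL reads of Contacts/Accounts/Cases, and source IPs outside a known-good allowlist) to constructed sample records; the CSV column names, the integration user name, the allowlist network and the bulk-row threshold are all assumptions to be mapped onto your org's actual log fields and baselines.

```python
# Added example (not FINRA's or Salesforce's code): triage of Salesforce API
# records for a Gainsight integration user. Column names are simplified
# assumptions, not the Event Monitoring schema; map them to your org's fields.
import csv, io, re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

WINDOW_START = datetime(2025, 10, 23, tzinfo=timezone.utc)            # window from the alert
WINDOW_END = datetime(2025, 11, 20, 23, 59, 59, tzinfo=timezone.utc)
SUSPICIOUS_UA = ("python-requests", "python/3.11 aiohttp", "Salesforce-Multi-Org-Fetcher/1.0")
BULK_OBJECTS = {"Contact", "Account", "Case"}                          # objects named in the alert
BULK_ROW_THRESHOLD = 5000                        # assumption: tune to the integration's normal volume
KNOWN_GOOD_NETS = [ip_network("203.0.113.0/24")]  # constructed allowlist placeholder (TEST-NET-3)
INTEGRATION_USER = "gainsight.integration@example.com"  # constructed placeholder user name

def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def flag_record(row):  # reasons one record looks suspicious ([] if none)
    reasons = []
    if any(marker.lower() in row["USER_AGENT"].lower() for marker in SUSPICIOUS_UA):
        reasons.append("suspicious_user_agent")
    if not any(ip_address(row["CLIENT_IP"]) in net for net in KNOWN_GOOD_NETS):
        reasons.append("unrecognized_ip")
    m = re.search(r"\bFROM\s+(\w+)", row["QUERY"], re.IGNORECASE)  # SOQL object being read
    obj = m.group(1) if m else ""
    if obj in BULK_OBJECTS and int(row["ROWS_RETURNED"]) >= BULK_ROW_THRESHOLD:
        reasons.append("bulk_export:" + obj)
    return reasons

def triage(csv_text, user=INTEGRATION_USER):  # flagged records for `user` inside the window
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["USER_NAME"] != user or not (WINDOW_START <= _parse_ts(row["TIMESTAMP"]) <= WINDOW_END):
            continue
        reasons = flag_record(row)
        if reasons:
            findings.append({"timestamp": row["TIMESTAMP"], "reasons": reasons})
    return findings

# Constructed sample records, not real log data.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_IP,USER_AGENT,QUERY,ROWS_RETURNED
2025-10-22T09:00:00Z,gainsight.integration@example.com,203.0.113.10,Gainsight/2.0,SELECT Id FROM Account,200
2025-11-02T03:14:00Z,gainsight.integration@example.com,198.51.100.7,python-requests/2.31,"SELECT Id, Email FROM Contact",48211
2025-11-05T11:20:00Z,alice@example.com,203.0.113.11,Mozilla/5.0,SELECT Id FROM Case,12
2025-11-12T22:45:00Z,gainsight.integration@example.com,203.0.113.10,Salesforce-Multi-Org-Fetcher/1.0,SELECT Id FROM Case LIMIT 100,100
2025-11-18T06:00:00Z,gainsight.integration@example.com,203.0.113.10,Gainsight/2.0,SELECT Id FROM Opportunity,900
"""
```

Records before the window, records of other users, and the integration's routine reads from its allowlisted network produce no findings; the remaining hits carry every matching reason so an analyst can prioritise a bulk Contact read from an unknown address over a lone user-agent match.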

FINRA encourages member firms that identify data breaches or attempted data breaches to contact their Risk Monitoring Analyst and report them to:

Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). 

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU). 

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices. 


[1] ShinyHunters is a financially motivated threat actor group with links to the Scattered Spider group, known to target high-profile organizations through social engineering and ransomware campaigns. Unlike traditional ransomware groups, it focuses not only on encrypting systems but also on stealing sensitive corporate data for extortion purposes. ShinyHunters and Scattered Spider continue to conduct financially motivated operations targeting business networks strategically, with a global impact as of 2025.

[2] See FINRA Cybersecurity Alert – Salesloft Drift AI Supply Chain Attack.

[3] This recommendation follows one category of the “DETECT (DE)” core function of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework (CSF) 2.0: “DE.CM-06: External service provider activities and services are monitored to find potentially adverse events.” The NIST CSF 2.0 provides guidance to industry, government agencies and other organizations to help them better understand, assess, prioritize and communicate their cybersecurity efforts and manage cybersecurity risks; it describes the core functions, categories and identifiers for each.

[4] This recommendation follows one core function and category of NIST CSF 2.0: “DE.AE-06: Information on adverse events is provided to authorized staff and tools.”

[5] Salesforce has confirmed that all Setup Audit Trail entries, Event Monitoring logs, and API activity records remain intact and accessible despite token revocation.

[6] This recommendation follows one core function and category of NIST CSF 2.0: “DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.”

[7] This recommendation follows one category of the “RECOVER (RC)” core function of NIST CSF 2.0: “RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration.”

[8] This recommendation follows one core function and category of NIST CSF 2.0: “PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.”