While fiddling around within the Gainsight Weekly Usage Highlights I’ve discovered that it’s quite easy to manipulate the filters to see emails of what only can be explained as all users of Gainsight from all customers. Not contacts and not just our end-users. Literally anyone who has ever touched Gainsight...
Kenneth R, 2 months ago
Thank you again for flagging this @Tomas Trijonis. We have investigated and can acknowledge that there was an issue. To clarify, the contacts from Gainsight customer instances were not exposed - rather, it was some contacts from Gainsight’s own instance of CS that were visible through the email filter. We have now implemented a fix. We’re evaluating the impact and will share more details as needed.
@Kenneth R As part of the impact analysis can you include how long this data was exposed and confirm what types of contacts are included in Gainsight’s instance?
Hi everyone, following the completion of our internal investigation, we wanted to share an additional follow-up here. As mentioned earlier, contacts from Gainsight customer instances were not exposed. Some contacts from Gainsight’s own instance of CS were visible through the email field's equal filter in the 'Feature Usage' report. Based on our internal logs before we rolled out the fix, a total of 115 requests of the API were made, all by two users from the same company that reported the issue to us. Following the fix that we deployed on Thursday we are immediately taking further steps to prevent this from happening again in the future.