While fiddling around within the Gainsight Weekly Usage Highlights I’ve discovered that it’s quite easy to manipulate the filters to see emails of what only can be explained as all users of Gainsight from all customers. Not contacts and not just our end-users. Literally anyone who has ever touched Gainsight...
 

 

Needs fixing ASAP. 

Hi, thank you for flagging!  We’re looking into it and will follow-up asap.

Oh my… I liked but you know, I don’t actually like this 

Thank you again for flagging this @Tomas Trijonis.  We have investigated and can acknowledge that there was an issue. To clarify, the contacts from Gainsight customer instances were not exposed - rather, it was some contacts from Gainsight’s own instance of CS that were visible through the email filter. We have now implemented a fix. We’re evaluating the impact and will share more details as needed.

Follow to get an update on the fix. Massive privacy concerns here.

@Kenneth R As part of the impact analysis can you include how long this data was exposed and confirm what types of contacts are included in Gainsight’s instance?

Hi everyone, following the completion of our internal investigation, we wanted to share an additional follow-up here. As mentioned earlier, contacts from Gainsight customer instances were not exposed. Some contacts from Gainsight’s own instance of CS were visible through the email field's equal filter in the 'Feature Usage' report. Based on our internal logs before we rolled out the fix, a total of 115 requests of the API were made, all by two users from the same company that reported the issue to us. Following the fix that we deployed on Thursday we are immediately taking further steps to prevent this from happening again in the future.