Maybe if your hand has 200+ fingers... Gainsight CEO Chuck Ganapathi downplayed the victim count related to his company's recent breach, saying he's only aware of "a handful of customers" who had their data affected after Salesforce flagged unusual activity involving Gainsight's connected app.…
# Incident Report: Gainsight Connected App Compromise via Salesforce Integration
## Executive Summary
Salesforce flagged unusual activity involving Gainsight-published connected applications. The activity involved compromised OAuth tokens issued to those applications, which gave the threat actor unauthorized access to data in an unconfirmed number of customers' Salesforce instances. Salesforce revoked all access and refresh tokens associated with Gainsight-published applications, and Gainsight disabled its Salesforce integration while a forensic investigation is underway.
## Incident Details
- Discovery Date: November 19, 2025 (when Salesforce first flagged the activity)
- Incident Date: Occurred prior to November 19, 2025
- Affected Organization: Gainsight
- Sector: Customer Success Platform / SaaS
- Geography: Not specified (Global customer base implied)
## Timeline of Events
### Initial Access
- Date/Time: Prior to Nov 19, 2025
- Vector: Compromised OAuth tokens associated with Gainsight's connected application for Salesforce.
- Details: Salesforce observed unusual activity involving Gainsight-published connected apps in customer Salesforce instances. How the tokens were originally obtained is not described in the source.
### Lateral Movement
- Vector: Compromised OAuth tokens issued to the Gainsight connected app gave access to the customer Salesforce instances that had authorized it.
- Details: The threat actor used these tokens to reach customer data in the affected instances. HubSpot and Zendesk also revoked access for Gainsight connectors, which suggests either a related concern on those platforms or a precautionary measure.
### Data Exfiltration/Impact
- Details: Customer data was accessed and, per the reporting, stolen. Gainsight's CEO claims only a "handful of customers" were affected, while Google Threat Intelligence Group (GTIG) is aware of more than 200 potentially affected Salesforce instances.
### Detection & Response
- **Discovery:** Salesforce flagged unusual activity involving Gainsight's connected app on November 19.
- **Response:** Salesforce revoked all access and refresh tokens associated with Gainsight-published applications. Gainsight disabled its Salesforce integration and is conducting forensic analysis, and is providing support to potentially affected customers.
## Attack Methodology
- Initial Access: Abuse of OAuth access and refresh tokens issued to Gainsight-published connected apps; the mechanism by which the tokens were obtained is not described in the source.
- Persistence: Not detailed. Refresh tokens would have allowed the actor to mint new access tokens until Salesforce revoked them.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Compromise of customer tokens related to the Gainsight connected application.
- Discovery: Not detailed. Salesforce's advisory attributes the published indicators of compromise to ShinyHunters, but the source describes no reconnaissance activity.
- Lateral Movement: Accessing data within connected customer Salesforce instances via compromised tokens.
- Collection: Theft of customer data associated with affected tokens.
- Exfiltration: Not detailed.
- Impact: Unauthorized data access and theft.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Customer data was affected. Discrepancy exists between company assessment ("handful") and threat intelligence awareness (200+ Salesforce instances).
- Operational: Gainsight's Salesforce integration was disabled at the time of the latest update, disrupting customers that rely on that connection. Gainsight hosted town halls to assist customers. Login issues for a subset of customers using GSuite SSO were also being investigated.
- Reputational: Negative impact due to data breach disclosure and conflicting reports on the scope of compromise.
## Indicators of Compromise
- Network indicators: Salesforce's security advisory published indicators of compromise attributed to the threat actor ShinyHunters; the specific indicators are not reproduced in this summary.
- File indicators: Not specified.
- Behavioral indicators: Unusual activity flagged by Salesforce involving Gainsight-published connected apps. For customers, the corresponding signal is OAuth token use by the app that departs from its normal pattern (source addresses, timing, volume) in login history.
## Response Actions
- **Containment:** Salesforce revoked all access and refresh tokens associated with Gainsight-published applications.
- **Eradication:** Not yet reported. Forensic investigation is ongoing, led by Mandiant (part of Google Cloud).
- **Recovery:** Gainsight disabled its Salesforce integration; status on reconnection is pending forensic review. Gainsight is directly engaging with affected customers.
## Lessons Learned
- OAuth tokens held by a third-party connected application carry the access of the user who authorized them, so a compromise at the vendor becomes a compromise of every tenant that granted it access. Connected apps need the same access management and token-usage monitoring as human accounts.
- Significant discrepancy exists in assessing the true scope of customer impact between the affected vendor (Gainsight) and external threat intelligence/partner monitoring (Salesforce/GTIG).
## Recommendations
- Immediately review and audit all connected applications and OAuth token usage across critical platforms (Salesforce, HubSpot, Zendesk, etc.).
- Implement stricter application-level authorization policies to limit the blast radius if a vendor's tokens are stolen: restrict which users may authorize a connected app, grant only the OAuth scopes it needs, enforce IP restrictions on its token use, and expire refresh tokens on a short schedule (in Salesforce these are the connected app's permitted-users, IP relaxation and refresh token policy settings).
- Establish clear, standardized communication protocols for immediately sharing confirmed scope data with partners (Salesforce) and the public to mitigate confusion.
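The audit recommended above, and the "unusual activity" behavioral indicator listed earlier, as an added example that is not part of the original report or of Gainsight's or Salesforce's own tooling: a Python script that reads a Salesforce Login History CSV export, isolates OAuth ("Remote Access 2.0") logins made through a named connected app, and flags attempts from outside the vendor's expected egress ranges, successful logins after the token revocation cut-off, and bursts of token use. The connected app name "Gainsight", the egress range 203.0.113.0/24, the revocation cut-off of 2025-11-20T00:00:00Z and every sample row are constructed for the example; the `OauthToken` SOQL query is the standard object an admin would query to list and delete the app's live tokens.

```python
"""Audit a Salesforce Login History export for OAuth logins made through a
named connected app and flag what a responder checks after a vendor token
compromise. Added example; sample data and parameters are constructed."""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed rows in the column layout of a Setup > Login History CSV
# export. OAuth 2.0 token use appears with LoginType "Remote Access 2.0"
# and the connected app's name in Application. 203.0.113.0/24 stands in
# for the vendor's documented egress range; 198.51.100.7 does not belong
# to it. The failure status text on the revoked-token row is illustrative.
SAMPLE_LOGIN_HISTORY = """\
Username,LoginTime,Application,LoginType,Status,SourceIp
alice@example.com,2025-11-17T08:02:11Z,Browser,Application,Success,192.0.2.44
svc.gainsight@example.com,2025-11-17T09:00:05Z,Gainsight,Remote Access 2.0,Success,203.0.113.10
svc.gainsight@example.com,2025-11-18T02:14:03Z,Gainsight,Remote Access 2.0,Success,198.51.100.7
svc.gainsight@example.com,2025-11-18T02:14:09Z,Gainsight,Remote Access 2.0,Success,198.51.100.7
svc.gainsight@example.com,2025-11-18T02:14:15Z,Gainsight,Remote Access 2.0,Success,198.51.100.7
svc.gainsight@example.com,2025-11-18T02:14:22Z,Gainsight,Remote Access 2.0,Success,198.51.100.7
svc.gainsight@example.com,2025-11-20T11:30:00Z,Gainsight,Remote Access 2.0,Failed: Revoked OAuth Token,198.51.100.7
svc.gainsight@example.com,2025-11-21T06:01:40Z,Gainsight,Remote Access 2.0,Success,198.51.100.7
"""

# SOQL an admin can run (Developer Console, Workbench, or `sf data query`)
# to list the live tokens for the app before deleting them. OauthToken is
# a standard object; the AppName value is the connected app's display name.
OAUTH_TOKEN_SOQL = (
    "SELECT Id, AppName, User.Username, LastUsedDate, UseCount "
    "FROM OauthToken WHERE AppName = 'Gainsight'"
)


def parse_login_history(csv_text):
    """Parse the export; LoginTime becomes an aware UTC datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["LoginTime"] = datetime.strptime(
            row["LoginTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def audit_connected_app(rows, app_name, expected_cidrs, revoked_at,
                        burst_threshold=4, burst_window_s=60):
    """Return findings for OAuth logins attributed to app_name:
    unexpected_ip: attempts from outside the vendor's expected egress ranges;
    post_revocation_success: successful logins at or after revoked_at, which
    means a token survived the revocation or a new one was issued;
    bursts: per user, the first burst_window_s window holding at least
    burst_threshold successful logins (a cheap proxy for bulk token use)."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    app_rows = [r for r in rows
                if r["Application"].lower() == app_name.lower()
                and r["LoginType"] == "Remote Access 2.0"]
    findings = {"unexpected_ip": [], "post_revocation_success": [], "bursts": []}
    for r in app_rows:
        if not any(ipaddress.ip_address(r["SourceIp"]) in n for n in nets):
            findings["unexpected_ip"].append(r)
        if r["Status"] == "Success" and r["LoginTime"] >= revoked_at:
            findings["post_revocation_success"].append(r)
    by_user = {}
    for r in sorted(app_rows, key=lambda r: r["LoginTime"]):
        if r["Status"] == "Success":
            by_user.setdefault(r["Username"], []).append(r["LoginTime"])
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > burst_window_s:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings["bursts"].append((user, times[start], end - start + 1))
                break
    return findings


def summarize(findings):
    """Counts per finding type, for a quick triage line."""
    return {k: len(v) for k, v in findings.items()}


def run_sample():
    """Run the audit over the constructed export with assumed parameters:
    app name "Gainsight", egress range 203.0.113.0/24, and a revocation
    cut-off of 2025-11-20T00:00:00Z (assumed, not the incident's actual time)."""
    rows = parse_login_history(SAMPLE_LOGIN_HISTORY)
    revoked_at = datetime(2025, 11, 20, tzinfo=timezone.utc)
    return audit_connected_app(rows, "Gainsight", ["203.0.113.0/24"], revoked_at)


if __name__ == "__main__":
    result = run_sample()
    print(summarize(result))
    for kind, items in result.items():
        for item in items:
            print(kind, item if kind == "bursts" else
                  (item["Username"], item["LoginTime"].isoformat(),
                   item["SourceIp"], item["Status"]))
```

Against the constructed export the script reports six attempts from the unexpected address, one successful login after the assumed cut-off (the finding that matters most, since it means revocation did not close the door), and one burst of four logins within a minute. On a real tenant, feed it the Login History export (or Event Monitoring LoginEvent data), replace the egress range with whatever the vendor documents, and set the cut-off to the time you confirmed the tokens were revoked; anything in `post_revocation_success` warrants deleting the matching `OauthToken` records and rotating the integration user's credentials.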