Full Report
Salesforce has issued a new update on the ongoing Salesforce Gainsight security incident, confirming additional details about the unusual activity detected across Gainsight-published applications connected to the CRM platform. The company reiterated that the incident stemmed from the app’s external integration with Salesforce rather than any vulnerability in the Salesforce core platform.

Salesforce Confirms Expanded Investigation

In its latest advisory, Salesforce stated that the unusual activity affecting Gainsight applications may have enabled unauthorized access to certain customers' Salesforce data through the app-to-Salesforce connection. As part of its precautionary measures, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed the apps from its AppExchange.

While initial communication referenced only three affected customers, Salesforce confirmed on November 21 that the list has expanded, and all newly identified impacted customers have been notified directly. Salesforce emphasized that a broader investigation is underway and continues to provide updates on its official Help portal.

[Image: Source: Salesforce]

Gainsight Products and Connectors Temporarily Impacted

According to Gainsight’s latest communication, several of its products, including Gainsight CS, Community (CC), Northpass (CE), Skilljar (SJ), and Staircase (ST), have been affected by Salesforce’s precautionary disconnection. Although the products remain operational, they are currently unable to read or write data to Salesforce.

In addition, several third-party connectors integrated with Gainsight, such as Gong.io, Zendesk, and HubSpot, have been temporarily disabled by their respective vendors out of an abundance of caution.

Gainsight urged customers to rotate their S3 keys if they have not done so since November 20, 2025, as part of the secure log retrieval process.

No Indication of Salesforce Platform Vulnerability

Salesforce reiterated that there is no evidence suggesting the issue originated from a flaw within the Salesforce platform itself. Instead, the activity appears tied to the external OAuth-based connection between Gainsight applications and Salesforce environments.

Crucially, Salesforce confirmed that while the OAuth tokens have been revoked, historical audit trails and logs remain intact, enabling full customer-led investigation efforts. The company also strongly encouraged customers to conduct thorough log reviews using Setup Audit Trail, Event Monitoring logs, and API activity records. Salesforce referenced the Salesforce Log Analysis Guide to support customers in assessing potential compromise indicators.

Indicators of Compromise Published

As part of its transparency efforts, Salesforce shared a list of Indicators of Compromise (IOCs) associated with the threat activity. These include several user agents, such as python-requests/2.32.3 and Salesforce-Multi-Org-Fetcher/1.0, and dozens of IP addresses linked to suspicious access attempts.

Gainsight echoed Salesforce’s recommendations and is conducting its own forensic review with support from independent investigators. Both organizations confirmed that the Salesforce Gainsight security incident remains under active investigation. Gainsight has published a detailed timeline and continues to coordinate with Salesforce to determine the full impact. Customers seeking assistance have been directed to Salesforce Help and Gainsight Support for further updates.
Analysis Summary
# Incident Report: Salesforce Gainsight Unauthorized Access Incident
## Executive Summary
Salesforce confirmed ongoing unusual security activity specifically affecting Gainsight-published applications integrated with the Salesforce CRM platform, stemming from the external application connection, not a core platform vulnerability. As a precautionary measure, Salesforce revoked all dependent OAuth tokens and removed the apps from AppExchange, leading to temporary service interruptions for several Gainsight products and related third-party connectors. The incident scope expanded beyond initial reports, requiring an ongoing, broad investigation supported by shared Indicators of Compromise (IOCs).
## Incident Details
- **Discovery Date:** Not explicitly stated, but updates began following detection of "unusual activity."
- **Incident Date:** Updates were provided through November 21 (when the list of affected customers expanded).
- **Affected Organization:** Salesforce and its customer base utilizing Gainsight-published applications.
- **Sector:** Customer Relationship Management (CRM) / SaaS.
- **Geography:** Not specified (global reach implied by the platform providers involved).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown. The timeframe leading up to the discovery of "unusual activity."
- **Vector:** Compromise related to the external OAuth-based integration between Gainsight applications and Salesforce environments.
- **Details:** Unauthorized access was enabled through the app-to-Salesforce connection of Gainsight applications.
### Lateral Movement
- **Details:** Not detailed in the source. The growing list of impacted customers indicates that the activity extended beyond the three organizations first reported.
### Data Exfiltration/Impact
- **Details:** Unauthorized access to "certain customers' Salesforce data" was potentially enabled. The full extent of data compromise is under investigation.
### Detection & Response
- **Detection:** Salesforce detected "unusual activity" across Gainsight-published applications.
- **Response Actions:**
- Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications.
- Salesforce removed Gainsight-published applications from its AppExchange.
- Salesforce confirmed an expanded list of impacted customers and notified them directly (as of Nov 21).
- Gainsight products (CS, CC, CE, SJ, ST) were temporarily unable to read or write Salesforce data because of the precautionary disconnection.
- Third-party connectors (Gong.io, Zendesk, HubSpot) integrated with Gainsight were disabled by their vendors.
## Attack Methodology
- **Initial Access:** Exploiting or misusing the OAuth connection authorized between Gainsight applications and Salesforce environments.
- **Persistence:** Not stated; the actors presumably relied on the valid OAuth access and refresh tokens until Salesforce revoked them.
- **Privilege Escalation:** Not detailed, though the nature of the connection implies access commensurate with the authorized scope of the Gainsight application.
- **Defense Evasion:** Not detailed, but the activity went undetected long enough to impact multiple customers.
- **Credential Access:** Focused on exploiting or misusing existing, valid OAuth tokens rather than direct credential theft against Salesforce core users.
- **Discovery:** Implied by the IOCs shared, which include a "Salesforce-Multi-Org-Fetcher/1.0" user agent, suggesting widespread reconnaissance within connected orgs.
- **Lateral Movement:** Movement confined to the data accessible via the compromised Gainsight application scopes within connected Salesforce environments.
- **Collection:** Unauthorized access to "certain customers' Salesforce data."
- **Exfiltration:** Not explicitly detailed, but implied by the unauthorized access.
- **Impact:** Unauthorized exposure/access to customer Salesforce data.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Potential exposure of specific customer Salesforce data. A list of affected customers expanded beyond the initial three; all newly identified ones were notified.
- **Operational:** Significant operational disruption for Gainsight customers, as several key Gainsight products and integrated third-party tools were temporarily halted or lost connection to Salesforce data services.
- **Reputational:** Reputational strain on both Salesforce and Gainsight due to the ongoing nature of the security incident.
## Indicators of Compromise
- **Network Indicators (IP Addresses):** Dozens of IP addresses linked to suspicious access attempts; the specific addresses are published in Salesforce's advisory and are not reproduced here.
- **Behavioral Indicators (User Agents):**
- `python-requests/2.32.3`
- `Salesforce-Multi-Org-Fetcher/1.0`
## Response Actions
- **Containment:**
- Salesforce revoked *all* active access and refresh OAuth tokens associated with Gainsight-published applications immediately.
- Salesforce removed affected apps from the AppExchange.
- **Eradication:** Ongoing forensic review by Gainsight with independent investigators; customers urged to conduct log reviews.
- **Recovery:**
- Gainsight urged customers to rotate their S3 keys if they had not done so since November 20, 2025 (a precautionary step related to log retrieval).
- Customers were guided to use Setup Audit Trail, Event Monitoring logs, and API activity records for their investigations, with the Salesforce Log Analysis Guide as a reference.
## Lessons Learned
- **External Integration Risk:** External integrations remain a critical vector for supply chain and platform compromise, even when the core platform (Salesforce) is secure.
- **Rapid Token Revocation Efficacy:** Immediate revocation of all access and refresh OAuth tokens cut off the vector the actors used, at the cost of a planned outage for the affected integrations.
- **Proactive Customer Guidance:** The importance of providing actionable IOCs and direct guidance (e.g., log analysis resources) to customers for self-investigation and remediation.
## Recommendations
- **Review Third-Party Application Permissions:** Customers should minimize the scope of OAuth permissions granted to all third-party applications and regularly audit connected apps on the AppExchange.
- **Implement Stricter Token Rotation Policies:** Establish and enforce policies requiring regular rotation of application-specific credentials and OAuth refresh tokens, especially following major platform updates or security advisories.
- **Enhance Log Monitoring:** Implement continuous, proactive monitoring of Setup Audit Trail and Event Monitoring logs, specifically looking for anomalous user agents (e.g., third-party fetchers) operating at unusual times or volumes.
- **Verify Log Ingestion Security:** Ensure security controls around critical internal data stores (such as the S3 log storage Gainsight referenced) are robust and that key rotation practices are applied uniformly across the organization.
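The user-agent IOCs published for this incident and the log-monitoring recommendation above can be put into practice with a small triage script. This is an added example, not code from Salesforce, Gainsight or the Salesforce Log Analysis Guide; the CSV column names and the log lines are constructed assumptions standing in for an Event Monitoring or API activity export, and the IP addresses are documentation ranges rather than the advisory's indicators.

```python
import csv
import io
from collections import Counter

# User agents Salesforce published as IOCs for this incident (from the advisory).
IOC_USER_AGENTS = {"python-requests/2.32.3", "Salesforce-Multi-Org-Fetcher/1.0"}

# Constructed sample export. The column names are an assumption for illustration,
# not the schema of any particular Salesforce EventLogFile event type.
SAMPLE_LOG = """TIMESTAMP,USER_NAME,CLIENT_IP,USER_AGENT,URI
20251118T02:14:09Z,integration.user@example.com,198.51.100.10,python-requests/2.32.3,/services/data/v60.0/query
20251118T02:14:11Z,integration.user@example.com,198.51.100.10,python-requests/2.32.3,/services/data/v60.0/query
20251118T02:14:12Z,integration.user@example.com,198.51.100.10,Salesforce-Multi-Org-Fetcher/1.0,/services/data/v60.0/sobjects/Account
20251118T09:30:00Z,jane.doe@example.com,203.0.113.5,Mozilla/5.0 (Windows NT 10.0) Chrome/120.0,/lightning/page/home
20251118T09:31:00Z,integration.user@example.com,198.51.100.10,Gainsight-Connector/3.2,/services/data/v60.0/query
"""


def find_ioc_hits(csv_text, ioc_agents=IOC_USER_AGENTS):
    """Return every record whose USER_AGENT exactly matches a published IOC."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["USER_AGENT"] in ioc_agents]


def agent_volume_by_user(csv_text):
    """Count requests per (user, user agent) so unusual volumes stand out."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return Counter((row["USER_NAME"], row["USER_AGENT"]) for row in reader)


def summarize(csv_text):
    """Condense IOC hits into the pivots an analyst needs next: who, from where, with what."""
    hits = find_ioc_hits(csv_text)
    return {
        "ioc_hits": len(hits),
        "users": sorted({h["USER_NAME"] for h in hits}),
        "source_ips": sorted({h["CLIENT_IP"] for h in hits}),
        "agents": sorted({h["USER_AGENT"] for h in hits}),
    }


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit: {hit['TIMESTAMP']} {hit['USER_NAME']} {hit['CLIENT_IP']} {hit['USER_AGENT']}")
    for (user, agent), n in agent_volume_by_user(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {user}  {agent}")
```

In a real review the hits are only a starting point: the same integration user appearing with both a legitimate connector agent and an IOC agent is exactly the pattern to investigate, because a stolen token looks like the app it was issued to.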