Tracking the Gainsight–Salesforce Investigation: What’s Confirmed So Far

There’s been unusual activity related to Gainsight applications connected to Salesforce environments. This activity may have enabled unauthorized access to certain Gainsight customers’ Salesforce data.


Last week, Salesforce publicly disclosed unusual activity related to Gainsight applications connected to customer Salesforce environments. The investigation is still ongoing, but Salesforce’s initial findings indicate that this activity may have enabled unauthorized access to certain Gainsight customers’ Salesforce data via the app’s connection.

In response, Salesforce revoked all active access and refresh tokens associated with the Gainsight applications and temporarily removed the apps from the AppExchange as a precaution. Salesforce also clarified that there is no evidence of any vulnerability within the Salesforce platform itself.

Gainsight has confirmed that they are conducting a full forensic investigation to understand the root cause, impact and scope of the incident.

Why organizations should pay attention

  • This is a connected-app compromise, not a Salesforce platform issue.
    Incidents involving third-party vendor integrations highlight that the connected-app layer must be treated as part of an organisation’s security perimeter.
  • Some characteristics resemble a previous campaign.
    The previous campaign involving Salesloft Drift used stolen OAuth tokens connected to Salesforce integrations. While the Gainsight investigation is not yet complete, some similarities have been observed. Gainsight was among the organisations affected in the Drift breach, but at this point, there is no confirmation that the previous incident led to or caused the current one.
  • The investigation remains open and attribution is not final.
    Key details (including root cause, scope of data access and final attribution) are still unconfirmed, though the threat actor group ShinyHunters has publicly claimed responsibility.

What organizations should do right now

  • Inventory all integrated apps: Identify all Gainsight-published applications and other high-risk connected apps within your Salesforce environment.
  • Review permissions and scopes: For each connected app, verify the OAuth scopes and access rights. Remove or restrict any that are unused or over-privileged.
  • Rotate credentials and tokens: Consider rotating OAuth tokens, API keys and integration credentials.
  • Check telemetry and logs: Examine Salesforce audit logs, connected-app usage logs and API call history for anomalies during the window of exposure.
  • Strengthen vendor-integration governance: Ensure that your third-party app approval processes, monitoring measures and ongoing-security reviews include integration-level access and not just vendor-level risk.
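The log-review step above, as an added example that is not code from the original advisory, from Salesforce or from Gainsight: it baselines each connected app's API volume and source IPs before an assumed exposure start date and flags records after it that show a never-seen source IP, a volume spike, or an app with no prior history. The CSV layout and all values are constructed for illustration and are not the real Salesforce EventLogFile schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified CSV layout (not real Salesforce
# EventLogFile output): one row per connected-app API session summary.
SAMPLE_LOG = """timestamp,connected_app,user,source_ip,api_calls
2025-11-10T09:00:00Z,Gainsight,integ.user@example.com,198.51.100.10,120
2025-11-11T09:00:00Z,Gainsight,integ.user@example.com,198.51.100.10,130
2025-11-12T09:00:00Z,Gainsight,integ.user@example.com,198.51.100.10,125
2025-11-18T02:13:00Z,Gainsight,integ.user@example.com,203.0.113.77,4100
2025-11-18T02:40:00Z,Gainsight,integ.user@example.com,203.0.113.77,3900
2025-11-18T03:05:00Z,Other CRM Sync,sync.user@example.com,198.51.100.20,90
"""

def parse_rows(text):
    """Parse the constructed CSV into dicts with typed timestamp and call count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["api_calls"] = int(r["api_calls"])
        rows.append(r)
    return rows

def find_anomalies(rows, exposure_start, ratio=3.0):
    """Return sorted (app, reason) findings for records on/after exposure_start:
    an app with no pre-window baseline, a source IP not seen before the window,
    or API volume above `ratio` times the app's pre-window average."""
    baseline = defaultdict(list)   # app -> per-record call counts before window
    ips_before = defaultdict(set)  # app -> source IPs seen before window
    for r in rows:
        if r["ts"] < exposure_start:
            baseline[r["connected_app"]].append(r["api_calls"])
            ips_before[r["connected_app"]].add(r["source_ip"])
    findings = set()
    for r in rows:
        if r["ts"] < exposure_start:
            continue
        app = r["connected_app"]
        if not baseline[app]:
            findings.add((app, "no baseline: app first seen during exposure window"))
            continue
        if r["source_ip"] not in ips_before[app]:
            findings.add((app, f"new source IP {r['source_ip']}"))
        avg = sum(baseline[app]) / len(baseline[app])
        if r["api_calls"] > ratio * avg:
            findings.add((app, f"api volume {r['api_calls']} > {ratio}x baseline {avg:.0f}"))
    return sorted(findings)

if __name__ == "__main__":
    # Exposure start date is an assumed placeholder, not a date from the advisory.
    for app, reason in find_anomalies(parse_rows(SAMPLE_LOG), datetime(2025, 11, 17)):
        print(app, "-", reason)
```

In a real review, the same logic applies to exported Salesforce event log data once the columns are mapped; the thresholds and exposure window should come from the vendor's published timeline.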

Where to watch for updates

This incident highlights a growing reality in SaaS ecosystems: the security boundary extends beyond the core platform to every integration, connected app and token behind it. For organisations using Salesforce, the most effective immediate step is to strengthen visibility, governance and control at the integration layer.