Gainsight Breach Exposes Data from 200+ Organizations


Salesforce has disclosed a significant security incident involving unauthorized access to customer data through compromised OAuth tokens used by Gainsight-published applications.

The breach, identified in mid-November 2025, may have exposed sensitive information from more than 200 organizations that rely on Gainsight’s customer success platform integrated with Salesforce.

According to Salesforce, the incident was not caused by a vulnerability in the Salesforce platform itself, but by the compromise of OAuth tokens used by third-party Gainsight applications. These tokens allowed attackers to connect to customer Salesforce instances without needing direct login credentials.

How the Incident Unfolded

An internal investigation found that the attackers began reconnaissance activity as early as October 23, 2025. The most active period of unauthorized access attempts occurred between November 16 and November 19, shortly before Salesforce detected suspicious activity and intervened.

Threat actors associated with the well-known ShinyHunters group were identified as the likely perpetrators. This group has been linked to several high-profile data breaches affecting major technology and SaaS companies.

To obscure their origin, the attackers routed their requests through a range of commercial VPN and proxy services, including Mullvad, Surfshark, Proton, and Tor.

Salesforce also published the source IP addresses it observed (listed under Indicators of Compromise below), together with abnormal user agents such as "python-requests/2.28.1", a generic Python HTTP client that Gainsight's applications do not normally present.

Salesforce’s Immediate Response

Once the unusual behavior was confirmed on November 20, 2025, Salesforce took swift action to prevent further unauthorized access:

  • All connections to Gainsight-published applications were disabled
  • Compromised OAuth tokens were revoked
  • The affected apps were removed from the AppExchange
  • Customers were notified and advised not to reconnect Gainsight apps until further notice

Salesforce also emphasized that no weaknesses were found in its own platform. The issue lay with the OAuth tokens issued to the Gainsight integration and held on Gainsight's side: once the attackers obtained those tokens, they could replay them against customer orgs from any network, and nothing distinguished that traffic from legitimate Gainsight traffic except the anomalous source addresses and client software described above.

The company is continuing its investigation with the support of the Google Threat Intelligence Group (GTIG) and Mandiant, both of which are tracking the broader campaign behind this activity.

More than 200 companies that use Gainsight integrations may have had some level of data exposure. What was accessed likely varies by organization, because a stolen OAuth token grants exactly the access the connected app's integration user had, no more and no less. For a customer-success integration that typically includes:

  • Contact and account data
  • Internal records
  • Metadata
  • Connected system information

Salesforce has not confirmed the exact scope of data accessed for each customer, but the wide use of Gainsight in enterprise environments means the impact could be significant.

Recommended Actions for All SaaS Users

Salesforce and GTIG strongly recommend that organizations:

🔹 1. Audit all connected apps

Review every third-party application connected to your SaaS platforms.

🔹 2. Check OAuth permissions

Only keep integrations that are needed and restrict excessive privileges.

🔹 3. Revoke unused or suspicious tokens

Tokens that have not been used recently or that belong to unknown applications should be revoked immediately.

🔹 4. Enable continuous monitoring

Track unusual login activity, application-initiated access, and automated API behavior, for example an integration user connecting from a new network or presenting a user agent the vendor's software does not normally use.

🔹 5. Apply Zero-Trust principles

Even trusted apps should be limited in what they can access.
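As an added illustration of steps 1 to 3 above (example code written for this article, not a Salesforce or Gainsight tool): a small triage routine over a connected-app token inventory. It assumes the inventory has already been exported into records with the fields shown (app name, username, granted scopes, last-use date, use count); the approved-app list, the 90-day idle threshold and the sample rows are constructed for illustration. The Salesforce scope names "full" and "refresh_token" are real; their combination is singled out because it is what lets a third party act offline with the user's entire data access, which is the shape of the Gainsight compromise.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Hypothetical allowlist of integrations this org has approved (constructed).
APPROVED_APPS = {"Gainsight NXT", "Slack", "Tableau CRM"}
# Salesforce OAuth scope names: 'full' grants access to all data the user can
# see; 'refresh_token' lets the app obtain new access tokens with no user
# present, which is exactly what a stolen integration token gives an attacker.
BROAD_SCOPE = "full"
OFFLINE_SCOPE = "refresh_token"
MAX_IDLE_DAYS = 90  # editor's threshold, not a Salesforce recommendation


@dataclass(frozen=True)
class Token:
    """One row of a connected-app token export (field names are assumed)."""
    app_name: str
    username: str
    scopes: FrozenSet[str]
    last_used: Optional[date]  # None: issued but never used
    use_count: int


def triage_token(tok, today, approved=APPROVED_APPS, max_idle_days=MAX_IDLE_DAYS):
    """Return (action, reasons); action is 'revoke', 'review' or 'keep'."""
    reasons = []
    unknown = tok.app_name not in approved
    stale = tok.last_used is None or (today - tok.last_used).days > max_idle_days
    if unknown:
        reasons.append("app not on approved list")
    if tok.last_used is None:
        reasons.append("never used")
    elif stale:
        reasons.append(f"idle for more than {max_idle_days} days")
    if BROAD_SCOPE in tok.scopes and OFFLINE_SCOPE in tok.scopes:
        reasons.append("offline access combined with 'full' scope")
    elif BROAD_SCOPE in tok.scopes:
        reasons.append("'full' scope granted")
    # Unknown or stale tokens have no legitimate consumer to break, so they
    # are revoked outright. An approved, active but over-privileged token
    # needs a human to narrow the scope; revoking it would break production.
    if unknown or stale:
        return "revoke", reasons
    if reasons:
        return "review", reasons
    return "keep", reasons


def triage_inventory(tokens, today):
    """Group an inventory by action; each entry is (app, username, reasons)."""
    out = {"revoke": [], "review": [], "keep": []}
    for tok in tokens:
        action, reasons = triage_token(tok, today)
        out[action].append((tok.app_name, tok.username, reasons))
    return out


# Constructed sample inventory; names, dates and counts are made up.
SAMPLE_TOKENS = [
    Token("Gainsight NXT", "gainsight.integration@example.com",
          frozenset({"api", "refresh_token", "full"}), date(2025, 11, 19), 14210),
    Token("Gainsight NXT", "former.admin@example.com",
          frozenset({"api", "refresh_token"}), date(2025, 6, 2), 37),
    Token("Data Sync Tool", "svc.reporting@example.com",
          frozenset({"api", "refresh_token"}), date(2025, 11, 18), 880),
    Token("Slack", "jane.doe@example.com",
          frozenset({"api", "openid"}), date(2025, 11, 20), 512),
    Token("Tableau CRM", "new.analyst@example.com",
          frozenset({"api", "refresh_token"}), None, 0),
]

if __name__ == "__main__":
    for action, entries in triage_inventory(SAMPLE_TOKENS, date(2025, 11, 21)).items():
        for app, user, reasons in entries:
            print(f"{action:6} {app:15} {user:35} {'; '.join(reasons)}")
```

Run it as-is to see the decisions on the sample inventory. The only automatic action is revocation of tokens with no legitimate consumer (unknown app, never used, or idle past the threshold); over-privileged tokens belonging to approved apps are queued for a person to narrow the scopes, because revoking a live integration token silently breaks whatever depends on it.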

Indicators of Compromise

| IOC Type | Value | First Seen | Last Seen | Activity |
|---|---|---|---|---|
| IP Address | 104.3.11.1 | 2025-11-08 | 2025-11-08 | AT&T IP reconnaissance |
| IP Address | 198.54.135.148 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy |
| IP Address | 198.54.135.197 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy |
| IP Address | 198.54.135.205 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy |
| IP Address | 146.70.171.216 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy |
| IP Address | 169.150.203.245 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy |
| IP Address | 172.113.237.48 | 2025-11-18 | 2025-11-18 | NSocks VPN proxy |
| IP Address | 45.149.173.227 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy |
| IP Address | 135.134.96.76 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy |
| IP Address | 65.195.111.21 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy |
| IP Address | 65.195.105.81 | 2025-11-19 | 2025-11-19 | Nexx VPN proxy |
| IP Address | 65.195.105.153 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy |
| IP Address | 45.66.35.35 | 2025-11-19 | 2025-11-19 | Tor VPN proxy |
| IP Address | 146.70.174.69 | 2025-11-19 | 2025-11-19 | Proton VPN proxy |
| IP Address | 82.163.174.83 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy |
| IP Address | 3.239.45.43 | 2025-10-23 | 2025-10-23 | AWS IP reconnaissance |
| User Agent | python-requests/2.28.1 | 2025-11-08 | 2025-11-08 | Unexpected user agent |
| User Agent | python-requests/2.32.3 | 2025-11-16 | 2025-11-16 | Unexpected user agent |
| User Agent | python/3.11 aiohttp/3.13.1 | 2025-10-23 | 2025-10-23 | Unexpected user agent |
| User Agent | Salesforce-Multi-Org-Fetcher/1.0 | 2025-11-18 | 2025-11-19 | Threat actor tool |
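As an added example (written for this article, not taken from Salesforce's advisory): the indicators above turned into a check that runs over an API-access log export. The IP and user-agent values are transcribed from the table; the CSV layout, column names, usernames, the "Gainsight-Connector/4.2" agent and the non-IOC addresses in the sample are constructed, and the prefix-based "scripted client" heuristic is the editor's addition rather than part of the published IOC list.

```python
import csv
import io
from datetime import datetime, timezone

# IOC values transcribed from the advisory table above.
IOC_IPS = {
    "104.3.11.1": "AT&T IP reconnaissance",
    "198.54.135.148": "Mullvad VPN proxy",
    "198.54.135.197": "Mullvad VPN proxy",
    "198.54.135.205": "Mullvad VPN proxy",
    "146.70.171.216": "Mullvad VPN proxy",
    "169.150.203.245": "Surfshark VPN proxy",
    "172.113.237.48": "NSocks VPN proxy",
    "45.149.173.227": "Surfshark VPN proxy",
    "135.134.96.76": "IProxyShop VPN proxy",
    "65.195.111.21": "IProxyShop VPN proxy",
    "65.195.105.81": "Nexx VPN proxy",
    "65.195.105.153": "ProxySeller VPN proxy",
    "45.66.35.35": "Tor VPN proxy",
    "146.70.174.69": "Proton VPN proxy",
    "82.163.174.83": "ProxySeller VPN proxy",
    "3.239.45.43": "AWS IP reconnaissance",
}
IOC_USER_AGENTS = {
    "python-requests/2.28.1",
    "python-requests/2.32.3",
    "python/3.11 aiohttp/3.13.1",
    "Salesforce-Multi-Org-Fetcher/1.0",
}
# Editor's heuristic, not part of the advisory: a generic HTTP client library
# on a connected-app session deserves a look even if the exact version string
# is not on the IOC list.
SCRIPTED_UA_PREFIXES = ("python-requests/", "python/", "curl/", "Go-http-client/")
# Reconnaissance-to-containment window given in the article.
WINDOW_START = datetime(2025, 10, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 11, 20, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample in the shape of an API-access log export. Column names,
# usernames, the 'Gainsight-Connector/4.2' agent and the non-IOC addresses
# (RFC 5737 documentation ranges) are all made up for this example.
SAMPLE_LOG = """timestamp,username,source_ip,user_agent,connected_app,api_type
2025-11-16T03:12:44Z,gainsight.integration@example.com,198.54.135.148,python-requests/2.32.3,Gainsight NXT,REST
2025-11-17T09:00:01Z,gainsight.integration@example.com,203.0.113.10,Gainsight-Connector/4.2,Gainsight NXT,REST
2025-11-18T22:41:09Z,gainsight.integration@example.com,45.149.173.227,Salesforce-Multi-Org-Fetcher/1.0,Gainsight NXT,REST
2025-11-19T01:05:30Z,svc.marketing@example.com,198.51.100.7,python-requests/2.31.0,Marketing Sync,REST
2025-11-19T11:20:00Z,jane.doe@example.com,192.0.2.55,Mozilla/5.0 (Windows NT 10.0; Win64; x64),,UI
2025-11-25T06:00:00Z,gainsight.integration@example.com,198.54.135.205,python-requests/2.32.3,Gainsight NXT,REST
"""


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(row):
    """Return (severity, reasons); severity is 'ioc', 'heuristic' or None."""
    reasons = []
    ip, ua = row["source_ip"], row["user_agent"]
    if ip in IOC_IPS:
        reasons.append(f"IOC IP {ip} ({IOC_IPS[ip]})")
    if ua in IOC_USER_AGENTS:
        reasons.append(f"IOC user agent {ua!r}")
    if reasons:
        return "ioc", reasons
    if ua.startswith(SCRIPTED_UA_PREFIXES):
        return "heuristic", [f"scripted client user agent {ua!r}"]
    return None, reasons


def scan_log(text):
    """Scan a CSV export and return the rows that hit, in file order."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        severity, reasons = classify(row)
        if severity is None:
            continue
        ts = parse_ts(row["timestamp"])
        hits.append({
            "timestamp": row["timestamp"],
            "username": row["username"],
            "source_ip": row["source_ip"],
            "connected_app": row["connected_app"],
            "severity": severity,
            "reasons": reasons,
            "in_window": WINDOW_START <= ts <= WINDOW_END,
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "" if h["in_window"] else " (outside published window)"
        print(h["severity"].upper(), h["timestamp"], h["username"],
              h["source_ip"], "; ".join(h["reasons"]) + flag)
```

The useful signal is the combination, not any single field: the integration user that normally talks to Salesforce only from the vendor's infrastructure suddenly appears from a VPN egress with a generic client library. Rows that match only the heuristic, like the "Marketing Sync" line in the sample, are leads to verify against that integration's known egress, not confirmed compromise, and a hit outside the published window still warrants a look because token abuse does not stop when an advisory is published.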


About the Author:

FirstHackersNews- Identifies Security
