November 20, 2025

Suspected compromise of Gainsight-connected Salesforce instances via OAuth tokens

On November 19, 2025, Salesforce issued a Security Advisory describing “unusual activity” involving Gainsight-published applications connected to Salesforce. Their investigation indicates the activity may have enabled unauthorized access to certain customers’ Salesforce data via the app connection, not due to a Salesforce platform vulnerability but via the app’s external connection.

Update November 21st:

Gainsight has engaged with Mandiant and has published an FAQ with more information. According to them, at the moment only three orgs are known to be impacted and Salesforce has proactively reached out to them.

Salesforce has taken the following steps:

  • Revoked all active access and refresh tokens associated with Gainsight-published apps.
  • Temporarily removed those apps from the Salesforce AppExchange.
  • Notified known affected customers directly.

At the same time Gainsight’s status page is reporting:

  • Salesforce connection failures due to revoked Gainsight SFDC Connector access.
  • Temporary removal of the Gainsight app from the HubSpot Marketplace as a precautionary measure.
  • No suspicious HubSpot activity observed so far.

Separately, threat actor group ShinyHunters has publicly claimed that they obtained a Gainsight OAuth token via secrets stolen from Salesloft/Drift support case data. Using that token, they allegedly issued refresh tokens for up to 285 Salesforce instances linked to Gainsight and accessed customer data. BleepingComputer reported that the gang claims they lost access today but had time to steal some data. These claims are unconfirmed, and the scope and victim list remain unknown.

Recommendations

  • Remove all app-to-app integrations between Gainsight and any of your SaaS applications, including Salesforce, HubSpot, etc.
  • Review SaaS application logs, where available, for unusual access from the Gainsight integration. This activity might look like bulk queries, access to an unusually large number of resources, or execution of an unusually large number of queries.
  • Implement IP restrictions for integrations in Salesforce: in the Salesforce Connected App settings for Gainsight (and other high-risk apps), set IP Relaxation to "Enforce IP restrictions" and limit access to your corporate egress ranges.
  • Review Salesforce Event Monitoring logs and authentication activity originating outside the IP ranges used by Gainsight. Customers can request this data by opening a support ticket with Gainsight.
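As an added example that is not part of the original post (and not Gainsight's or Salesforce's own tooling), the script below shows how the log-review recommendations above can be turned into a small triage check: it reads Salesforce-style API event rows for the integration user and flags the three patterns called out above, that is, requests from IP addresses outside the integration's known ranges, single requests returning an unusually large number of rows, and a burst of queries within one hour. The CSV column names are modelled on Salesforce Event Log File API events but are an assumption rather than a guaranteed schema; the integration user id, the "known" address range and every log line are constructed for the example.

```python
"""
Added example: triage Salesforce-style API event log rows for an integration
user and flag off-range IPs, bulk row counts and query bursts.

Assumptions (constructed for this example): the column names below are
modelled on Salesforce Event Log File API events but are not guaranteed to
match any release; the user id, the known address range and all log rows are
made up.
"""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed: address ranges the integration is expected to use. In a real
# review, use the vendor's published ranges and your own egress ranges.
KNOWN_INTEGRATION_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: the Salesforce user id the integration authenticates as.
INTEGRATION_USER = "005INTEGRATION"

# Constructed sample log. TIMESTAMP is ISO-8601 UTC; ROWS_PROCESSED is the
# number of rows the request returned. The 03:xx rows model a bulk pull of
# several objects from an address outside the known range.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
2025-11-18T02:00:05Z,005INTEGRATION,203.0.113.10,Account,200
2025-11-18T02:05:11Z,005INTEGRATION,203.0.113.10,Contact,150
2025-11-18T03:10:42Z,005INTEGRATION,198.51.100.7,Contact,48000
2025-11-18T03:11:02Z,005INTEGRATION,198.51.100.7,Account,52000
2025-11-18T03:11:30Z,005INTEGRATION,198.51.100.7,Opportunity,47000
2025-11-18T03:12:01Z,005INTEGRATION,198.51.100.7,Case,51000
2025-11-18T03:12:40Z,005INTEGRATION,198.51.100.7,Lead,46000
2025-11-18T03:13:15Z,005INTEGRATION,198.51.100.7,User,900
2025-11-18T04:00:00Z,005HUMANUSER,192.0.2.20,Account,10
"""


def parse_log(text):
    """Parse CSV text into dicts with typed timestamp, row count and IP."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
        r["ip"] = ipaddress.ip_address(r["CLIENT_IP"])
    return rows


def in_known_range(ip, nets=KNOWN_INTEGRATION_NETS):
    """True if the address (string or ip_address) falls in a known range."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(addr in n for n in nets)


def flag_integration_activity(rows, integration_user=INTEGRATION_USER,
                              nets=KNOWN_INTEGRATION_NETS,
                              bulk_rows=10_000, queries_per_hour=5):
    """Return findings for the integration user only.

    bulk_queries:  (timestamp, entity, rows) for requests >= bulk_rows
    off_range_ips: sorted client IPs not inside any known range
    query_bursts:  (hour, count) for hours with >= queries_per_hour requests
    """
    bulk, off_range, per_hour = [], set(), Counter()
    for r in rows:
        if r["USER_ID"] != integration_user:
            continue  # other users are reviewed separately
        if not in_known_range(r["ip"], nets):
            off_range.add(str(r["ip"]))
        if r["rows"] >= bulk_rows:
            bulk.append((r["TIMESTAMP"], r["ENTITY_NAME"], r["rows"]))
        per_hour[r["ts"].replace(minute=0, second=0)] += 1
    bursts = [(h.isoformat(), n) for h, n in sorted(per_hour.items())
              if n >= queries_per_hour]
    return {"bulk_queries": bulk,
            "off_range_ips": sorted(off_range),
            "query_bursts": bursts}


if __name__ == "__main__":
    findings = flag_integration_activity(parse_log(SAMPLE_LOG))
    for kind, items in findings.items():
        print(kind)
        for item in items:
            print("  ", item)
```

The thresholds are deliberately parameters: a baseline of what the integration normally pulls per hour and per request (taken from a quiet period before November 2025) is what makes the "unusually large" judgement defensible, and the same function can be run over the real export with those values substituted.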
