The Salesforce-Gainsight Security Incident: What You Need to Know

On November 23, 2025, Gainsight confirmed that it’s actively investigating unusual activity involving its applications that are integrated with Salesforce—an incident that underscores the growing risk of supply-chain compromise through trusted SaaS integrations.

What happened

The security event came to light on November 19, when Salesforce detected suspicious API calls. The calls originated from non-allowlisted IP addresses through Gainsight applications integrated with Salesforce. To date, three unnamed customers are suspected to have been impacted. In response, Salesforce immediately revoked access tokens associated with Gainsight applications, restricted integration functionality, and launched an investigation.

The incident disrupted several Gainsight services, including Customer Success (CS), Community, Northpass, Skilljar, and Staircase, temporarily disabling their ability to read and write data from Salesforce. As a precautionary measure, other platforms, including Zendesk, Gong.io, and HubSpot, also disabled related CS connectors.

The threat landscape connection

Analysis of the indicators of compromise (IoCs) revealed concerning patterns. Some IP addresses involved in this incident, such as 109.70.100[.]68 and 109.70.100[.]71, were previously linked to an August 2025 campaign in which the financially motivated threat cluster UNC6040 compromised Salesforce CRM environments to exfiltrate sensitive data, indicating possible reuse of infrastructure against CRM targets. In that campaign, UNC6040 reportedly coordinated with UNC6240, which claimed affiliation with the ShinyHunters extortion group, to demand payment from affected organizations.

Most of the IP addresses identified are Tor exit nodes or commodity proxy/VPN infrastructure with histories of abuse for malicious activities, including scanning, brute-force attacks, and web exploitation. This suggests that the threat actors are using shared anonymity services rather than custom command-and-control (C2) infrastructure.

Threat intelligence also shows samples from commodity malware families, including SmokeLoader, Stealc, DCRat, and Vidar, communicating with these same IP addresses, which is consistent with shared anonymization infrastructure rather than infrastructure dedicated to this actor.

Gainsight has stated that it has not identified evidence of data exfiltration, and no specific threat actor has been confirmed; the investigation is ongoing.
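The two detection signals described above, calls from non-allowlisted IPs routed through a connected app and source IPs matching published IoCs, can be checked against Salesforce API event logs. The script below is an added example, not code from the original article, Gainsight, or Salesforce. The column names follow the Salesforce EventLogFile "API" event type (CLIENT_IP, CONNECTED_APP_ID, ROWS_PROCESSED), but the log rows, the allowlist ranges, and the connected-app IDs are constructed for illustration; only the two IoC addresses come from the write-up.

```python
"""Flag Salesforce API calls made through a connected app from outside the
org's IP allowlist, and match source IPs against known indicators."""
import csv
import io
import ipaddress
from collections import Counter

# IoCs named in the write-up, kept defanged as they appear in reporting.
DEFANGED_IOCS = ["109.70.100[.]68", "109.70.100[.]71"]

# Constructed allowlist for a hypothetical org. In practice this holds the
# egress ranges the integration vendor publishes plus your own networks.
ALLOWLIST_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample rows in the shape of an EventLogFile "API" export.
# IDs, timestamps and non-IoC addresses are made up (RFC 5737 test ranges).
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CONNECTED_APP_ID,CLIENT_IP,URI,ENTITY_NAME,ROWS_PROCESSED
2025-11-19T03:12:04Z,005xx0000012345,0H4xx00000000GS,203.0.113.17,/services/data/v59.0/query,Account,200
2025-11-19T03:12:09Z,005xx0000012345,0H4xx00000000GS,109.70.100.68,/services/data/v59.0/query,Contact,2000
2025-11-19T03:12:14Z,005xx0000012345,0H4xx00000000GS,192.0.2.44,/services/data/v59.0/query,Opportunity,2000
2025-11-19T03:13:01Z,005xx0000067890,0H4xx00000000ZZ,198.51.100.9,/services/data/v59.0/sobjects/Case,Case,1
2025-11-19T03:14:22Z,005xx0000012345,,192.0.2.55,/services/data/v59.0/query,Account,10
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 into a parseable address."""
    return ioc.replace("[.]", ".")


def parse_log(text: str) -> list:
    """Parse a CSV EventLogFile export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_allowlisted(ip: str, cidrs) -> bool:
    """True if ip falls inside any allowlisted CIDR; unparseable IPs never are."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def detect(rows, allowlist_cidrs=ALLOWLIST_CIDRS, defanged_iocs=DEFANGED_IOCS) -> list:
    """Return one finding per suspicious row, preserving log order.

    A row is flagged when its source IP is a known IoC, or when the call was
    made through a connected app (CONNECTED_APP_ID set) from an IP outside the
    allowlist. Direct user API calls without a connected app are left to other
    controls and are not flagged here.
    """
    iocs = {refang(i) for i in defanged_iocs}
    findings = []
    for row in rows:
        ip = row["CLIENT_IP"]
        app = row["CONNECTED_APP_ID"] or None
        reasons = []
        if ip in iocs:
            reasons.append("ioc_match")
        if app and not is_allowlisted(ip, allowlist_cidrs):
            reasons.append("connected_app_outside_allowlist")
        if reasons:
            findings.append({
                "timestamp": row["TIMESTAMP_DERIVED"],
                "client_ip": ip,
                "connected_app_id": app,
                "entity": row["ENTITY_NAME"],
                "rows_processed": int(row["ROWS_PROCESSED"] or 0),
                "reasons": reasons,
            })
    return findings


def rows_by_app(findings) -> dict:
    """Sum rows read or written per connected app across flagged calls.

    Large totals from a single app are the volume signal that distinguishes
    bulk exfiltration from a stray misconfigured client.
    """
    totals = Counter()
    for f in findings:
        totals[f["connected_app_id"]] += f["rows_processed"]
    return dict(totals)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for f in found:
        print(f["timestamp"], f["client_ip"], f["connected_app_id"], f["reasons"])
    print("rows touched per flagged app:", rows_by_app(found))
```

Run it against a real export by replacing SAMPLE_LOG with the contents of the EventLogFile download and ALLOWLIST_CIDRS with the ranges your connected apps are expected to use; any finding carrying ioc_match warrants immediate token revocation for that connected app, and the per-app row totals tell you how much data was touched while the tokens were live.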

The broader risk: supply-chain compromise

This incident highlights a structural weakness in modern enterprise architecture: the risk of supply-chain compromise through trusted SaaS integrations. When OAuth tokens, API keys, and service accounts grant persistent access to enterprise CRM data, a breach of one connected application can expose sensitive information across every platform that trusts it.

Even with no evidence of data exfiltration so far, customers using Gainsight-Salesforce integrations may face unauthorized access or credential misuse until the integration's tokens have been revoked and reissued. The potential exposure may extend beyond Gainsight to other connected applications, such as Zendesk, HubSpot, and Gong.io, that share authentication or data pipelines.

Immediate actions for affected organizations

Gainsight has already taken defensive measures, including rotating multi-factor authentication credentials and restricting access to its VPN and critical infrastructure. However, customers who suspect exposure should consider taking the following actions:

Critical security steps:

Gainsight-specific recommendations:

Looking ahead

As organizations increasingly rely on interconnected SaaS applications to power their operations, the security posture of each integration point becomes critical. This incident serves as a reminder that third-party applications with deep integrations into core business systems deliver operational efficiency but also widen the attack surface.

Organizations should inventory their connected application ecosystems, apply zero-trust principles to API access (IP allowlisting and least-privilege scopes for each connected app, with tokens revoked when no longer needed), and ensure robust monitoring of authentication and authorization activity across all integrated platforms. The days of "set and forget" SaaS integrations are over. Continuous validation and monitoring are essential to maintaining security in a connected enterprise environment.

Learn how to stay ahead of emerging threats. Contact us to speak with one of our threat intelligence experts.