Security Advisory: Unusual Activity related to the Gainsight application

Publication date: Apr 22, 2026
Description

Update: Dec 10, 2025 

Salesforce has re-enabled integrations with Gainsight. This decision follows security measures and remediation steps implemented by Gainsight, which were independently validated by Mandiant and CrowdStrike.

For Gainsight's latest investigation and remediation updates, see https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809


Original Advisory: Nov 24, 2025

 

At Salesforce, we understand that the confidentiality, integrity, and availability of your data is vital to your business, and we take the protection of your data very seriously. This Security Advisory was created to inform our customers that Salesforce detected unusual activity involving Gainsight-published applications, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the applications’ connection. 

 

On November 20, 2025, Salesforce disabled the connection between Gainsight-published applications and Salesforce. As of December 10, 2025, Salesforce has re-enabled integrations with Gainsight following security measures and remediation steps implemented by Gainsight which were independently validated by Mandiant and CrowdStrike.

 

There is no indication that this issue resulted from any vulnerability in the Salesforce platform. For Gainsight's latest investigation and remediation updates, see:

https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

 

IMPORTANT: Salesforce's revocation of the Gainsight application’s OAuth tokens on November 20, 2025, did NOT delete your historical audit trails or hinder your ability to investigate this activity. All Setup Audit Trail entries, Event Monitoring logs, and API activity records remain intact and accessible. Salesforce strongly recommends that customers conduct a comprehensive review of all available logs when investigating potential compromise. Guidance on log review can be found in the Salesforce Log Analysis Guide.

 

Known Indicators of Compromise (IoCs)

The following table lists known Indicators of Compromise (IoCs) associated with the threat actor activity detected in connection with the Gainsight application. They include IP addresses associated with VPN proxy services (including Mullvad, Surfshark, Proton, and Tor) and anomalous user agent strings not associated with Gainsight's connected app. Customers should check their Event Monitoring logs for activity from these IPs between October and November 2025.

 

| IOC Type | Value | First Seen | Last Seen | Observed Activity |
|---|---|---|---|---|
| IP Address | 104.3.11.1 | 2025-11-08 | 2025-11-08 | AT&T IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135.148 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135.197 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135.205 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.171.216 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 169.150.203.245 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 172.113.237.48 | 2025-11-18 | 2025-11-18 | NSocks VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.149.173.227 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 135.134.96.76 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.111.21 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105.81 | 2025-11-19 | 2025-11-19 | Nexx VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105.153 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.66.35.35 | 2025-11-19 | 2025-11-19 | Tor VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.174.69 | 2025-11-19 | 2025-11-19 | Proton VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 82.163.174.83 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 3.239.45.43 | 2025-10-23 | 2025-10-23 | AWS IP; reconnaissance against customers with compromised Gainsight access token. |
| User Agent | python-requests/2.28.1 | 2025-11-08 | 2025-11-08 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared. |
| User Agent | python-requests/2.32.3 | 2025-11-16 | 2025-11-16 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared. |
| User Agent | python/3.11 aiohttp/3.13.1 | 2025-10-23 | 2025-10-23 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared. |
| User Agent | Salesforce-Multi-Org-Fetcher/1.0 | 2025-11-18 | 2025-11-19 | Leveraged by threat actor for unauthorized access; also observed in Salesloft Drift activity. |

 

Recommended Customer Actions 

 

We strongly urge all customers to perform a full review of their logs for any unexpected activity related to the Gainsight connection to Salesforce, not limited to the IoCs listed above.
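One way to run the log review the advisory asks for, as an added example that is not Salesforce's or Gainsight's code: a Python scan of an Event Monitoring EventLogFile CSV export for the IoC IP addresses and user agents listed above, restricted to the October to November 2025 window. The column names and timestamp layout are assumed from the EventLogFile CSV format, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# IoC values copied from the advisory table above.
IOC_IPS = {
    "104.3.11.1", "198.54.135.148", "198.54.135.197", "198.54.135.205",
    "146.70.171.216", "169.150.203.245", "172.113.237.48", "45.149.173.227",
    "135.134.96.76", "65.195.111.21", "65.195.105.81", "65.195.105.153",
    "45.66.35.35", "146.70.174.69", "82.163.174.83", "3.239.45.43",
}
IOC_USER_AGENTS = {
    "python-requests/2.28.1", "python-requests/2.32.3",
    "python/3.11 aiohttp/3.13.1", "Salesforce-Multi-Org-Fetcher/1.0",
}
# Review window named in the advisory: October through November 2025.
WINDOW_START, WINDOW_END = date(2025, 10, 1), date(2025, 11, 30)


def scan_event_log(csv_text):
    """Return one finding per row whose CLIENT_IP or USER_AGENT is an IoC and
    whose TIMESTAMP falls inside the review window. Column names are assumed
    to follow the EventLogFile CSV layout; adjust them to match your export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumed timestamp layout yyyyMMddHHmmss.SSS; only the date part is needed.
        seen = datetime.strptime(row["TIMESTAMP"][:8], "%Y%m%d").date()
        if not WINDOW_START <= seen <= WINDOW_END:
            continue
        matched = []
        if row.get("CLIENT_IP") in IOC_IPS:
            matched.append("ip")
        if row.get("USER_AGENT") in IOC_USER_AGENTS:
            matched.append("user_agent")
        if matched:  # a single IoC hit is enough to flag the row for analyst review
            findings.append({"timestamp": row["TIMESTAMP"], "user_id": row["USER_ID"],
                             "client_ip": row["CLIENT_IP"], "user_agent": row["USER_AGENT"],
                             "matched": matched})
    return findings


# Constructed sample rows (not real log data): an IP+UA hit, a UA-only hit,
# a clean row, and an IoC hit outside the review window that must be ignored.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT
API,20251118093012.001,005EXAMPLE000001AAA,169.150.203.245,Salesforce-Multi-Org-Fetcher/1.0
API,20251116141500.221,005EXAMPLE000002AAA,203.0.113.7,python-requests/2.32.3
API,20251118101000.000,005EXAMPLE000003AAA,198.51.100.10,ExampleVendorApp/1.0
API,20250902120000.000,005EXAMPLE000004AAA,104.3.11.1,python-requests/2.28.1
"""
```

A match on an IoC is a lead for analyst review, not proof of compromise on its own; the advisory's user-agent entries in particular are meant to be read together with the other IoCs.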

 

Resolution

Salesforce recommends all customers who had Gainsight-published applications installed perform a full review of their logs for any unexpected activity. Specific guidance is available in the Salesforce Log Analysis Guide. 

Additional resources

Salesforce Trust post

Salesforce Log Analysis Guide

Knowledge article number

005229029

Salesforce Help | Article