
Gainsight Minimizes Fallout as Investigation Probes Breach Reaching Salesforce Environments


An independent forensic review is underway to assess the scope of a security breach involving customer-success platform Gainsight and possible downstream impact on Salesforce and other integrated systems. Despite lingering uncertainty, Gainsight’s leadership maintains that the intrusion’s effect on customer data remains limited.

Gainsight CEO Chuck Ganapathi said Tuesday that only a “small number” of customers have experienced confirmed data exposure, even though Salesforce has detected compromised customer access tokens linked to the attack.

“Salesforce has notified the affected customers, and we are engaging with each of them directly,” Ganapathi said in a company update, noting that the investigation is still ongoing.

Conflicting Details Cloud Understanding of the Breach

Public information about the attack remains inconsistent, partly because Gainsight and Salesforce are issuing updates independently and focusing on their respective ecosystems. Both companies have avoided releasing specific numbers, even as additional victims continue to be identified.

Gainsight said it is relying heavily on Salesforce and Mandiant—its incident response partner—to pinpoint impacted organizations and provide indicators of compromise.

Salesforce initially identified three affected customers, later acknowledging additional confirmed victims. Meanwhile, Google’s Threat Intelligence Group stated last week that more than 200 Salesforce instances may have been impacted, though it has not updated that estimate.

Security experts note that such discrepancies are common in supply-chain attacks, where one vendor breach can cascade downstream across integrated platforms.

Ongoing Forensic Review Targets Token Abuse

Mandiant analysts are continuing to examine authentication logs, token patterns, and connector actions to determine how attackers exploited Gainsight-issued access tokens and whether they leveraged them to infiltrate other systems.

In the wake of the attack, HubSpot, Zendesk, and Gong.io temporarily revoked Gainsight customers’ access tokens as a precaution. Gainsight said it has not found evidence of compromise in these third-party environments. Salesforce has also emphasized that the incident did not stem from a vulnerability in its own platform.

The initial findings resemble a major attack two months earlier, when integrations with Salesloft Drift enabled hackers to infiltrate more than 700 Salesforce customers.

Salesforce Logs Deemed Key to Identifying Compromise

Salesforce has published the most detailed threat-hunting guidance to date, including indicators of compromise, activity timelines, and IP addresses tied to malicious behavior dating back to October 23.

Customers were urged to review Salesforce logs showing authentication attempts and API calls made through Gainsight’s Connected App. According to Gainsight’s Chief Customer Officer Brent Krempges, Gainsight’s own logs offer limited value for investigation.

“These Salesforce-side logs are the authoritative source for detecting unusual access,” Krempges said.

Gainsight also recommended enabling IP restrictions for API access—an optional control that requires cooperation from all vendors in an organization’s integration chain. Identity provider Okta reported that such restrictions helped block attempts to exploit Drift integrations in a similar incident earlier this year.
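The two controls described above, reviewing Salesforce-side login and API activity attributed to the Connected App and restricting that access to known vendor IP ranges, can be combined into a simple triage pass over an exported log. The script below is an added illustration and is not code from Gainsight, Salesforce, or Mandiant. The log rows are constructed sample data using documentation-reserved IP ranges, the column names (timestamp, user, application, source_ip, api_calls, and so on) are assumptions loosely modelled on a login-history export rather than any field names given in the article, and the allowlist, app label, and call-volume threshold are placeholders an organization would replace with its own values.

```python
"""Triage a constructed Connected App activity export against an IP allowlist.

Added example; not the vendors' own tooling. Column names, the app label,
the allowlist, and the volume threshold are assumptions.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Constructed sample export. IPs are from documentation-reserved ranges.
SAMPLE_LOG = """\
timestamp,user,application,source_ip,login_type,status,api_calls
2025-10-22T09:15:02Z,integration@example.com,Gainsight Connected App,203.0.113.10,Remote Access 2.0,Success,120
2025-10-23T02:41:17Z,integration@example.com,Gainsight Connected App,198.51.100.77,Remote Access 2.0,Success,4800
2025-10-23T02:55:40Z,integration@example.com,Gainsight Connected App,198.51.100.77,Remote Access 2.0,Success,5100
2025-10-24T10:00:05Z,alice@example.com,Browser,203.0.113.25,Application,Success,0
2025-10-24T11:30:00Z,integration@example.com,Gainsight Connected App,203.0.113.10,Remote Access 2.0,Success,95
"""

# Assumed allowlist: egress ranges agreed with the integration vendor.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed label under which the Connected App appears in the export.
CONNECTED_APP = "Gainsight Connected App"
# Assumed per-event API call volume above the integration's normal baseline.
API_CALL_THRESHOLD = 1000


@dataclass
class Finding:
    """One log row that needs a closer look, with every reason it matched."""
    timestamp: str
    user: str
    source_ip: str
    reasons: list = field(default_factory=list)


def parse_rows(text: str) -> list:
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def ip_allowed(ip: str, ranges=None) -> bool:
    """True if the source IP falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in (ranges or ALLOWED_RANGES))


def find_suspicious(rows, app=CONNECTED_APP, threshold=API_CALL_THRESHOLD) -> list:
    """Return rows attributed to the Connected App that came from an
    unexpected IP or carried an unusually high API call volume."""
    findings = []
    for row in rows:
        if row["application"] != app:
            continue  # only Connected App activity is in scope here
        reasons = []
        if not ip_allowed(row["source_ip"]):
            reasons.append("source IP outside vendor allowlist")
        if int(row["api_calls"]) > threshold:
            reasons.append("API call volume above baseline")
        if reasons:
            findings.append(Finding(row["timestamp"], row["user"], row["source_ip"], reasons))
    return findings


def count_by_ip(findings) -> dict:
    """Aggregate findings per source IP to see which addresses recur."""
    counts = {}
    for f in findings:
        counts[f.source_ip] = counts.get(f.source_ip, 0) + 1
    return counts


def earliest(findings) -> str:
    """Earliest suspicious timestamp, the starting point for a timeline review."""
    return min(f.timestamp for f in findings) if findings else ""


if __name__ == "__main__":
    hits = find_suspicious(parse_rows(SAMPLE_LOG))
    for h in hits:
        print(h.timestamp, h.user, h.source_ip, "; ".join(h.reasons))
    print("recurring IPs:", count_by_ip(hits))
    print("review from:", earliest(hits))
```

The allowlist check only helps when every vendor in the integration chain publishes stable egress ranges, which is the cooperation requirement the article mentions; where a vendor cannot, the volume and timeline checks still give a starting point for reviewing the authoritative Salesforce-side logs.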

Gainsight Pledges Transparency as Recovery Continues

Ganapathi, who became CEO in August, acknowledged the vital role Gainsight plays in customer operations and said the company is actively helping customers maintain their Gainsight CS environments while its Salesforce-connected app remains offline.

“The only way we defeat threats like this is by collaborating and sharing insights,” he said, pledging to publish lessons learned to strengthen industry-wide SaaS security practices.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO