Gainsight CEO downplays impact of attack that spread to Salesforce environments

Gainsight is downplaying the severity of a recent security breach that affected its customer management platform and potentially extended to connected Salesforce environments. The company has launched an independent forensic investigation to determine the full scope of the intrusion and whether other third-party applications were compromised.

In a blog post Tuesday, Gainsight CEO Chuck Ganapathi stated that, while Salesforce identified compromised customer tokens, only a small number of customers appear to have had their data affected. “Salesforce has notified the affected customers, and we are working directly with them to provide support,” he wrote.

Despite these assurances, details surrounding the incident remain fragmented. Gainsight and Salesforce have been releasing updates independently, creating discrepancies in the reported number of impacted companies and the extent of compromise. Google’s Threat Intelligence Group, affiliated with Mandiant under Google Cloud, reported that over 200 Salesforce instances may have been affected.

Mandiant continues to analyze logs, token activity, and connector behavior to provide a comprehensive view of how attackers used Gainsight customers’ access tokens. Gainsight also confirmed that platforms such as HubSpot, Zendesk, and Gong.io temporarily revoked Gainsight tokens “out of an abundance of caution,” though no confirmed impacts on these systems have been reported. Salesforce maintained that the breach did not involve a vulnerability in its platform.

The incident bears similarities to a recent downstream attack affecting more than 700 customers who integrated Salesloft Drift into Salesforce. Gainsight emphasized that customers should focus investigations on Salesforce logs for authentication attempts and API activity originating from the Gainsight Connected App, as these logs are the most reliable source of information.

As a precaution, Gainsight recommended configuring IP restrictions for API calls to prevent unauthorized requests. The company is assisting customers in managing their Gainsight Customer Success instances while its Salesforce-connected app remains offline.

Ganapathi stressed the importance of collaboration within the SaaS ecosystem to counter supply chain attacks. “The only way we beat these threats is by working together and sharing information and strategies,” he said. “We are committed to sharing what we learn to help strengthen defenses across the industry.”