November 21, 2025

UPDATE: Compromise of Third-Party Application Gainsight Enables Salesforce OAuth Token Abuse

Security Advisory
Kudelski Security Team

Summary

On 19–21 November 2025, Salesforce detected unusual and unauthorized activity associated with Gainsight-published Connected Apps installed in customer Salesforce orgs. This activity appears to involve OAuth token misuse, allowing threat actors to make API calls into customer environments through the delegated privileges of the Gainsight applications.

Salesforce responded by revoking all access and refresh tokens associated with Gainsight-published integrations and temporarily removing the applications from the AppExchange while investigations continue. Gainsight has acknowledged the incident and engaged Mandiant for forensic investigation.

Gainsight emphasizes that the issue is not caused by a vulnerability within Salesforce itself, but arises from external OAuth access to Salesforce via third-party applications. The threat actor ShinyHunters has claimed responsibility; attribution remains unverified.

Affected Systems and/or Applications

  • Gainsight-published Connected Apps, including (per Gainsight):
    • CS
    • Community / CC
    • Northpass / CE
    • Skilljar / SJ
    • Staircase / ST (listed in some communications only)
  • Salesforce orgs where these applications were installed and authorized.
  • OAuth access tokens and refresh tokens issued to Gainsight Connected Apps (revoked by Salesforce).
  • Third-party connectors relying on Gainsight’s integration layer, such as HubSpot and Zendesk connectors, which Gainsight has temporarily disabled while investigating.
  • Delegated-access integrations using OAuth tokens that may have been abused to access Salesforce APIs.

Salesforce initially identified three impacted customer orgs, later expanded as the investigation continued (exact number not publicly disclosed).

Technical Details

Incident Overview

  • Salesforce identified API calls from non-whitelisted IP addresses made through the Gainsight Connected App.
  • This activity indicates potential OAuth token compromise or unauthorized token reuse.
  • Gainsight confirmed that external connections to Salesforce via Gainsight apps were the vector; there is no Salesforce platform vulnerability.

Attack Chain (current understanding)

  1. Threat actors obtained or abused OAuth access/refresh tokens associated with Gainsight-published applications.
  2. Attackers used these tokens to authenticate to Salesforce APIs via the Gainsight Connected App.
  3. Salesforce observed anomalous API activity and revoked relevant tokens globally.
  4. Gainsight began internal analysis, disabled connectors, and engaged Mandiant.

Timeline (from Salesforce + Gainsight updates)

  • 19 Nov – Afternoon: Salesforce notifies Gainsight about unusual activity originating from Gainsight apps.
  • 19 Nov – Evening: Gainsight engineering initiates IR actions; Salesforce revokes tokens.
  • 20 Nov: Gainsight restores some non-Salesforce jobs; confirms small number of affected orgs.
  • 21 Nov: Salesforce updates help article; Gainsight releases extended FAQ; ongoing analysis by Mandiant.

Impact (current visibility)

  • Data types potentially exposed: Due to delegated OAuth privileges, possible exposed data includes Salesforce objects commonly accessible by Gainsight (e.g., Accounts, Contacts, Tasks, Cases, Engagement metadata). Exact objects or volumes are not publicly confirmed.
  • Threat actor attribution: ShinyHunters claims responsibility; Salesforce and Gainsight have not validated attribution.
  • Scope of exfiltration: Not publicly disclosed. Gainsight states only “a small number of orgs” showed anomalous activity.

Tactics & Techniques

  • OAuth token compromise and misuse
  • Abuse of delegated API access from third-party SaaS apps
  • Access from non-trusted IPs
  • Consistent with a broader trend of OAuth-based supply-chain attacks on Salesforce ecosystems (as noted by Quorum Cyber and others)

Mitigation

The following actions should be prioritized immediately:

Immediate Containment

  • Revoke all OAuth tokens associated with Gainsight-published Connected Apps (Salesforce has done this centrally; validate locally).
  • Disable or pause Gainsight OAuth authentication until reauthorization steps are provided by Gainsight.
  • Rotate all credentials and secrets associated with:
    • Gainsight service accounts
    • API keys
    • Connected App client secrets

Log Review & Threat Hunting

  • Conduct targeted review of:
    • ConnectedAppUsage logs
    • API login history
    • Session logs for non-whitelisted IPs
    • Unusual API query bursts or metadata access patterns
  • Hunt for the Indicators of Compromise (IOCs) listed in the last section of this advisory.
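The following script is an added example (not from Kudelski, Salesforce or Gainsight) of the log review described above: it walks API event rows, flags sessions whose client IP or User-Agent matches the advisory's IOC table or falls outside an allowlist, and flags sessions with an unusual burst of calls. The column names, the 203.0.113.0/24 allowlist and the sample rows are assumptions constructed for the example; only a subset of the IOC values is embedded.

```python
import csv
import io
import ipaddress
# Subset of IOC IPs and user agents from the advisory's table (extend with the full list).
IOC_IPS = {"104.3.11.1", "198.54.135.148", "146.70.171.216", "3.239.45.43"}
IOC_USER_AGENTS = {"python-requests/2.28.1", "python-requests/2.32.3",
                   "python/3.11 aiohttp/3.13.1", "Salesforce-Multi-Org-Fetcher/1.0"}
# Hypothetical allowlist: the ranges your Gainsight integration user is expected to come from.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BURST_THRESHOLD = 3  # API calls per login session in the sample window before flagging a burst
# Constructed sample rows shaped like a Salesforce API event log export (column names assumed).
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,ENTITY_NAME,LOGIN_KEY
API,20251119120000.000,005GAINSIGHT,203.0.113.10,Gainsight/1.0,Account,k1
API,20251119120100.000,005GAINSIGHT,198.54.135.148,python-requests/2.32.3,Contact,k2
API,20251119120130.000,005GAINSIGHT,198.54.135.148,python-requests/2.32.3,Account,k2
API,20251119120200.000,005GAINSIGHT,198.54.135.148,python-requests/2.32.3,Case,k2
API,20251119120300.000,005GAINSIGHT,203.0.113.11,Gainsight/1.0,Task,k1
API,20251119120400.000,005GAINSIGHT,192.0.2.77,Salesforce-Multi-Org-Fetcher/1.0,Account,k3
"""

def ip_allowed(ip):
    """True if the client IP falls inside one of the expected integration ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def hunt(log_text):
    """Return {login_key: (client_ips, reasons)} for sessions an analyst should review."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        s = sessions.setdefault(row["LOGIN_KEY"], {"ips": set(), "reasons": set(), "calls": 0})
        s["calls"] += 1
        s["ips"].add(row["CLIENT_IP"])
        if row["CLIENT_IP"] in IOC_IPS:
            s["reasons"].add("ioc-ip")
        if row["USER_AGENT"] in IOC_USER_AGENTS:
            s["reasons"].add("ioc-user-agent")
        if not ip_allowed(row["CLIENT_IP"]):
            s["reasons"].add("ip-not-allowlisted")
    findings = {}
    for key, s in sessions.items():
        if s["calls"] >= BURST_THRESHOLD:  # many calls in one session: possible bulk pull
            s["reasons"].add("api-burst")
        if s["reasons"]:
            findings[key] = (sorted(s["ips"]), sorted(s["reasons"]))
    return findings

if __name__ == "__main__":
    for key, (ips, reasons) in hunt(SAMPLE_LOG).items():
        print(f"session {key} from {', '.join(ips)}: {', '.join(reasons)}")
```

A session from an allowlisted range with the expected User-Agent (k1 in the sample) produces no finding, so the output is only the sessions worth an analyst's time.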

Access Control Hardening

  • Enforce MFA for service accounts where applicable.
  • Apply strict IP allowlists for high-privilege integration accounts.
  • Validate and minimize OAuth scopes granted to all Connected Apps.
  • Disable unused or legacy integrations.

Third-Party Risk Controls

  • Audit all SaaS-integrated Connected Apps across your Salesforce org.
  • Ensure least-privilege access model for all OAuth-connected systems.
  • Evaluate continuous monitoring controls for OAuth-token issuance and usage.

Communication & Stakeholder Coordination

  • Notify internal legal, compliance, and customer-experience teams where applicable.
  • Prepare downstream communications if customer data exposure is confirmed.
  • Monitor ongoing updates from Gainsight and Salesforce.

Indicators of Compromise (IOCs) (from Salesforce Help Article ID 005229029)

| IOC Type | Value | First Seen | Last Seen | Observed Activity |
|---|---|---|---|---|
| IP Address | 104.3.11.1 | 2025-11-08 | 2025-11-08 | AT&T IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135.148 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135.197 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135.205 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.171.216 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 169.150.203.245 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 172.113.237.48 | 2025-11-18 | 2025-11-18 | NSocks VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.149.173.227 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 135.134.96.76 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.111.21 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105.81 | 2025-11-19 | 2025-11-19 | Nexx VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105.153 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.66.35.35 | 2025-11-19 | 2025-11-19 | Tor VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.174.69 | 2025-11-19 | 2025-11-19 | Proton VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 82.163.174.83 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 3.239.45.43 | 2025-10-23 | 2025-10-23 | AWS IP; reconnaissance against customers with compromised Gainsight access token. |
| User Agent | python-requests/2.28.1 | 2025-11-08 | 2025-11-08 | Not an expected UA for Gainsight app; used with other IOCs. |
| User Agent | python-requests/2.32.3 | 2025-11-16 | 2025-11-16 | Not an expected UA for Gainsight app; used with other IOCs. |
| User Agent | python/3.11 aiohttp/3.13.1 | 2025-10-23 | 2025-10-23 | Not an expected UA for Gainsight app; used with other IOCs. |
| User Agent | Salesforce-Multi-Org-Fetcher/1.0 | 2025-11-18 | 2025-11-19 | Used by threat actor for unauthorized access; also seen in Salesloft Drift activity. |

References

  • Salesforce Help Article: https://help.salesforce.com/s/articleView?id=005229029&type=1
  • Gainsight – Incident FAQs: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809
  • Gainsight – Nov 20 Update: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faq-november-20th-afternoon-update-29801
  • Gainsight – Nov 21 Update: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faq-november-21st-update-29807
  • AppOmni Analysis: https://appomni.com/blog/salesforce-gainsight-unauthorized-access-security-advisory/
  • The Hacker News: https://thehackernews.com/2025/11/salesforce-flags-unauthorized-data.html
  • ShadowOpsIntel Campaign Overview: https://www.ampcuscyber.com/shadowopsintel/new-campaign-targeting-salesforce-customer-data-via-gainsight-published-apps/
  • Quorum Cyber Reporting on OAuth Attacks: https://www.quorumcyber.com/threat-intelligence/surge-in-salesforce-data-theft-campaigns-exploiting-oauth-integrations-and-vishing-attacks