
Salesforce - Gainsight Connected App Incident FAQ (November 20th Afternoon Update)

  • November 21, 2025

Brent Krempges


Q: Can you share what the suspicious activity was, and have you ruled out compromise of OAuth connections to other apps?
A: Salesforce detected API calls using the Gainsight Connected App coming from non-whitelisted IPs. At the moment only three orgs are known to be impacted. The Gainsight Salesforce connection should be the only impacted product.

Q: Will Salesforce contact us if we’ve been impacted?
A: Yes, Salesforce should have already proactively reached out to you.

Q: If Salesforce has not contacted us, does that mean we weren’t impacted?
A: It's likely you were not impacted but the investigation is still ongoing.

Q: Rules that were not connected to Salesforce also failed — should they work now?
A: Yes. A fix was pushed earlier today. Non-Salesforce queries, rules, and Data Designer should now run normally.

Q: Are S3 jobs impacted?
A: No. S3 jobs that do not rely on Salesforce data at all should continue to execute correctly.

Q: Can you give an ETA on when investigations will be complete?
A: Investigations will take a few days so there is no firm timeline on when they will be complete.

Q: Do we need to manually reactivate rules that went inactive?
A: Yes, some rules will require manual reactivation if they failed repeatedly.

Q: Once integrations are restored, can we be confident that processing data is safe and no attacker still has any harvested credentials?
A: Gainsight, Salesforce, and a third-party forensics firm are jointly reviewing all security layers. They will not restore API access until fully cleared. Our third party will issue a formal report and any remediation guidance. Gainsight will likely move to a packaged version of the Connected App to ensure a clean and secure reset. While no one can guarantee absolute protection, we will only turn services back on once fully vetted.

Q: Should we disable other Gainsight products?
A: No. There is no indication that any other product was impacted apart from CS.

Q: Will you provide a detailed timeline of events?
A: Yes. We will share a complete timeline once the investigation is concluded and provide periodic updates throughout the process.

Q: Is there evidence of actual data exfiltration vs. just unauthorized access?
A: Salesforce has not yet provided details on object-level impact or data exfiltration.

Q: Can Gainsight provide IP ranges/subnets that Salesforce login events from the Gainsight connector should originate from? Also, can you confirm that traffic coming directly from Gainsight-associated IPs should be legitimate?
A: Yes. However, at this time, we can only provide these in a support ticket. Customers can request this data by opening a support ticket.

Q: What is expected to happen when the syncs turn back on? Will all changes be picked up?
A: The connector will need to be re-authorized when it’s re-enabled. Existing schedules will remain, but some rules may require admins to turn them back on if they were disabled. Once all queues are turned back on, we will likely see delays as jobs work to catch up. We also recommend performing an evaluation of all key jobs after the connector is turned back on to make sure they’re functioning properly.

Q: Are there any logs we can use to perform our own internal investigation?
A: Salesforce maintains logs with IPs, timestamps, and connected-app activity. Admins should be able to request additional Salesforce Connected App access logs from Salesforce if required.

Q: Have all credentials/tokens/certificates for other Gainsight integrations been rotated?
A: Customers can perform key rotation on other Gainsight integrations that they own. Our third-party team will also perform an audit on these.

Q: Do you have any indication that Gainsight as a whole is compromised? Or is this strictly the Salesforce-connected app?
A: Currently there is no indication of further compromise but the investigation is still ongoing.

Q: Do the compromised tokens allow access to all orgs or is it isolated to specific ones?
A: It is isolated: each abused token was scoped to a single customer org.

Q: Would we see the bad IP connections on our end, or does it terminate on the Gainsight side?
A: It terminates on Salesforce’s side. You can request a list of connection requests from Salesforce.

Q: Have you seen signs of attackers sending out phishing emails or using bulk email features?
A: No signs of any such activity. Additional monitoring is in place.

Q: Are the Gmail/Outlook plugins impacted?
A: Yes, if users log in through Salesforce. As a workaround you can log in directly via Gainsight or use BCC addresses.

Q: Do CSMs need to create CSQLs directly in Salesforce for now?
A: Yes. Renewal Center and CSQL interfaces will not work because they require immediate writes to Salesforce.

Q: Does the Journey Orchestrator outage prevent survey responses from being recorded?
A: No. Survey responses will still come through normally. Audience queries that rely on Salesforce information will fail though.

Q: Is there a way to export our logs from Gainsight for independent review?
A: For API calls, you’ll want to review Salesforce logs, which can be requested from Salesforce. For Gainsight logs, we are reviewing options for what anyone might need.

Q: Rules got de-activated last night with repeated failures. What do we do about them?
A: Rules that were marked as inactive due to five consecutive failures have now been reactivated across all regions.

Q: I’m not able to log in via Salesforce at all. What can I do?
A: Use direct NXT login (your admin has to enable it).

Check out our original post here for reference. 
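
For the answers above on Gainsight IP ranges and Salesforce connected-app logs, the following is an added example (not Gainsight or Salesforce code) of checking a log export for connected-app events whose source IP falls outside the allowlisted ranges. The column names, the app label "Gainsight", the sample rows and the CIDR ranges are all constructed placeholders; substitute the ranges received through your support ticket and the fields in the log Salesforce provides.

```python
import csv
import io
import ipaddress

# Placeholder allowlist (RFC 5737 documentation ranges). The real ranges are
# only provided by Gainsight through a support ticket.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.16/28"]

# Constructed sample export. Column names and the app label "Gainsight" are
# assumptions; map them to the fields in the log Salesforce gives you.
SAMPLE_LOG = """timestamp,source_ip,app
2025-11-19T02:14:07Z,203.0.113.25,Gainsight
2025-11-19T02:15:44Z,192.0.2.77,Gainsight
2025-11-19T02:16:02Z,192.0.2.77,Other App
2025-11-19T02:20:31Z,198.51.100.40,Gainsight
2025-11-19T02:21:09Z,not-an-ip,Gainsight
2025-11-19T02:25:50Z,198.51.100.20,gainsight
"""

def find_suspicious(log_text, allowed_ranges, app_name="Gainsight"):
    """Return (timestamp, source_ip, reason) for connected-app events that
    did not originate from an allowlisted network."""
    networks = [ipaddress.ip_network(r) for r in allowed_ranges]
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["app"].strip().lower() != app_name.lower():
            continue  # only the connected app under investigation
        raw_ip = row["source_ip"].strip()
        try:
            addr = ipaddress.ip_address(raw_ip)
        except ValueError:
            # Unparseable source: surface it for review rather than drop it
            findings.append((row["timestamp"], raw_ip, "unparseable source IP"))
            continue
        if not any(addr in net for net in networks):
            findings.append((row["timestamp"], raw_ip, "outside allowlist"))
    return findings

if __name__ == "__main__":
    for ts, ip, reason in find_suspicious(SAMPLE_LOG, ALLOWED_RANGES):
        print(f"{ts}  {ip:<15}  {reason}")
```

Rows with an unparseable source address are reported instead of skipped, so a malformed export cannot hide an event from review.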
