Important: All previous updates/FAQs have been consolidated into this post, and we’ll continue adding new information here. Please subscribe to status.gainsight.com to stay informed when this post is updated.
Earlier answers remain accurate unless a question is addressed again in the latest update. As we learn more, some details may change.
November 22nd Update
Q: How many customers are affected by this security incident?
A: Salesforce initially provided a list of 3 impacted customers which has (as of Nov 21) been expanded to a larger list. The expanded set of customers that were affected were notified by Salesforce on Nov 21st. Based on the list provided by Salesforce, we have reached out to these customers directly as well.
Q: What Gainsight products are affected as a result of Salesforce’s precautionary measures to limit access?
A: At this time, CS, Community - CC, Northpass - CE, Skilljar - SJ and Staircase - ST are all affected. While these products are operational, their ability to read and write from Salesforce is unavailable temporarily.
Q: What other Gainsight CS connectors are not working as of today?
A: As of now, out of an abundance of caution, Gong.io, Zendesk and Hubspot connectors have been made inactive by the respective vendors (besides Salesforce).
Q: How can the impacted Gainsight customers get logs from Gainsight?
A: Please open a support ticket with Gainsight. Please rotate your Gainsight S3 keys (if you haven't done so already since Nov 20th 2025) as the logs are delivered via this S3 bucket. This step is required for Gainsight to send you the logs.
Q: Are there any other suggestions for customers from a security standpoint?
A: Mandiant has also suggested this Google Blog as a resource to provide to clients looking for guidance on their internal investigations.
Q: Can you give me a timeline story of what happened including actions taken by Gainsight?
November 19, 2025 – Afternoon
- Salesforce notifies Gainsight of unusual activity involving the Gainsight Salesforce Connected App.
- Salesforce reports a small number of customer orgs (3 orgs) showing suspicious access attempts.
- Gainsight initiates internal incident response procedures.
- First customer-facing update published regarding disruption to Salesforce-connected functionality.
November 19, 2025 – Evening
- Security, Engineering, and Product teams begin initial analysis.
- The response team convened.
- Gainsight engages Mandiant to support an independent forensic investigation.
- Mandiant begins evidence preservation and log collection.
- Salesforce has not provided any IOCs at this point.
November 20, 2025 – Morning
- Engineering teams begin validating impact boundaries.
- Engineering deploys updates restoring non-Salesforce-dependent Rules, Data Designer jobs, and Reports.
- First Office Hours session conducted to address customer questions.
November 20, 2025 – Afternoon
- Deeper log reviews and initial scoping completed by our Engineering teams.
- Salesforce confirms the unusual activity was limited to a small number of orgs.
- Gainsight begins preparing recommended precautionary actions.
November 21, 2025 – Morning
- JO programs not dependent on Salesforce data re-enabled.
- Second Office Hours sessions conducted.
- Continued working with Salesforce to get the IOCs.
November 21, 2025 – Afternoon
- Expanded list of customer orgs impacted provided by Salesforce (notified by Salesforce).
- Gainsight sent direct notifications to customers whose orgs were identified by Salesforce as having observed suspicious activity.
Ongoing
- Mandiant continues detailed forensic review of logs, token behavior, and Connector activity.
- Gainsight posts ongoing updates to the status page at status.gainsight.com.
- Additional customer guidance will be published as validated findings become available.
November 21st Update
Q: How many customers are affected by this security incident?
A: Salesforce initially provided a list of 3 impacted customers which has (as of Nov 21) been expanded to a larger list. The expanded set of customers that were affected were notified by Salesforce earlier today. Based on the list provided by Salesforce, we have reached out to these customers directly as well.
Q: How do I set up a direct NXT login?
A: Details on how an admin can set up direct NXT login access are provided here, and info on how CSMs can get access is mentioned here. Please reach out to Gainsight support for any assistance.
Q: What Gainsight products are affected as a result of Salesforce’s precautionary measures to limit access?
A: At this time, CS, Community - CC, Northpass - CE, Skilljar - SJ are all affected. While these products are operational, their ability to read and write from Salesforce is unavailable temporarily.
Q: Is Gainsight secure?
A: We have engaged the cybersecurity experts at Mandiant to complete a thorough and independent review. If any new findings emerge, we will communicate them promptly and transparently. In parallel, and out of an abundance of caution, we have already taken several steps to further harden our environment, including rotating multi-factor credentials used to access VPN and critical systems. These actions were taken proactively to ensure our systems remain secure as the investigation continues. Our priority is to ensure you can use the product with confidence, and we will continue to share validated updates as the investigation progresses.
Q: How should I protect myself?
A: We recommend a set of precautionary steps to help customers further protect their environments. These actions align with standard best practices during any security investigation:
- Rotate the S3 bucket access keys used for connections with Gainsight.
- Log in to Gainsight NXT directly, rather than through Salesforce until the Salesforce Connected App functionality is fully restored.
- As part of this, reset NXT user passwords for any users who do not authenticate via SSO.
- Re-authorize any connected applications or integrations that rely on user credentials or tokens.
These steps are preventative in nature and are designed to ensure your environment remains secure while the investigation continues. We will provide additional guidance if Mandiant’s independent review uncovers any new recommendations.
Q: Will you share indicators of compromise (IOCs)?
A: Salesforce has published the IOCs here.
Q: Can Gainsight provide IP ranges/subnets that Salesforce login events from the Gainsight connector should originate from? Also, can you confirm that traffic coming directly from Gainsight-associated IPs should be legitimate?
A: Yes. However, at this time, we can only provide these in a support ticket. Customers can request this data by opening a support ticket. Please note that these are Gainsight Whitelisted IPs (NOT bad IPs). Salesforce has a post regarding IOCs here.
Q: When will access be restored between Gainsight and Salesforce?
A: We do not have an ETA, but will keep our status page updated in real-time with any new information - Status Page
Q: Will we need to reinstall GS on the SFDC instance after this or any related connectors?
A: You will need to reauthorize your connection once the incident is resolved. If any additional steps are needed that will also be communicated.
Q: We are no longer able to login to Gainsight via Salesforce. Was this change made by Salesforce?
A: Yes, this change was made by Salesforce as a precautionary step while the investigation continues.
Q: Once the connection is reestablished will Salesforce dependent rules, programs, reports, etc. require a rebuild?
A: Once the connection is reestablished it will need to be reauthorized. We will provide next steps at that time.
Q: Who would be the best contact from Gainsight side to receive and provide response regarding security?
A: You can speak with our security team by emailing security@gainsight.com.
Q: If we would like to reset NXT user passwords who do not authorize via SSO who would we speak to?
A: Please submit a support ticket to the Gainsight support team and they can assist.
Q: How far back should we review when performing our own internal audit?
A: We recommend reviewing data from the last 4 weeks in Salesforce.
Q: We believe we were impacted but still have not heard from Salesforce. Who should we speak to?
A: The recommendation is to reach out to Salesforce directly to get confirmation from them if you were impacted. At the time of writing this response, Salesforce may have sent out emails to all the impacted customers.
Q: Are there any logs that Gainsight can provide to help assist with our own internal investigation?
A: This will depend on the information you’re trying to investigate. Please open up a support ticket with the Gainsight support team if you believe you need additional logs for review.
Q: Since the Gainsight app has been revoked from Salesforce will it need to be redeployed to our environment?
A: Yes. We will update everyone with re-enablement steps once those are available.
Q: If our users access Gainsight via Salesforce do we have to wait until the incident is resolved before they can log back in?
A: No. As a temporary workaround you can login directly to NXT via the direct URL. If you are unsure what your URL is please contact the Gainsight support team.
Q: Has Salesforce given any indication how much longer the investigation into impacted customers will take?
A: There is no confirmed ETA. The investigation is ongoing and we will continue to keep you updated as it progresses.
Q: Is there any evidence of these attacks spanning into other connectors/connections originating on the Gainsight platform?
A: No. Based on current evidence, the only impacted connection was the CS Gainsight to Salesforce connection.
Q: Should we ask all our NXT users to reset their passwords?
A: Yes. That is a good precautionary step.
Q: Do you have an ETA to deliver a root cause analysis?
A: We do not have an ETA at this time but we will be continuously updating our status page with any new information.
Q: Should we halt all other configuration attempts in Gainsight even if they don’t touch salesforce?
A: At the moment there has been no indication that Gainsight standalone elements have been impacted so you should be able to continue configuration.
Q: What other Gainsight CS connectors are not working as of today?
A: As of now, out of an abundance of caution, Zendesk and Hubspot connectors have been made inactive by the respective vendors.
Q: What works within Gainsight CS and what doesn't?
A: Please review the document here.
November 20th update
Q: Can you share what the suspicious activity was, and have you ruled out compromise of OAuth connections to other apps?
A: Salesforce detected API calls using the Gainsight Connected App coming from non-whitelisted IPs. At the moment only three orgs are known to be impacted. The Gainsight Salesforce connection should be the only impacted product.
Q: Will Salesforce contact us if we’ve been impacted?
A: Yes, Salesforce should have already proactively reached out to you.
Q: If Salesforce has not contacted us, does that mean we weren’t impacted?
A: It's likely you were not impacted but the investigation is still ongoing.
Q: Rules that were not connected to Salesforce also failed — should they work now?
A: Yes. A fix was pushed earlier today. Non-Salesforce queries, rules, and Data Designer should now run normally.
Q: Are S3 jobs impacted?
A: No. S3 jobs that do not rely on Salesforce data at all should continue to execute correctly.
Q: Can you give an ETA on when investigations will be complete?
A: Investigations will take a few days so there is no firm timeline on when they will be complete.
Q: Do we need to manually reactivate rules that went inactive?
A: Yes, some rules will require manual reactivation if they failed repeatedly.
Q: Once integrations are restored, can we be confident that processing data is safe and no attacker still has any harvested credentials?
A: Gainsight, Salesforce, and a third-party forensics firm are jointly reviewing all security layers. They will not restore API access until fully cleared. Our third-party will issue a formal report and any remediation guidance. Gainsight will likely move to a packaged version of the Connected App to ensure a clean and secure reset. While no one can guarantee absolute protection, we will only turn services back on once fully vetted.
Q: Should we disable other Gainsight products?
A: No. There is no indication that any other product was impacted apart from CS.
Q: Will you provide a detailed timeline of events?
A: Yes. We will share a complete timeline once the investigation is concluded and provide periodic updates throughout the process.
Q: Is there evidence of actual data exfiltration vs. just unauthorized access?
A: Salesforce has not yet provided details on object-level impact or data exfiltration.
Q: Can Gainsight provide IP ranges/subnets that Salesforce login events from the Gainsight connector should originate from? Also, can you confirm that traffic coming directly from Gainsight-associated IPs should be legitimate?
A: Yes. However, at this time, we can only provide these in a support ticket. Customers can request this data by opening a support ticket.
Q: What is expected to happen when the syncs turn back on? Will all changes be picked up?
A: The connector will need to be re-authorized when it’s re-enabled. Existing schedules will remain, but some rules may require admins to turn them back on if they were disabled. Once all queues are turned back on we will likely see delays as jobs work to catch up. We also recommend performing an evaluation of all key jobs after the connector is turned back on to make sure they’re functioning properly.
Q: Are there any logs we can use to perform our own internal investigation?
A: Salesforce maintains logs with IPs, timestamps, and connected-app activity. Admins should be able to request additional Salesforce Connected App access logs from Salesforce if required.
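The review these answers describe (connected-app activity checked against the allowlisted Gainsight IPs over the last 4 weeks) can be scripted. The following is an added example, not Gainsight's or Salesforce's code: the CSV column names, the `Gainsight` application label and the sample rows are constructed, and the CIDR ranges are documentation placeholders standing in for the ranges Gainsight provides via support ticket.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Placeholder ranges (RFC 5737 documentation blocks), NOT real Gainsight IPs.
ALLOWED_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]
APP_NAME = "Gainsight"            # assumed connected-app label in the export
REVIEW_WINDOW = timedelta(weeks=4)  # review period recommended in this FAQ

# Constructed sample export; column names are assumptions.
SAMPLE_EXPORT = """timestamp,application,source_ip,user
2025-11-18T09:15:00Z,Gainsight,192.0.2.17,integration@example.com
2025-11-18T23:41:12Z,Gainsight,203.0.113.45,integration@example.com
2025-11-10T02:03:44Z,Gainsight,198.51.100.200,integration@example.com
2025-11-12T14:00:00Z,Other App,203.0.113.45,alice@example.com
2025-10-01T08:00:00Z,Gainsight,203.0.113.99,integration@example.com
2025-11-19T07:30:00Z,Gainsight,not-an-ip,integration@example.com
"""

def parse_ts(value):
    """Parse a UTC timestamp such as 2025-11-18T09:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(export_text, as_of):
    """Return (flagged, unparsed) rows for the connected app within the window."""
    flagged, unparsed = [], []
    start = as_of - REVIEW_WINDOW
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["application"] != APP_NAME:
            continue
        try:
            when = parse_ts(row["timestamp"])
            addr = ip_address(row["source_ip"].strip())
        except ValueError:
            unparsed.append(row)  # keep malformed rows for manual review
            continue
        if not (start <= when <= as_of):
            continue
        # Flag any in-window event whose source is outside every allowed range.
        if not any(addr in net for net in ALLOWED_NETWORKS):
            flagged.append(row)
    return flagged, unparsed

if __name__ == "__main__":
    as_of = datetime(2025, 11, 22, tzinfo=timezone.utc)
    flagged, unparsed = triage(SAMPLE_EXPORT, as_of)
    for row in flagged:
        print("REVIEW", row["timestamp"], row["source_ip"], row["user"])
    for row in unparsed:
        print("UNPARSED", row)
```

Rows that fail to parse are returned separately rather than skipped, so a malformed address cannot hide an event from the review.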
Q: Have all credentials/tokens/certificates for other Gainsight integrations been rotated?
A: Customers can perform key rotation on other Gainsight integrations that they own. Our third party team will also perform an audit on these.
Q: Do you have any indication that Gainsight as a whole is compromised? Or is this strictly the Salesforce-connected app?
A: Currently there is no indication of further compromise but the investigation is still ongoing.
Q: Do the compromised tokens allow access to all orgs or is it isolated to specific ones?
A: It is isolated: each abused token was scoped to a single customer org.
Q: Would we see the bad IP connections on our end, or does it terminate on the Gainsight side?
A: It terminates on Salesforce’s side. You can request a list of connection requests from Salesforce.
Q: Have you seen signs of attackers sending out phishing emails or using bulk email features?
A: No signs of any such activity. Additional monitoring is in place.
Q: Are the Gmail/Outlook plugins impacted?
A: Yes, if users log in through Salesforce. As a workaround you can log in directly via Gainsight or use BCC addresses.
Q: Do CSMs need to create CSQLs directly in Salesforce for now?
A: Yes. Renewal Center and CSQL interfaces will not work because they require immediate writes to Salesforce.
Q: Does the Journey Orchestrator outage affect survey responses from being recorded?
A: No. Survey responses will still come through normally. Audience queries that rely on Salesforce information will fail though.
Q: Is there a way to export our logs from Gainsight for independent review?
A: For API calls you’ll want to review Salesforce logs which can be requested from Salesforce. For Gainsight logs - we are reviewing options for what anyone might need.
Q: Rules got de-activated last night with repeated failures. What do we do about them?
A: Rules that were marked as inactive due to five consecutive failures have now been reactivated across all regions.
Q: I’m not able to login via Salesforce at all. What can I do?
A: Use direct NXT login (your admin has to enable it).