Security Advisory: Salesforce Gainsight Incident

  • securityboulevard.com
  • published date: 2025-11-20 00:00:00 UTC

<p class="wp-block-paragraph">On November 19, 2025, at 8:00 PM, <a href="https://status.salesforce.com/generalmessages/20000233" rel="noreferrer noopener">Salesforce issued a security advisory</a> after detecting unusual activity associated with Gainsight-published applications that may enable unauthorized access to certain customers’ Salesforce data through Gainsight’s connected integrations. Apps published by Gainsight have been temporarily removed from the Salesforce AppExchange.</p><p class="wp-block-paragraph">As part of the initial response, Salesforce has revoked active access and refresh tokens associated with Gainsight applications.</p><h2 class="wp-block-heading" id="h-what-are-the-recommended-actions">What are the recommended actions?</h2><p class="wp-block-paragraph">AppOmni is monitoring the Salesforce Gainsight incident closely and is advising all customers, and any organization with Salesforce-Gainsight integrations, to take the following actions:</p><ol class="wp-block-list"> <li class="wp-block-list-item"><strong>Inventory &amp; verify: </strong>Identify any Gainsight-published apps connected to your Salesforce orgs. Confirm business ownership and current need. Customers can identify Gainsight apps in their environment by navigating to “Third Party → Connected Apps → ‘Gainsight’.”</li> <li class="wp-block-list-item"><strong>Review OAuth scopes: </strong>Ensure requested scopes align with least privilege. 
Remove excessive scopes and unused integrations.</li> <li class="wp-block-list-item"><strong>Rotate credentials: </strong>Regenerate tokens/keys for affected integrations and service accounts where applicable.</li> <li class="wp-block-list-item"><strong>Check for suspicious activity: </strong>Review login history, connected app usage, and audit logs for anomalous behavior during the affected window.</li> <li class="wp-block-list-item"><strong>Tighten policies:</strong> Enforce MFA, IP restrictions, and session policies for integration users.</li> <li class="wp-block-list-item"><strong>Use AppOmni capabilities:</strong> <ul class="wp-block-list"> <li class="wp-block-list-item">Run an OAuth/Connected App assessment to surface risky scopes and over-permissive apps.</li> <li class="wp-block-list-item">Validate policy drift and remediate misconfigurations via AppOmni’s guided fixes.</li> <li class="wp-block-list-item">Set up detections and alerts for new connected apps, scope changes, and unusual data access.</li> </ul> </li> </ol><p class="wp-block-paragraph">Salesforce has directly notified affected customers and is continuing to provide updates as the investigation progresses. AppOmni will continue to monitor the situation and share relevant security insights as new information becomes available.</p><p class="wp-block-paragraph">AppOmni Scout, our new managed threat hunting service, is proactively monitoring Gainsight IoCs and will send notifications to our current customers if/when we see any suspicious activity in their SaaS environments. 
Please reach out to <a href="/cdn-cgi/l/email-protection#6d1e0e0218192d0c1d1d02000304430e0200" rel="noreferrer noopener"><span class="__cf_email__" data-cfemail="acdfcfc3d9d8eccddcdcc3c1c2c582cfc3c1">[email protected]</span></a>; we’re here to help.</p><h2 class="wp-block-heading">Additional Resources</h2><ul class="wp-block-list"> <li class="wp-block-list-item">Salesforce Security Advisory issued on November 19, 2025: <a href="https://status.salesforce.com/generalmessages/20000233" rel="noreferrer noopener">https://status.salesforce.com/generalmessages/20000233</a></li> <li class="wp-block-list-item">Salesloft Drift – Salesforce Breach (UNC6395): Why Salesforce OAuth Integrations are a Growing Risk: <a href="https://appomni.com/blog/drift-breach-salesforce-unc6395-saas-prevention/" rel="noreferrer noopener">https://appomni.com/blog/drift-breach-salesforce-unc6395-saas-prevention/</a></li> <li class="wp-block-list-item">ZDNet: Battered by cyberattacks, Salesforce faces a trust problem – and a potential class action lawsuit. Quote from Cory Michal, Chief Security Officer at AppOmni: <a href="https://www.zdnet.com/article/battered-by-cyberattacks-salesforce-faces-a-trust-problem-and-a-potential-class-action-lawsuit/" rel="noreferrer noopener">https://www.zdnet.com/article/battered-by-cyberattacks-salesforce-faces-a-trust-problem-and-a-potential-class-action-lawsuit/</a></li> <li class="wp-block-list-item">SecurityWeek: Hackers extorting Salesforce after stealing data from dozens of customers. 
Quote from Brian Soby, co-founder and CTO at AppOmni: <a href="https://www.zdnet.com/article/battered-by-cyberattacks-salesforce-faces-a-trust-problem-and-a-potential-class-action-lawsuit/" rel="noreferrer noopener">https://www.zdnet.com/article/battered-by-cyberattacks-salesforce-faces-a-trust-problem-and-a-potential-class-action-lawsuit/</a>  </li> </ul><p>The post <a href="https://appomni.com/blog/salesforce-gainsight-unauthorized-access-security-advisory/">Security Advisory: Salesforce Gainsight Incident</a> appeared first on <a href="https://appomni.com/">AppOmni</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://appomni.com/">AppOmni</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Drew Gatchell, Sr. Director of Threat Detection, AppOmni">Drew Gatchell, Sr. Director of Threat Detection, AppOmni</a>. Read the original post at: <a href="https://appomni.com/blog/salesforce-gainsight-unauthorized-access-security-advisory/">https://appomni.com/blog/salesforce-gainsight-unauthorized-access-security-advisory/</a> </p>
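<p>Added example, not part of the AppOmni advisory or any vendor's code: a Python triage pass covering the "Inventory &amp; verify", "Review OAuth scopes" and "Check for suspicious activity" actions listed above. The record field names, the broad-scope policy, the review window start, the IP allowlist and every sample row are constructed assumptions; replace them with your own connected-app and login-history exports.</p>

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumptions for illustration only: field names, scope policy, review window
# and allowlist are placeholders, not values from the advisory or a Salesforce schema.
BROAD_SCOPES = {"full", "api", "refresh_token"}
WINDOW_START = datetime(2025, 11, 1, tzinfo=timezone.utc)  # placeholder start
ALLOWED_NETS = [ip_network("203.0.113.0/24")]  # documentation range as stand-in

# Constructed sample data (hypothetical app, user and owner names).
GRANTS = [
    {"app": "Gainsight Sample A", "user": "svc-sample-a", "scopes": ["full", "refresh_token"], "owner": None},
    {"app": "Gainsight Sample B", "user": "svc-sample-b", "scopes": ["id"], "owner": "cs-ops"},
    {"app": "Billing Sync", "user": "svc-billing", "scopes": ["api"], "owner": "finance"},
]
USAGE = [
    {"app": "Gainsight Sample A", "user": "svc-sample-a", "ip": "203.0.113.10", "time": "2025-11-10T09:00:00+00:00"},
    {"app": "Gainsight Sample A", "user": "svc-sample-a", "ip": "198.51.100.77", "time": "2025-11-12T02:14:00+00:00"},
    {"app": "Gainsight Sample A", "user": "svc-sample-a", "ip": "198.51.100.77", "time": "2025-10-02T02:14:00+00:00"},
    {"app": "Billing Sync", "user": "svc-billing", "ip": "192.0.2.5", "time": "2025-11-12T03:00:00+00:00"},
]

def in_scope(app_name, publisher):
    """Inventory step: case-insensitive match on the publisher name."""
    return publisher.lower() in app_name.lower()

def review_grants(grants, publisher):
    """One finding per matching grant: missing business owner and broad scopes."""
    findings = []
    for g in grants:
        if not in_scope(g["app"], publisher):
            continue
        findings.append({
            "app": g["app"], "user": g["user"],
            "unowned": g["owner"] is None,
            "broad_scopes": sorted(BROAD_SCOPES & set(g["scopes"])),
        })
    return findings

def off_allowlist_usage(usage, publisher, start=WINDOW_START, nets=ALLOWED_NETS):
    """Activity step: in-window usage by matching apps from IPs outside the allowlist."""
    hits = []
    for u in usage:
        when = datetime.fromisoformat(u["time"])
        if not in_scope(u["app"], publisher) or when < start:
            continue
        if not any(ip_address(u["ip"]) in n for n in nets):
            hits.append((u["app"], u["user"], u["ip"], u["time"]))
    return hits
```

Calling `review_grants(GRANTS, "gainsight")` and `off_allowlist_usage(USAGE, "gainsight")` yields the grants to re-justify or trim and the usage rows to investigate first.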