Gainsight

Gainsight, a customer success management software firm, experienced a breach in its systems that compromised Salesforce customer tokens. The incident was reported by the Google Threat Intelligence Group, potentially affecting over 200 Salesforce instances. CEO Chuck Ganapathi confirmed that only a limited number of Gainsight clients had their data compromised. The company advised customers to review Salesforce logs for authentication attempts and API calls originating from the Gainsight Connected App to identify anomalous access patterns. Gainsight also recommended implementing IP restrictions for API calls as a mitigation measure. The breach remains under investigation, with Gainsight’s own logs deemed insufficient for assessing organizational risk. Clients were urged to rely on Salesforce-side logs for determining exposure.

Source: https://www.scworld.com/brief/impact-of-gainsight-breach-minimized

Gainsight cybersecurity rating report: https://www.rankiteo.com/company/gainsight

"id": "GAI54103454112625",
"linkid": "gainsight",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Limited number of clients '
                                              '(potential impact on over 200 '
                                              'Salesforce instances)',
                        'industry': 'Technology / SaaS',
                        'name': 'Gainsight',
                        'type': 'Customer Management Software Firm'},
                       {'industry': 'Multiple (Salesforce customers)',
                        'name': 'Gainsight Clients (Salesforce Users)',
                        'type': 'Businesses'}],
 'customer_advisories': 'Public communication by Gainsight CEO (Chuck '
                        'Ganapathi) and Chief Customer Officer (Brent '
                        'Krempges) urging log reviews and mitigation measures',
 'data_breach': {'sensitivity_of_data': 'High (authentication tokens)',
                 'type_of_data_compromised': ['Salesforce customer tokens']},
 'description': 'A limited number of Gainsight clients had their data '
                'compromised following a breach of the customer management '
                "software firm's systems, impacting Salesforce customer "
                'tokens. The breach was reported by the Google Threat '
                'Intelligence Group to potentially have affected over 200 '
                'Salesforce instances. Gainsight customers have been advised '
                'to review Salesforce logs for anomalous access patterns, '
                'particularly authentication attempts and API calls '
                'originating from the Gainsight Connected App. IP restrictions '
                'for API calls have also been recommended as a mitigation '
                'measure.',
 'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
                                       'breach affecting customer tokens and '
                                       'requiring client-side mitigation',
            'data_compromised': True,
            'operational_impact': 'Ongoing investigation; customers advised to '
                                  'review logs and implement IP restrictions '
                                  'for API calls',
            'systems_affected': ['Salesforce instances (potentially over 200)',
                                 'Gainsight Connected App']},
 'initial_access_broker': {'high_value_targets': ['Salesforce customer '
                                                  'tokens']},
 'investigation_status': 'Ongoing (customers urged to review logs; extent of '
                         'breach under investigation)',
 'recommendations': ['Review Salesforce logs for authentication attempts and '
                     'API calls from Gainsight Connected App',
                     'Implement IP restrictions for API calls',
                     'Monitor for anomalous access patterns'],
 'references': [{'source': 'CyberScoop'}],
 'response': {'communication_strategy': 'Advisories issued to clients to '
                                        'investigate logs and implement '
                                        'mitigations',
              'containment_measures': ['IP restrictions for API calls'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Review of Salesforce logs for '
                                       'authentication attempts and API calls '
                                       'from Gainsight Connected App'],
              'third_party_assistance': ['Google Threat Intelligence Group '
                                         '(reported potential impact)']},
 'stakeholder_advisories': 'Clients advised to investigate Salesforce logs and '
                           'implement IP restrictions',
 'title': 'Gainsight Data Breach Affecting Salesforce Customer Tokens',
 'type': 'Data Breach / Unauthorized Access'}