Gainsight Verifies Token Breach Linked to Salesforce Advisory, Issues New IOCs

Gainsight, the leading customer success platform, has confirmed that a security incident involving its Salesforce integration compromised customer tokens for a small subset of its client base.

The announcement follows a security advisory issued by Salesforce last week, which prompted the temporary disabling of Gainsight’s connected application.

In a statement released ahead of the Thanksgiving holiday, Gainsight leadership addressed the unusual activity identified by Salesforce, emphasizing that while the investigation is ongoing, the impact appears limited at this stage.

“While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” the company stated.

Gainsight noted that Salesforce has already notified the specific customers involved, and Gainsight’s support teams are working directly with those impacted organizations.

The incident began when Salesforce detected irregularities associated with Gainsight’s connected app.

As a precautionary measure, the integration was severed to prevent potential lateral movement or data exfiltration.

Gainsight immediately engaged third-party cybersecurity experts to work alongside its internal Security, Support, and Product teams to analyze the breach and restore connectivity safely.

Acknowledging the disruption to customer operations, the company has mobilized a specialized team to assist clients in maintaining business continuity while the Salesforce app remains offline.

This includes alternative methods for managing Customer Success (CS) instances and direct support for data ingestion.

On November 26, Gainsight released a set of precautionary Indicators of Compromise (IOCs) and defensive measures to help customers harden their environments during the outage. These recommendations include:

  • Key Rotation: Immediately rotating access keys for S3 buckets and other connectors, including BigQuery, Zuora, and Snowflake.
  • Direct Authentication: Logging into Gainsight NXT directly rather than through Salesforce until the integration is fully restored.
  • Credential Resets: Resetting NXT user passwords for any accounts not using Single Sign-On (SSO).
  • Re-authorization: Re-authorizing any connected applications that rely on user credentials or tokens.

The company also released a technical PDF guide (V2) detailing specific steps for rotating keys and re-authorizing connectors to assist administrators in securing their data pipelines.

Industry Commitment

Gainsight frames the incident as part of a broader industry challenge, pledging to release a complete retrospective once the investigation concludes.

“The only way we beat these threats is by working together and sharing information and strategies,” the statement read.

The company committed to sharing its findings to help the wider SaaS community strengthen defenses against similar attack vectors.

Recognizing the critical nature of its platform for customer success teams, Gainsight is prioritizing business continuity requests.

Customers requiring immediate assistance are advised to open a support ticket detailing their critical workflows and technical capabilities regarding data transfer via APIs or S3 buckets.

Updates regarding the restoration of the Salesforce integration and further forensic findings will continue to be published on the Gainsight Status and Community pages.
