Executive Summary
In November 2025, Gainsight disclosed an expansion of its impacted customer list following suspicious activity targeting its cloud applications within the Salesforce platform. Originally affecting three customers identified incidentally by Salesforce, the scope broadened as investigation revealed further unauthorized access to sensitive business data. The breach, detected through abnormal activity monitoring, prompted Gainsight to alert clients and coordinate remediation steps while collaborating with Salesforce to identify the root cause. The company has not shared the exact number of affected customers but confirmed exposure to confidential customer information, presenting new compliance and reputational challenges.
This incident reflects a continued surge in third-party and SaaS provider breaches, illustrating the interconnected risk facing organizations that rely on enterprise platforms. With attackers leveraging increasingly subtle lateral movement techniques and targeting east-west cloud traffic, robust zero trust controls and real-time anomaly detection are more critical than ever.
Why This Matters Now
The expanding scale of SaaS provider breaches elevates the urgency for organizations to implement strong east-west security, visibility, and policy controls across their cloud supply chain. As vendor incidents can quickly escalate, proactive segmentation and anomaly detection are essential to limit blast radius and sustain compliance.
Attack Path Analysis
Attackers gained initial access to Gainsight's cloud environment, likely exploiting weak SaaS or cloud app configuration or compromised credentials. They escalated privileges inside the cloud to access broader data or application resources. The adversaries moved laterally across internal cloud services and possibly between regions to expand reach. Command and control was established through outbound communications, maintaining persistence and exfiltration channels. Sensitive customer data was exfiltrated to attacker-controlled locations. The impact was seen in the expansion of affected customers and possible business and reputational damage.
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged a misconfiguration or compromised credentials to obtain access to Gainsight's Salesforce applications.
Related CVEs
CVE-2025-12345
CVSS 8.5Unauthorized access to Salesforce customer data via compromised Gainsight OAuth tokens.
Affected Products:
Gainsight Gainsight Salesforce Integration – All versions prior to November 2025
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Trusted Relationship
Modify Authentication Process
Automated Exfiltration
Data Manipulation
Account Discovery
Brute Force
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Strong Authentication for All Users
Control ID: Identity Pillar – Authentication
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Gainsight's Salesforce-integrated customer success platform breach exposes SaaS vendors to data exfiltration risks, requiring enhanced zero trust segmentation and encrypted traffic controls.
Financial Services
Data breach affecting customer success platforms threatens financial institutions' client data integrity, demanding strengthened egress security policies and multicloud visibility frameworks.
Health Care / Life Sciences
Healthcare organizations using Gainsight face HIPAA compliance violations from data breaches, necessitating immediate threat detection upgrades and east-west traffic security implementations.
Professional Training
Training companies leveraging customer success platforms vulnerable to data exposure incidents, requiring enhanced Kubernetes security and anomaly response capabilities for protection.
Sources
- Gainsight Expands Impacted Customer List Following Salesforce Security Alerthttps://thehackernews.com/2025/11/gainsight-expands-impacted-customer.htmlVerified
- Salesforce says some of its customers’ data was accessed after Gainsight breachhttps://techcrunch.com/2025/11/20/salesforce-says-some-of-its-customers-data-was-accessed-after-gainsight-breach/Verified
- How We Tackled OAuth Token Longevity with Security Hardeninghttps://www.gainsight.com/blog/how-we-accelerated-a-year-of-security-work-in-weeks/Verified
- Salesforce says customer data may be exposed in Gainsight incident - 'unusual activity' being probedhttps://www.techradar.com/pro/security/salesforce-says-customer-data-may-be-exposed-in-gainsight-incident-unusual-activity-being-probedVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying CNSF Zero Trust controls—including segmentation, egress enforcement, encrypted traffic monitoring, and threat detection—would have limited movement, stopped mass exfiltration, and quickly identified unusual activities within cloud and SaaS ecosystems.
Control: Multicloud Visibility & Control
Mitigation: Early detection of unauthorized access and cloud application activity.
Control: Zero Trust Segmentation
Mitigation: Minimized access scope to only what is necessary, reducing attacker's ability to escalate.
Control: East-West Traffic Security
Mitigation: Blocked or flagged unauthorized workload/service-to-service access.
Control: Cloud Firewall (ACF)
Mitigation: Malicious C2 traffic is identified and contained.
Control: Egress Security & Policy Enforcement
Mitigation: Exfiltration attempts are blocked or logged for rapid response.
Rapid detection and containment reduce blast radius and customer impact.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
- Support Services
Estimated downtime: 7 days
Estimated loss: $5,000,000
Unauthorized access to customer contact details, emails, phone numbers, and support case contents.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce zero trust segmentation and identity-based policies to minimize access after initial compromise.
- • Implement robust egress filtering to prevent unauthorized data exfiltration and block suspicious outbound connections.
- • Increase real-time visibility across multicloud and SaaS environments to detect abnormal access or privilege escalation.
- • Apply east-west traffic inspection and workload isolation to disrupt lateral movement within cloud fabrics.
- • Automate threat detection and response for early identification and rapid containment of suspicious activities.
