Executive Summary
In November 2025, Gainsight reported a security incident involving its SaaS applications integrated with Salesforce, after Salesforce observed suspicious API calls from non-allowlisted IP addresses using access tokens issued to Gainsight's connected applications. Salesforce revoked the affected access tokens, restricted the integration's capabilities, and opened an investigation, which temporarily disrupted data flows for a number of customers and for Gainsight's other connected platforms, including Zendesk and HubSpot. Forensic analysis tied the activity to proxy/VPN infrastructure and to IP addresses previously associated with the UNC6040 threat cluster, which has targeted Salesforce CRM environments in earlier extortion campaigns. Salesforce said that data belonging to some customers may have been accessed; no data exfiltration has been confirmed.
This incident exemplifies the persistent risk of supply-chain compromise through interconnected SaaS platforms, emphasizing how attackers can leverage trusted applications to pivot laterally and exploit enterprise data pipelines. With the steady rise in OAuth-based integrations and API dependency, businesses face mounting urgency to reevaluate third-party access, enforce zero-trust principles, and proactively monitor for anomalous behaviors within their SaaS ecosystems.
Why This Matters Now
The incident highlights how supply-chain vulnerabilities in popular SaaS integrations can be exploited by financially motivated threat actors, even when no direct customer data breach is confirmed. With organizations rapidly expanding their web of trusted applications using OAuth and API keys, a single compromise can cascade across critical business systems, making continuous monitoring and integration hardening urgent priorities.
Attack Path Analysis
Initial access came through the trusted OAuth connection between Gainsight and Salesforce: the attackers used access tokens and API credentials issued to the Gainsight integration rather than any exploit in Salesforce or Gainsight software. No separate privilege-escalation step has been confirmed; a token minted for a connected app already carries the scopes and object permissions of the integration user it represents, which is why revoking the tokens was Salesforce's first containment action. Lateral movement, where it occurred, would take the form of pivoting from one SaaS integration to the next, and the Gainsight connections to Zendesk and HubSpot were affected as well. The access channel was ordinary API traffic, which is what made it hard to spot: the only anomaly was the source, proxy/VPN infrastructure and Tor exit nodes rather than the integration's expected, allowlisted address ranges. Exfiltration is unconfirmed, but the activity is consistent with attempted bulk query or export of CRM data. The confirmed impact is disruption of multiple Gainsight-dependent services, enforced token revocation, and possible exposure of CRM data across the connected platforms.
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged compromised credentials or abused OAuth tokens associated with a trusted Gainsight-Salesforce integration to access the SaaS environment from non-allowlisted proxy/Tor IP addresses.
Related CVEs
None published. The sources attribute the access to abuse of valid OAuth tokens and API credentials belonging to the Gainsight integration, not to a software vulnerability in either product, so no CVE identifier applies.
Affected Products:
Gainsight SaaS applications integrated with Salesforce (all integrations active before the November 2025 token revocation)
Abuse Status:
Active abuse observed in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise (T1195)
Trusted Relationship (T1199)
Valid Accounts: Cloud Accounts (T1078.004)
Use Alternate Authentication Material: Application Access Token (T1550.001)
Proxy: Multi-hop Proxy (T1090.003)
Application Layer Protocol: Web Protocols (T1071.001)
Data from Information Repositories (T1213)
Exfiltration Over C2 Channel (T1041), unconfirmed
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to CDE
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Third-Party Risk Management
Control ID: Art. 28
CISA ZTMM 2.0 – Continuous Identity, Credential, and Access Management
Control ID: Identity Pillar: Continuous Identity Validation
NIS2 Directive – Supply Chain Security and Reporting Obligations
Control ID: Art. 21(2)(d) & Art. 23
ISO/IEC 27001:2022 – Information Security in Supplier Relationships
Control ID: A.5.19
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
SaaS integrations face supply-chain compromise risks through OAuth tokens and API keys, requiring zero-trust segmentation and enhanced egress security controls.
Financial Services
CRM records reachable through a compromised third-party integration can contain sensitive financial customer data; access of that kind triggers third-party risk and breach-notification obligations and gives an attacker contact data for follow-on social engineering.
Health Care / Life Sciences
HIPAA-regulated data at risk through Salesforce integrations, requiring encrypted traffic controls and anomaly detection to prevent unauthorized PHI access.
Information Technology/IT
IT service providers using Salesforce-integrated platforms face lateral movement risks, demanding multicloud visibility and threat detection capabilities for client protection.
Sources
- The Salesforce-Gainsight Security Incident: What You Need to Know. https://www.recordedfuture.com/blog/salesforce-gainsight-security-incident
- Gainsight Security Information. https://www.gainsight.com/security/
- Salesforce says some of its customers’ data was accessed after Gainsight breach. https://techcrunch.com/2025/11/20/salesforce-says-some-of-its-customers-data-was-accessed-after-gainsight-breach/
- Salesforce says customer data may be exposed in Gainsight incident - 'unusual activity' being probed. https://www.techradar.com/pro/security/salesforce-says-customer-data-may-be-exposed-in-gainsight-incident-unusual-activity-being-probed
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west workload controls, and egress policy enforcement would have severely limited the attacker's ability to exploit integrations, move laterally through SaaS-connected environments, and extract sensitive data. CNSF controls—especially identity-based segmentation, traffic visibility, token governance, and inline anomaly detection—provide both prevention and real-time threat response across hybrid and multi-cloud SaaS ecosystems.
Control: Zero Trust Segmentation
Mitigation: Unauthorized integration calls from untrusted sources are automatically blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious privilege escalation and token abuse trigger real-time alerts and workflow automation.
Control: East-West Traffic Security
Mitigation: Lateral movement between SaaS and internal cloud services is segmented and monitored, limiting attacker reach.
Control: Cloud Firewall (ACF) & Inline IPS
Mitigation: Malicious API traffic from Tor/proxy endpoints is detected and automatically blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound data transfers are denied and generate incident alerts.
Rapid visibility into integration abuse and automated response contain escalation and limit business impact.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
- Customer Support
Estimated downtime: 7 days
Estimated loss: $5,000,000
Data potentially accessed: customer contact details, business emails, phone numbers, support-case content, and internal CRM metadata.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation for all SaaS integrations and enforce identity-based access policies for API endpoints.
- Apply continuous egress filtering and anomaly detection to surface and block unsanctioned API exports or unusual data access patterns.
- Baseline normal user and integration behaviour so that privilege changes, token misuse, or traffic from unexpected sources (non-allowlisted, proxy, VPN or Tor addresses) alert quickly.
- Inventory and regularly rotate all OAuth tokens, API keys, and privileged credentials; restrict each connected-app identity to the IP ranges and scopes it needs, and require MFA and device trust for the human accounts that authorize those connections.
- Ensure centralized visibility, logging, and control across all cloud and SaaS assets, enabling real-time detection, response, and automated remediation of integration abuse.
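The trigger Salesforce acted on, integration API calls arriving from addresses outside the integration's allowlist and from proxy/Tor infrastructure (the Initial Compromise description above and the second through fourth takeaways), reduces to a check that can be run over API event logs. The following is an added example and not code from the page's sources, Salesforce or Gainsight; the log record shape, the per-integration allowlist CIDRs, the proxy/Tor indicator list and the bulk-export threshold are all constructed for illustration.

```python
"""
Flag connected-app API activity from IPs outside the app's allowlist or on a
proxy/Tor indicator list, and derive the set of OAuth tokens to revoke.
Added example: the schema, CIDRs and indicators below are constructed, not real.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed per-integration egress allowlist (hypothetical documentation-only
# ranges, not Gainsight's real addresses). Integrations with no entry cannot be
# validated and are reported as a coverage gap rather than silently passed.
APP_ALLOWLIST = {
    "Gainsight": ["203.0.113.0/24", "198.51.100.0/25"],
}

# Constructed indicator list standing in for a proxy/VPN/Tor exit-node feed.
PROXY_TOR_IOCS = {"192.0.2.77", "192.0.2.78"}

# Constructed API event records (one JSON object per line): timestamp, connected
# app name, OAuth token id, source IP, operation and rows touched.
SAMPLE_EVENTS = [
    '{"ts":"2025-11-18T02:10:00Z","app":"Gainsight","token":"tok-A","ip":"203.0.113.10","op":"query","rows":120}',
    '{"ts":"2025-11-18T02:11:00Z","app":"Gainsight","token":"tok-A","ip":"203.0.113.11","op":"query","rows":90}',
    '{"ts":"2025-11-18T02:40:00Z","app":"Gainsight","token":"tok-B","ip":"192.0.2.77","op":"query","rows":50000}',
    '{"ts":"2025-11-18T02:41:00Z","app":"Gainsight","token":"tok-B","ip":"192.0.2.77","op":"bulkExport","rows":250000}',
    '{"ts":"2025-11-18T03:05:00Z","app":"Gainsight","token":"tok-C","ip":"198.18.0.5","op":"query","rows":10}',
    '{"ts":"2025-11-18T03:06:00Z","app":"Zendesk","token":"tok-D","ip":"198.18.0.9","op":"query","rows":5}',
]

# Only source-based findings justify revocation; a large export from an
# allowlisted address may be a legitimate sync and is surfaced for review only.
REVOKE_REASONS = {"outside_allowlist", "proxy_or_tor"}


def parse_events(lines):
    """Parse one JSON record per line, skipping malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify_ip(app, ip, allowlist):
    """Return 'allowed', 'outside_allowlist', 'no_allowlist' or 'invalid_ip'."""
    cidrs = allowlist.get(app)
    if not cidrs:
        return "no_allowlist"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid_ip"
    if any(addr in ipaddress.ip_network(c) for c in cidrs):
        return "allowed"
    return "outside_allowlist"


def classify_event(ev, allowlist, iocs, bulk_threshold):
    """Collect every reason an event deserves attention (empty list if none)."""
    reasons = []
    verdict = classify_ip(ev["app"], ev["ip"], allowlist)
    if verdict != "allowed":
        reasons.append(verdict)
    if ev["ip"] in iocs:
        reasons.append("proxy_or_tor")
    if ev.get("op") == "bulkExport" or ev.get("rows", 0) >= bulk_threshold:
        reasons.append("bulk_export")
    return reasons


def analyze(lines, allowlist, iocs, bulk_threshold=100_000):
    """Return findings, the tokens to revoke, and per-token volume statistics."""
    findings = []
    revoke = set()
    per_token = defaultdict(lambda: {"events": 0, "rows": 0, "ips": set()})
    for ev in parse_events(lines):
        stats = per_token[ev["token"]]
        stats["events"] += 1
        stats["rows"] += ev.get("rows", 0)
        stats["ips"].add(ev["ip"])
        reasons = classify_event(ev, allowlist, iocs, bulk_threshold)
        if reasons:
            findings.append({"ts": ev["ts"], "app": ev["app"], "token": ev["token"],
                             "ip": ev["ip"], "reasons": reasons})
        if REVOKE_REASONS & set(reasons):
            revoke.add(ev["token"])
    return {"findings": findings, "revoke": revoke, "per_token": dict(per_token)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS, APP_ALLOWLIST, PROXY_TOR_IOCS)
    for f in result["findings"]:
        print(f["ts"], f["app"], f["token"], f["ip"], ",".join(f["reasons"]))
    print("revoke:", sorted(result["revoke"]))
```

On the sample data, tok-B is flagged on both counts (outside the allowlist and on the proxy/Tor list) and its second call is also a bulk export; tok-C is flagged on source alone; tok-D produces a `no_allowlist` finding because the Zendesk integration has no published ranges to check against, which is a gap in the allowlist inventory rather than evidence of abuse, so it is not revoked. The allowlist check is only as good as the vendor ranges it is fed, so the inventory of which integrations have one is itself an output worth reviewing.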