On 19 November 2025, Salesforce announced an investigation into unusual activity involving applications published by Gainsight, a company that provides customer success software integrated with Salesforce. In their advisory, Salesforce indicated that they had notified affected customers directly, and that an investigation is ongoing. Salesforce has not yet provided details about the full scope of the malicious activity.
According to Salesforce, there is no evidence that this issue resulted from a vulnerability in the Salesforce platform itself. Instead, the source of the malicious activity is believed to be tied to Gainsight-published applications that are installed and managed by customers directly. In response, Salesforce revoked all active access and refresh tokens linked to these applications and temporarily removed them from the company’s AppExchange marketplace.
On 20 November 2025, Gainsight acknowledged on their status page that there had been connection failures for the Gainsight SFDC Connector in relation to this incident, but it has not provided any additional details at this time. As Salesforce continues to investigate the attacks, Arctic Wolf will closely monitor the situation for any notable updates and will alert customers if any malicious activity is found.
Recommendations
Rotate Credentials Accessible to Gainsight
As a precaution, treat any credentials that Gainsight-connected applications could access through their assigned Salesforce permissions as potentially compromised. Rotate all sensitive credentials stored in Salesforce or in downstream systems that depend on data exposed to the Gainsight integration. This includes API keys, OAuth tokens, integration passwords, service account credentials, and any secrets embedded in custom objects or fields.
Confirm Incident Status with Salesforce
Salesforce has contacted impacted customers regarding the Gainsight integrations. If your organisation uses Gainsight, you may confirm your status with Salesforce by opening a support case via Salesforce Help, as needed, to review any related activity. Arctic Wolf will notify any customers with confirmed malicious activity as additional technical details are shared about the campaign.



