
Salesforce Probes Gainsight-Linked Breach; Mandiant Called In

11/25/2025

Salesforce said some customers’ data may have been accessed via Gainsight‑published apps, prompting emergency safeguards and a wider forensic review. The investigation underscores the risk that third‑party integrations can pose to even well‑secured cloud platforms.


What Salesforce Found

In notices posted around November 20–21, 2025, Salesforce reported “unusual activity” tied to apps published by Gainsight that connect to its platform and are managed by customers. The company said those apps may have enabled unauthorized access to certain customers’ Salesforce data and emphasized there’s no indication of a vulnerability in Salesforce’s core platform. As a precaution, Salesforce revoked access tokens for Gainsight‑connected apps and began notifying affected customers. Gainsight, which provides customer success software, confirmed it is working with Salesforce on the inquiry.

The Bigger Picture

The probe arrives amid a shift in attack patterns that target integration points rather than the underlying systems themselves. Earlier this year, Google’s security team detailed separate campaigns that abused enterprise connectors — including Oracle’s E‑Business Suite and a modified Salesforce Data Loader — compromising data at scores of organizations. Security researchers warn that integrations with privileged permissions are an increasingly attractive attack surface compared with breaching a vendor’s core platform.

What’s Next

Gainsight says its applications remain disconnected from Salesforce while investigators work to validate configurations and determine safe restoration steps. The company has brought in outside experts, hiring Mandiant for a forensic review, and is updating customers as findings emerge. For now, both companies say the activity appears to have originated from the external connection between Gainsight apps and Salesforce, not from any flaw within Salesforce itself. Organizations using these integrations should watch for official notices, review access logs, and be prepared to rotate credentials connected to impacted apps once guidance is issued.
