Salesforce Gainsight Compromise: Key Findings & Customer Action Steps

Summary
– Salesforce detected suspicious API calls from non-whitelisted IPs using the Gainsight Connected App and revoked access tokens as a precaution.
– The Gainsight app was temporarily removed from the HubSpot Marketplace, and Zendesk connector access was revoked due to the security incident.
– Only three organizations are known to be impacted, with the Gainsight Salesforce connection identified as the sole affected product.
– Gainsight, Salesforce, and Mandiant are conducting a joint security review and will not restore API access until it is fully vetted and cleared.
– The ShinyHunters group claims responsibility for exfiltrating data from companies such as Verizon and GitLab, but official attribution is still pending.
Following a recent security alert from Salesforce regarding unusual activity linked to Gainsight applications, customers are urged to take specific protective measures. Salesforce detected unauthorized API calls originating from non-whitelisted IP addresses through the Gainsight Connected App, prompting immediate action to secure customer data. Although the investigation is still underway, Gainsight has provided regular updates to help users understand the situation and respond appropriately.
As a precaution, the Gainsight application has been temporarily removed from the HubSpot Marketplace, and access through the Zendesk connector has been revoked. According to the company, only three organizations are confirmed to have been impacted so far, with the Gainsight Salesforce connection identified as the sole affected product. Importantly, Salesforce has not yet verified any actual data exfiltration from customer instances, and there is no evidence that the attackers used phishing campaigns or bulk email functions.
Customers are advised to open a support ticket to obtain the specific IP ranges or subnets from which legitimate Salesforce login events for the Gainsight connector should originate. Customers who wish to conduct their own review can request their Salesforce logs and check them for API activity that does not come from those ranges. Gainsight, Salesforce, and Mandiant, the third-party forensics firm involved, are conducting a comprehensive review of all security layers. API access will not be reinstated until the investigation is complete and the system receives full clearance.
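The log review described above, as an added example that is not part of the original article or of any Gainsight or Salesforce tooling: the records are constructed, shaped like rows from the Salesforce LoginHistory object (SourceIp, Application, Status, LoginTime, UserId are assumed field names), and the allowlisted subnets are placeholders standing in for the ranges a customer would obtain through the support ticket.

```python
import ipaddress
from collections import defaultdict

# Constructed sample login records (not real data); field names follow the
# Salesforce LoginHistory object, values are made up for illustration.
SAMPLE_LOGINS = [
    {"LoginTime": "2025-11-20T01:02:03Z", "UserId": "005A", "Application": "Gainsight",
     "SourceIp": "203.0.113.10", "Status": "Success"},
    {"LoginTime": "2025-11-20T01:05:41Z", "UserId": "005A", "Application": "Gainsight",
     "SourceIp": "198.51.100.200", "Status": "Success"},
    {"LoginTime": "2025-11-20T02:17:09Z", "UserId": "005B", "Application": "Gainsight",
     "SourceIp": "192.0.2.77", "Status": "Success"},
    {"LoginTime": "2025-11-20T02:18:30Z", "UserId": "005C", "Application": "Browser",
     "SourceIp": "192.0.2.77", "Status": "Success"},            # not the connector
    {"LoginTime": "2025-11-20T02:20:00Z", "UserId": "005B", "Application": "Gainsight",
     "SourceIp": "192.0.2.78", "Status": "Failed: Invalid Password"},  # never got in
    {"LoginTime": "2025-11-20T03:00:00Z", "UserId": "005D", "Application": "Gainsight",
     "SourceIp": "bad-ip", "Status": "Success"},               # unparsable source
]

# PLACEHOLDER subnets: replace with the ranges provided by Salesforce support.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]


def build_networks(cidrs):
    """Parse CIDR strings once so each login row is checked cheaply."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_allowed(ip, networks):
    """True only if ip parses and falls inside one of the allowlisted networks.
    An unparsable address is treated as NOT allowed so it cannot slip through."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_suspicious_logins(logins, allowed_cidrs, app_match="gainsight"):
    """Successful connector logins whose source IP is outside the allowlist."""
    nets = build_networks(allowed_cidrs)
    return [row for row in logins
            if app_match in (row.get("Application") or "").lower()
            and row.get("Status") == "Success"
            and not ip_allowed(row.get("SourceIp", ""), nets)]


def summarize_by_ip(hits):
    """Map each offending source IP to the sorted set of user IDs it reached."""
    users = defaultdict(set)
    for row in hits:
        users[row["SourceIp"]].add(row["UserId"])
    return {ip: sorted(u) for ip, u in users.items()}
```

Failed logins are excluded on purpose; if you also want to see attempts that were blocked, drop the Status filter.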
A formal report along with remediation guidance will be issued by the third-party forensics team. Gainsight plans to transition to a packaged version of the Connected App to ensure a secure reset. The company has emphasized that services will only be restored after they have been thoroughly vetted. Affected customers are being directly notified by Salesforce and Mandiant.
While the ShinyHunters cyber extortion group has claimed responsibility for the incident, stating that it exfiltrated data from several companies including Verizon, GitLab, F5, and SonicWall, official attribution has not yet been confirmed. Organizations are encouraged to stay informed about ongoing developments and implement the recommended security steps to safeguard their systems.
(Source: HelpNet Security)