After a recent security incident involving Gainsight’s customer management software and its integration with Salesforce, companies are working to clarify the scope of the breach. While Gainsight plays a key role in daily business operations for many, uncertainty remains about the extent of the impact on connected clients and third-party applications. Customers are looking for clear answers regarding their data safety, and both Gainsight and Salesforce are taking steps to address concerns while keeping open communication with their user base. Insights into incident response efforts and prevention recommendations have prompted user organizations to review and bolster their own security protocols.
News from earlier similar incidents, such as the Salesloft Drift breach, shows that downstream supply chain attacks can affect hundreds of customers through integration points. However, Gainsight reports far fewer affected customers than those numbers. As in previous cases, confusion stems from differing reports by the vendors involved and from varying methods of tracking affected clients, which makes it hard for outsiders to get a full picture immediately. In both situations, access tokens and third-party connectors were the focal points of the exploitation and of the subsequent investigations.
How Is Gainsight Addressing the Security Intrusion?
Gainsight has engaged the expertise of Mandiant and is relying on incident reports from Salesforce to trace the breach. Salesforce initially reported three directly affected customers but has since found additional victims, although neither company has shared an exact number. Gainsight CEO Chuck Ganapathi emphasized ongoing communication and support with affected clients, stating:
“Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”
Efforts by Mandiant and ongoing forensic analyses should provide further clarification as log examination and token behavior analysis progress.
What Applications Might Be Involved in the Breach?
Investigators are examining potential spread beyond Salesforce, looking at other connectors such as HubSpot, Zendesk, and Gong.io, which preemptively revoked Gainsight-related access tokens. No confirmed compromises on these platforms have been reported so far, and Salesforce maintains that its own platform did not exhibit the specific vulnerability. Google’s Threat Intelligence Group, which is connected to Mandiant, noted that over 200 Salesforce environments could potentially be affected, but has not released updated numbers. Despite these discrepancies, only a small number of directly impacted customers have been identified so far, according to Gainsight’s communication.
How Are Customers Being Guided on Risk Assessment?
Both Gainsight and Salesforce are advising customers to review their security activity logs, with Salesforce logs cited as the most reliable for detecting unauthorized activity. Brent Krempges, chief customer officer at Gainsight, highlighted log utility issues, saying,
“Based on the nature of the logs we retain, many of our clients have not found them to be material in assessing any risk to their organization.”
Customers are encouraged to implement manual security controls, such as IP restrictions on API calls. The issue has sparked broader discussion on the importance of vendor coordination and layered security in integrated environments, echoing experiences from companies like Okta during previous breaches.
Gainsight CEO Ganapathi underlined the company’s accountability and the need for collective defense strategies. He committed to sharing lessons learned:
“The only way we beat these threats is by working together and sharing information and strategies.”
Gainsight has provided guidance to help customers maintain operations while affected connections remain offline, reinforcing a collaborative approach to information security across the SaaS community.
Supply chain breaches involving integrated SaaS products continue to challenge organizations, especially as both attackers and defenders adapt their tactics. Organizations that depend on tools like Gainsight, Salesforce, HubSpot, and Zendesk should prioritize regular log reviews, robust access management, and close communication with their vendors after incidents like this one. Forensic investigations take time, and discrepancies between impact assessments are to be expected while details are still emerging. Proactive measures, including prompt revocation of dormant or unused tokens and enforcement of network restrictions such as IP allowlists on API access, are practical steps for reducing the risk of similar incidents. Staying current with official communications and coordinating closely within the SaaS ecosystem can help organizations limit their exposure when breaches occur.
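The guidance above (review activity logs for unauthorized connector activity, restrict API calls by source IP, and revoke dormant tokens) can be turned into a small triage script. The following is an added example written for this article, not code from Gainsight, Salesforce, or Mandiant. The log column layout, the per-app IP allowlist CIDRs, the token inventory, and the `find_suspicious` and `tokens_to_revoke` helpers are all assumptions constructed for illustration; a real deployment would read the vendor's actual audit export and published egress ranges.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample of connected-app API activity. The column layout is an
# assumption loosely modeled on a SaaS audit export; it is NOT a Salesforce
# export, and every value below is invented for this example.
SAMPLE_LOG = """\
timestamp,user,connected_app,client_ip,operation,rows
2025-11-20T08:01:12Z,integration@example.com,gainsight-connector,203.0.113.10,query,120
2025-11-20T08:03:40Z,integration@example.com,gainsight-connector,203.0.113.11,query,95
2025-11-20T22:17:05Z,integration@example.com,gainsight-connector,198.51.100.77,query,48000
2025-11-21T01:02:00Z,integration@example.com,unknown-app-7f3,198.51.100.77,bulk_export,91000
2025-11-21T09:30:00Z,analyst@example.com,zendesk-sync,192.0.2.5,query,40
"""

# Per-app source IP allowlist. In practice this comes from the vendor's
# published egress ranges; these CIDRs are constructed placeholders.
ALLOWLIST = {
    "gainsight-connector": ["203.0.113.0/28"],
    "zendesk-sync": ["192.0.2.0/24"],
}

# Constructed inventory of issued integration tokens and their last use.
TOKEN_INVENTORY = [
    {"app": "gainsight-connector", "last_used": "2025-11-20T22:17:05Z"},
    {"app": "gong-sync", "last_used": "2025-07-02T10:00:00Z"},
    {"app": "legacy-report-export", "last_used": "2024-12-15T03:00:00Z"},
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    """Parse the constructed UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_log(text):
    """Read the CSV export into dicts, converting the numeric and time fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["rows"] = int(r["rows"])
        r["timestamp"] = parse_ts(r["timestamp"])
        rows.append(r)
    return rows


def ip_allowed(app, ip, allowlist):
    """True only if the app is inventoried and the IP falls inside its ranges."""
    nets = allowlist.get(app)
    if nets is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def find_suspicious(text, allowlist=ALLOWLIST, row_threshold=10000):
    """Flag connector activity that a reviewer should look at first.

    Returns (timestamp, connected_app, client_ip, reasons) tuples for rows
    from an uninventoried app, from an IP outside the app's allowlist, or
    returning an unusually large number of records (possible bulk pull).
    """
    findings = []
    for r in parse_log(text):
        reasons = []
        if r["connected_app"] not in allowlist:
            reasons.append("unknown connected app")
        elif not ip_allowed(r["connected_app"], r["client_ip"], allowlist):
            reasons.append("client IP outside allowlist")
        if r["rows"] >= row_threshold:
            reasons.append("unusually large result set")
        if reasons:
            findings.append(
                (r["timestamp"].isoformat(), r["connected_app"], r["client_ip"], reasons)
            )
    return findings


def tokens_to_revoke(inventory, now_iso, max_idle_days=90):
    """Return app names whose token has not been used within max_idle_days."""
    cutoff = parse_ts(now_iso) - timedelta(days=max_idle_days)
    return [t["app"] for t in inventory if parse_ts(t["last_used"]) < cutoff]


if __name__ == "__main__":
    for ts, app, ip, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {app} from {ip}: {', '.join(reasons)}")
    print("revoke:", tokens_to_revoke(TOKEN_INVENTORY, "2025-11-22T00:00:00Z"))
```

Run against the constructed sample, the script flags the two late-night rows (one from an IP outside the connector's allowlist, one from an app that is not in the inventory at all, both pulling far more records than the daytime baseline) and lists the two tokens idle for more than 90 days as revocation candidates. The point is that an IP allowlist and a last-used inventory, both cheap to maintain, turn a vague "review your logs" recommendation into a short, prioritized list.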
