On November 19, 2025 at 8:00 PM, Salesforce issued a security advisory after detecting unusual activity associated with Gainsight-published applications that may enable unauthorized access to certain customers’ Salesforce data through Gainsight’s connected integrations. Apps published by Gainsight have been temporarily removed from the Salesforce AppExchange.
As part of the initial response, Salesforce has revoked active access and refresh tokens associated with Gainsight applications.
What are the recommended actions?
AppOmni is monitoring the Salesforce Gainsight incident closely and is advising all customers, and any organization with Salesforce-Gainsight integrations, to take the following actions:
- Inventory & verify: Identify any Gainsight-published apps connected to your Salesforce orgs. Confirm business ownership and current need. Customers can identify Gainsight apps in their environment by navigating to “Third Party → Connected Apps → ‘Gainsight’”.
- Review OAuth scopes: Ensure requested scopes align with least-privilege. Remove excessive scopes and unused integrations.
- Rotate credentials: Regenerate tokens/keys for affected integrations and service accounts where applicable.
- Check for suspicious activity: Review login history, connected app usage, and audit logs for anomalous behavior during the affected window.
- Tighten policies: Enforce MFA, IP restrictions, and session policies for integration users.
- Use AppOmni capabilities:
  - Run an OAuth/Connected App assessment to surface risky scopes and over-permissive apps.
  - Validate policy drift and remediate misconfigurations via AppOmni’s guided fixes.
  - Set up detections and alerts for new connected apps, scope changes, and unusual data access.
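An added example (not AppOmni or Salesforce code) of the "Check for suspicious activity" step: it filters a constructed CSV, whose columns mirror Salesforce LoginHistory fields, for Gainsight app logins inside a review window and reports those coming from outside the expected integration IP ranges. The window dates, app names, IP ranges and the `flag_logins` helper are assumptions for illustration; substitute the window from your own advisory notice.

```python
import csv
import io
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample rows; column names mirror Salesforce LoginHistory fields.
SAMPLE_EXPORT = """LoginTime,UserId,Application,SourceIp,Status
2025-01-10T09:00:00Z,005000000000001,Gainsight Sample App,198.51.100.10,Success
2025-01-10T09:05:00Z,005000000000001,Gainsight Sample App,203.0.113.77,Success
2025-01-10T09:06:00Z,005000000000002,Salesforce for Outlook,203.0.113.77,Success
2025-01-20T11:00:00Z,005000000000001,Gainsight Sample App,203.0.113.80,Success
2025-01-11T02:30:00Z,005000000000003,gainsight sample connector,192.0.2.5,Failed
"""

# Placeholder review window (assumption, not the incident's actual window).
WINDOW = (datetime(2025, 1, 9, tzinfo=timezone.utc),
          datetime(2025, 1, 15, tzinfo=timezone.utc))
# Assumption: egress ranges the integration is expected to connect from.
EXPECTED_NETS = ["198.51.100.0/24"]


def flag_logins(export_text, app_keyword, window, expected_nets):
    """Return (time, user, ip, status) for matching-app logins inside the
    window whose source IP is outside every expected network."""
    start, end = window
    nets = [ip_network(n) for n in expected_nets]
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Case-insensitive match so renamed or lower-cased app labels are caught.
        if app_keyword.lower() not in row["Application"].lower():
            continue
        when = datetime.fromisoformat(row["LoginTime"].replace("Z", "+00:00"))
        if not (start <= when <= end):
            continue
        addr = ip_address(row["SourceIp"])
        if any(addr in net for net in nets):
            continue
        # Failed attempts are kept too: they show probing with a revoked token.
        findings.append((row["LoginTime"], row["UserId"],
                         row["SourceIp"], row["Status"]))
    return findings


if __name__ == "__main__":
    for finding in flag_logins(SAMPLE_EXPORT, "gainsight", WINDOW, EXPECTED_NETS):
        print(finding)
```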
Salesforce has directly notified affected customers and is continuing to provide updates as the investigation progresses. AppOmni will continue to monitor the situation and share relevant security insights as new information becomes available.
AppOmni Scout, our new managed threat hunting service, is proactively monitoring Gainsight IoCs and will notify our current customers if and when we see any suspicious activity in their SaaS environments. Please reach out to scout@appomni.com; we’re here to help.
Additional Resources
- Salesforce Security Advisory issued on November 19, 2025: https://status.salesforce.com/generalmessages/20000233
- Salesloft Drift – Salesforce Breach (UNC6395): Why Salesforce OAuth Integrations are a Growing Risk: https://appomni.com/blog/drift-breach-salesforce-unc6395-saas-prevention/
- ZDNet: Battered by cyberattacks, Salesforce faces a trust problem – and a potential class action lawsuit. Quote from Cory Michal, Chief Security Officer at AppOmni: https://www.zdnet.com/article/battered-by-cyberattacks-salesforce-faces-a-trust-problem-and-a-potential-class-action-lawsuit/
- SecurityWeek: Hackers extorting Salesforce after stealing data from dozens of customers. Quote from Brian Soby, co-founder and CTO at AppOmni: https://www.zdnet.com/article/battered-by-cyberattacks-salesforce-faces-a-trust-problem-and-a-potential-class-action-lawsuit/