Gainsight Status

Monitoring: The new managed package that powers the data integration between Gainsight CS and Salesforce has successfully completed the AppExchange security review and has been published (may take a bit to show up in search due to indexing). You can continue using the installation links included in our community post under the December 11th update "How can I get the Gainsight-Salesforce connection working now?" until they show up in search. In addition, you won't see the warning message highlighted in the post anymore. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce connectivity for Gainsight CS has been approved and restoration is underway. Core Salesforce-dependent workflows are now available after reauthorization, with additional features being brought back online progressively. See the https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809 for details and next steps.

Identified: Please see FAQs for updated instructions on how to get the Gainsight-Saleforce connection working. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Great news — Salesforce has approved the Gainsight Managed Package with UI. This means you can once again access the Gainsight UI directly inside Salesforce, just as you could before. Salesforce has also approved the Gainsight Connected Apps that power data exchange between Gainsight and Salesforce. With this approval in place, customers can begin bringing their Salesforce-connected workflows back online. To resume data flow, the Gainsight Connected App needs to be reauthorized.

We’re excited to be moving into this restoration phase and will continue to share updates and guidance as more functionality comes back online. A follow-up with more details will be coming later today.

Identified: We’ve added resources to help Gainsight admins get ready for reconnecting with Salesforce once restoration begins. Visit our Community post for details and Office Hours registration. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Please see an important status update from our CEO Chuck Ganapathi regarding the completion of security investigations: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We wanted to share an important update: both Mandiant and CrowdStrike have completed their independent investigations. We’ve already shared this investigation summary with Salesforce and are now reviewing the findings together. Once those conversations are complete, we’ll publish the investigation summary on our Trust site, so you have full visibility as well.

In parallel, we are proactively working with our partners at Zendesk, HubSpot, and Gong.io to keep them fully updated so we can get those integrations re-enabled as quickly and safely as possible. Thank you for your patience and partnership as we work through this final step.

For additional clarifying info see https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We have updated FAQ to add in key questions asked in this week’s office hours. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: As part of the remediation effort, we completed the task of deactivating S3 connections for customers whose S3 access keys have not been rotated since before January 2025.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: On December 4th, between 6:00 AM - 9:00 AM PT, we will deactivate S3 connections for customers whose S3 access keys have not been rotated since before January 2025 as part of the remediation effort.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: A new update regarding IOCs and Office Hours can be found in the FAQs. FAQs: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: All customers using Google SSO OAuth, are strongly advised to complete the steps in the FAQ item item “My Google SSO login into Gainsight is failing. What can I do?”— even if access to Gainsight is still functioning—to move to SAML based authentication.

In addition, updated guidance is available for re-authenticating the GS Assist Gmail plugin and Gmail calendar integration, if you are running into issues with these features.

FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Google SSO logins (Gsuite) are currently failing for small subset of customers who use Google OAuth to sign into Gainsight. To ensure uninterrupted access, we would like to propose an alternative approach using SAML authentication. We support SAML setup with any Identity Provider, including Azure, OneLogin and Google. Our team will be happy to guide you through this configuration. Please see the question “My Google SSO login into Gainsight is failing. What can I do?” in our FAQ for more info - https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review.

We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Customers are advised to promptly rotate all S3 and connector credentials (including BigQuery, Zuora, Snowflake, etc.) used with Gainsight as part of standard security best practices. We have included a PDF with details in our FAQs Community Post. The attachment can be found at the bottom of the post.

Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 24). https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Thank you for your continued patience while we work to resolve this incident.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 23) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 which will be updated every 24 hours with any new information.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 22) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ (November 21st Update) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: Salesforce has published an updated Security Advisory on unusual activity related to Gainsight-published applications. https://help.salesforce.com/s/articleView?id=005229029&type=1 We continue to work closely with Salesforce as part of the ongoing investigation. Gainsight-published applications remain disconnected from Salesforce at this time. We will provide further updates as additional information becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We want to provide more information on the issue we shared earlier today. We have engaged Mandiant, a leader in cybersecurity, to assist us in our comprehensive, independent forensic investigation.

Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform. Salesforce has independently notified known affected customers and continues to investigate.

As noted in the FAQ, (https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809) Gainsight can provide the IP ranges and subnets that Salesforce login events from the Gainsight Connector should originate from. At this time, these details can only be shared through a support ticket. If you need this information, please open a ticket with our Support team.

We are committed to keeping you informed, and we appreciate your patience and partnership

Identified: We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. Additionally Zendesk connector access has been revoked as a precaution. Please refer to our detailed Salesforce - Gainsight Connected App Incident FAQ (November 20th Afternoon Update): https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Investigation is ongoing and we will share updates as more information becomes available. We appreciate your patience and understanding.

Identified: Access to Gainsight via Salesforce remains unavailable at this time. We continue to work closely with Salesforce to investigate and resolve the connection issue impacting Gainsight-published applications on the Salesforce platform. Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues.

Our security and engineering teams are collaborating with Salesforce to analyze the technical details, validate configurations, and determine safe restoration steps. We are continuing to consolidate information internally and externally and will provide a detailed update within the next 1 hour.

Identified: Customers using Hubspot might find that the Gainsight app has been temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact Oauth access for customer connections while the review is taking place. We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only. Thank you for your patience, we will share additional updates as more information becomes available.

Identified: We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications. Our internal investigation is ongoing, We will share additional updates as more information becomes available.

Identified: We continue to investigate the Salesforce connection issue identified earlier today. Further updates will be provided as soon as more information is available.

Identified: We are continuing to work on a fix for this issue.

Identified: We are continuing to work on a fix for this issue.

Identified: We are actively investigating the issue and continuing to monitor the situation closely. We will share further updates as soon as more information becomes available.

Identified: We have identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector. https://status.salesforce.com/generalmessages/20000233

This is currently causing disruptions to Gainsight functionalities that rely on synchronous or real-time API interactions with Salesforce.

We are investigating further and will update as we have more details.

Investigating: We are investigating reports of Salesforce Connection failures.
We will update soon as we have more details.

Monitoring: The new managed package that powers the data integration between Gainsight CS and Salesforce has successfully completed the AppExchange security review and has been published (may take a bit to show up in search due to indexing). You can continue using the installation links included in our community post under the December 11th update "How can I get the Gainsight-Salesforce connection working now?" until they show up in search. In addition, you won't see the warning message highlighted in the post anymore. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce connectivity for Gainsight CS has been approved and restoration is underway. Core Salesforce-dependent workflows are now available after reauthorization, with additional features being brought back online progressively. See the https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809 for details and next steps.

Identified: Please see FAQs for updated instructions on how to get the Gainsight-Saleforce connection working. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Great news — Salesforce has approved the Gainsight Managed Package with UI. This means you can once again access the Gainsight UI directly inside Salesforce, just as you could before. Salesforce has also approved the Gainsight Connected Apps that power data exchange between Gainsight and Salesforce. With this approval in place, customers can begin bringing their Salesforce-connected workflows back online. To resume data flow, the Gainsight Connected App needs to be reauthorized.

We’re excited to be moving into this restoration phase and will continue to share updates and guidance as more functionality comes back online. A follow-up with more details will be coming later today.

Identified: We’ve added resources to help Gainsight admins get ready for reconnecting with Salesforce once restoration begins. Visit our Community post for details and Office Hours registration. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Please see an important status update from our CEO Chuck Ganapathi regarding the completion of security investigations: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We wanted to share an important update: both Mandiant and CrowdStrike have completed their independent investigations. We’ve already shared this investigation summary with Salesforce and are now reviewing the findings together. Once those conversations are complete, we’ll publish the investigation summary on our Trust site, so you have full visibility as well.

In parallel, we are proactively working with our partners at Zendesk, HubSpot, and Gong.io to keep them fully updated so we can get those integrations re-enabled as quickly and safely as possible. Thank you for your patience and partnership as we work through this final step.

For additional clarifying info see https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We have updated FAQ to add in key questions asked in this week’s office hours. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: As part of the remediation effort, we completed the task of deactivating S3 connections for customers whose S3 access keys have not been rotated since before January 2025.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: On December 4th, between 6:00 AM - 9:00 AM PT, we will deactivate S3 connections for customers whose S3 access keys have not been rotated since before January 2025 as part of the remediation effort.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: A new update regarding IOCs and Office Hours can be found in the FAQs. FAQs: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: All customers using Google SSO OAuth, are strongly advised to complete the steps in the FAQ item item “My Google SSO login into Gainsight is failing. What can I do?”— even if access to Gainsight is still functioning—to move to SAML based authentication.

In addition, updated guidance is available for re-authenticating the GS Assist Gmail plugin and Gmail calendar integration, if you are running into issues with these features.

FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Google SSO logins (Gsuite) are currently failing for small subset of customers who use Google OAuth to sign into Gainsight. To ensure uninterrupted access, we would like to propose an alternative approach using SAML authentication. We support SAML setup with any Identity Provider, including Azure, OneLogin and Google. Our team will be happy to guide you through this configuration. Please see the question “My Google SSO login into Gainsight is failing. What can I do?” in our FAQ for more info - https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review.

We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Customers are advised to promptly rotate all S3 and connector credentials (including BigQuery, Zuora, Snowflake, etc.) used with Gainsight as part of standard security best practices. We have included a PDF with details in our FAQs Community Post. The attachment can be found at the bottom of the post.

Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 24). https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Thank you for your continued patience while we work to resolve this incident.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 23) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 which will be updated every 24 hours with any new information.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 22) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ (November 21st Update) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: Salesforce has published an updated Security Advisory on unusual activity related to Gainsight-published applications. https://help.salesforce.com/s/articleView?id=005229029&type=1 We continue to work closely with Salesforce as part of the ongoing investigation. Gainsight-published applications remain disconnected from Salesforce at this time. We will provide further updates as additional information becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We want to provide more information on the issue we shared earlier today. We have engaged Mandiant, a leader in cybersecurity, to assist us in our comprehensive, independent forensic investigation.

Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform. Salesforce has independently notified known affected customers and continues to investigate.

As noted in the FAQ, (https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809) Gainsight can provide the IP ranges and subnets that Salesforce login events from the Gainsight Connector should originate from. At this time, these details can only be shared through a support ticket. If you need this information, please open a ticket with our Support team.

We are committed to keeping you informed, and we appreciate your patience and partnership

Identified: We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. Additionally Zendesk connector access has been revoked as a precaution. Please refer to our detailed Salesforce - Gainsight Connected App Incident FAQ (November 20th Afternoon Update): https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Investigation is ongoing and we will share updates as more information becomes available. We appreciate your patience and understanding.

Identified: Access to Gainsight via Salesforce remains unavailable at this time. We continue to work closely with Salesforce to investigate and resolve the connection issue impacting Gainsight-published applications on the Salesforce platform. Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues.

Our security and engineering teams are collaborating with Salesforce to analyze the technical details, validate configurations, and determine safe restoration steps. We are continuing to consolidate information internally and externally and will provide a detailed update within the next 1 hour.

Identified: Customers using Hubspot might find that the Gainsight app has been temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact Oauth access for customer connections while the review is taking place. We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only. Thank you for your patience, we will share additional updates as more information becomes available.

Identified: We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications. Our internal investigation is ongoing, We will share additional updates as more information becomes available.

Identified: We continue to investigate the Salesforce connection issue identified earlier today. Further updates will be provided as soon as more information is available.

Identified: We are continuing to work on a fix for this issue.

Identified: We are continuing to work on a fix for this issue.

Identified: We are actively investigating the issue and continuing to monitor the situation closely. We will share further updates as soon as more information becomes available.

Identified: We have identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector. https://status.salesforce.com/generalmessages/20000233

This is currently causing disruptions to Gainsight functionalities that rely on synchronous or real-time API interactions with Salesforce.

We are investigating further and will update as we have more details.

Investigating: We are investigating reports of Salesforce Connection failures.
We will update soon as we have more details.

Monitoring: The new managed package that powers the data integration between Gainsight CS and Salesforce has successfully completed the AppExchange security review and has been published (may take a bit to show up in search due to indexing). You can continue using the installation links included in our community post under the December 11th update "How can I get the Gainsight-Salesforce connection working now?" until they show up in search. In addition, you won't see the warning message highlighted in the post anymore. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce connectivity for Gainsight CS has been approved and restoration is underway. Core Salesforce-dependent workflows are now available after reauthorization, with additional features being brought back online progressively. See the https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809 for details and next steps.

Identified: Please see FAQs for updated instructions on how to get the Gainsight-Saleforce connection working. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Great news — Salesforce has approved the Gainsight Managed Package with UI. This means you can once again access the Gainsight UI directly inside Salesforce, just as you could before. Salesforce has also approved the Gainsight Connected Apps that power data exchange between Gainsight and Salesforce. With this approval in place, customers can begin bringing their Salesforce-connected workflows back online. To resume data flow, the Gainsight Connected App needs to be reauthorized.

We’re excited to be moving into this restoration phase and will continue to share updates and guidance as more functionality comes back online. A follow-up with more details will be coming later today.

Identified: We’ve added resources to help Gainsight admins get ready for reconnecting with Salesforce once restoration begins. Visit our Community post for details and Office Hours registration. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Please see an important status update from our CEO Chuck Ganapathi regarding the completion of security investigations: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We wanted to share an important update: both Mandiant and CrowdStrike have completed their independent investigations. We’ve already shared this investigation summary with Salesforce and are now reviewing the findings together. Once those conversations are complete, we’ll publish the investigation summary on our Trust site, so you have full visibility as well.

In parallel, we are proactively working with our partners at Zendesk, HubSpot, and Gong.io to keep them fully updated so we can get those integrations re-enabled as quickly and safely as possible. Thank you for your patience and partnership as we work through this final step.

For additional clarifying info see https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We have updated FAQ to add in key questions asked in this week’s office hours. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: As part of the remediation effort, we completed the task of deactivating S3 connections for customers whose S3 access keys have not been rotated since before January 2025.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: On December 4th, between 6:00 AM - 9:00 AM PT, we will deactivate S3 connections for customers whose S3 access keys have not been rotated since before January 2025 as part of the remediation effort.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: A new update regarding IOCs and Office Hours can be found in the FAQs. FAQs: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: All customers using Google SSO OAuth, are strongly advised to complete the steps in the FAQ item item “My Google SSO login into Gainsight is failing. What can I do?”— even if access to Gainsight is still functioning—to move to SAML based authentication.

In addition, updated guidance is available for re-authenticating the GS Assist Gmail plugin and Gmail calendar integration, if you are running into issues with these features.

FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Google SSO logins (Gsuite) are currently failing for small subset of customers who use Google OAuth to sign into Gainsight. To ensure uninterrupted access, we would like to propose an alternative approach using SAML authentication. We support SAML setup with any Identity Provider, including Azure, OneLogin and Google. Our team will be happy to guide you through this configuration. Please see the question “My Google SSO login into Gainsight is failing. What can I do?” in our FAQ for more info - https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review.

We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Customers are advised to promptly rotate all S3 and connector credentials (including BigQuery, Zuora, Snowflake, etc.) used with Gainsight as part of standard security best practices. We have included a PDF with details in our FAQs Community Post. The attachment can be found at the bottom of the post.

Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 24). https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Thank you for your continued patience while we work to resolve this incident.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 23) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 which will be updated every 24 hours with any new information.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 22) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ (November 21st Update) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: Salesforce has published an updated Security Advisory on unusual activity related to Gainsight-published applications. https://help.salesforce.com/s/articleView?id=005229029&type=1 We continue to work closely with Salesforce as part of the ongoing investigation. Gainsight-published applications remain disconnected from Salesforce at this time. We will provide further updates as additional information becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We want to provide more information on the issue we shared earlier today. We have engaged Mandiant, a leader in cybersecurity, to assist us in our comprehensive, independent forensic investigation.

Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform. Salesforce has independently notified known affected customers and continues to investigate.

As noted in the FAQ, (https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809) Gainsight can provide the IP ranges and subnets that Salesforce login events from the Gainsight Connector should originate from. At this time, these details can only be shared through a support ticket. If you need this information, please open a ticket with our Support team.

We are committed to keeping you informed, and we appreciate your patience and partnership

Identified: We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. Additionally Zendesk connector access has been revoked as a precaution. Please refer to our detailed Salesforce - Gainsight Connected App Incident FAQ (November 20th Afternoon Update): https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Investigation is ongoing and we will share updates as more information becomes available. We appreciate your patience and understanding.

Identified: Access to Gainsight via Salesforce remains unavailable at this time. We continue to work closely with Salesforce to investigate and resolve the connection issue impacting Gainsight-published applications on the Salesforce platform. Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues.

Our security and engineering teams are collaborating with Salesforce to analyze the technical details, validate configurations, and determine safe restoration steps. We are continuing to consolidate information internally and externally and will provide a detailed update within the next 1 hour.

Identified: Customers using Hubspot might find that the Gainsight app has been temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact Oauth access for customer connections while the review is taking place. We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only. Thank you for your patience, we will share additional updates as more information becomes available.

Identified: We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications. Our internal investigation is ongoing, We will share additional updates as more information becomes available.

Identified: We continue to investigate the Salesforce connection issue identified earlier today. Further updates will be provided as soon as more information is available.

Identified: We are continuing to work on a fix for this issue.

Identified: We are continuing to work on a fix for this issue.

Identified: We are actively investigating the issue and continuing to monitor the situation closely. We will share further updates as soon as more information becomes available.

Identified: We have identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector. https://status.salesforce.com/generalmessages/20000233

This is currently causing disruptions to Gainsight functionalities that rely on synchronous or real-time API interactions with Salesforce.

We are investigating further and will update as we have more details.

Investigating: We are investigating reports of Salesforce Connection failures.
We will update soon as we have more details.

Monitoring: The new managed package that powers the data integration between Gainsight CS and Salesforce has successfully completed the AppExchange security review and has been published (may take a bit to show up in search due to indexing). You can continue using the installation links included in our community post under the December 11th update "How can I get the Gainsight-Salesforce connection working now?" until they show up in search. In addition, you won't see the warning message highlighted in the post anymore. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce connectivity for Gainsight CS has been approved and restoration is underway. Core Salesforce-dependent workflows are now available after reauthorization, with additional features being brought back online progressively. See the https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809 for details and next steps.

Identified: Please see FAQs for updated instructions on how to get the Gainsight-Saleforce connection working. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Great news — Salesforce has approved the Gainsight Managed Package with UI. This means you can once again access the Gainsight UI directly inside Salesforce, just as you could before. Salesforce has also approved the Gainsight Connected Apps that power data exchange between Gainsight and Salesforce. With this approval in place, customers can begin bringing their Salesforce-connected workflows back online. To resume data flow, the Gainsight Connected App needs to be reauthorized.

We’re excited to be moving into this restoration phase and will continue to share updates and guidance as more functionality comes back online. A follow-up with more details will be coming later today.

Identified: We’ve added resources to help Gainsight admins get ready for reconnecting with Salesforce once restoration begins. Visit our Community post for details and Office Hours registration. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Please see an important status update from our CEO Chuck Ganapathi regarding the completion of security investigations: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We wanted to share an important update: both Mandiant and CrowdStrike have completed their independent investigations. We’ve already shared this investigation summary with Salesforce and are now reviewing the findings together. Once those conversations are complete, we’ll publish the investigation summary on our Trust site, so you have full visibility as well.

In parallel, we are proactively working with our partners at Zendesk, HubSpot, and Gong.io to keep them fully updated so we can get those integrations re-enabled as quickly and safely as possible. Thank you for your patience and partnership as we work through this final step.

For additional clarifying info see https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We have updated FAQ to add in key questions asked in this week’s office hours. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: As part of the remediation effort, we completed the task of deactivating S3 connections for customers whose S3 access keys have not been rotated since before January 2025.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: On December 4th, between 6:00 AM - 9:00 AM PT, we will deactivate S3 connections for customers whose S3 access keys have not been rotated since before January 2025 as part of the remediation effort.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: A new update regarding IOCs and Office Hours can be found in the FAQs. FAQs: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: All customers using Google SSO OAuth, are strongly advised to complete the steps in the FAQ item item “My Google SSO login into Gainsight is failing. What can I do?”— even if access to Gainsight is still functioning—to move to SAML based authentication.

In addition, updated guidance is available for re-authenticating the GS Assist Gmail plugin and Gmail calendar integration, if you are running into issues with these features.

FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Google SSO logins (Gsuite) are currently failing for small subset of customers who use Google OAuth to sign into Gainsight. To ensure uninterrupted access, we would like to propose an alternative approach using SAML authentication. We support SAML setup with any Identity Provider, including Azure, OneLogin and Google. Our team will be happy to guide you through this configuration. Please see the question “My Google SSO login into Gainsight is failing. What can I do?” in our FAQ for more info - https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review.

We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Customers are advised to promptly rotate all S3 and connector credentials (including BigQuery, Zuora, Snowflake, etc.) used with Gainsight as part of standard security best practices. We have included a PDF with details in our FAQs Community Post. The attachment can be found at the bottom of the post.

Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 24). https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Thank you for your continued patience while we work to resolve this incident.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 23) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 which will be updated every 24 hours with any new information.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 22) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ (November 21st Update) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: Salesforce has published an updated Security Advisory on unusual activity related to Gainsight-published applications. https://help.salesforce.com/s/articleView?id=005229029&type=1 We continue to work closely with Salesforce as part of the ongoing investigation. Gainsight-published applications remain disconnected from Salesforce at this time. We will provide further updates as additional information becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We want to provide more information on the issue we shared earlier today. We have engaged Mandiant, a leader in cybersecurity, to assist us in our comprehensive, independent forensic investigation.

Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform. Salesforce has independently notified known affected customers and continues to investigate.

As noted in the FAQ, (https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809) Gainsight can provide the IP ranges and subnets that Salesforce login events from the Gainsight Connector should originate from. At this time, these details can only be shared through a support ticket. If you need this information, please open a ticket with our Support team.

We are committed to keeping you informed, and we appreciate your patience and partnership

Identified: We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. Additionally Zendesk connector access has been revoked as a precaution. Please refer to our detailed Salesforce - Gainsight Connected App Incident FAQ (November 20th Afternoon Update): https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Investigation is ongoing and we will share updates as more information becomes available. We appreciate your patience and understanding.

Identified: Access to Gainsight via Salesforce remains unavailable at this time. We continue to work closely with Salesforce to investigate and resolve the connection issue impacting Gainsight-published applications on the Salesforce platform. Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues.

Our security and engineering teams are collaborating with Salesforce to analyze the technical details, validate configurations, and determine safe restoration steps. We are continuing to consolidate information internally and externally and will provide a detailed update within the next 1 hour.

Identified: Customers using Hubspot might find that the Gainsight app has been temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact Oauth access for customer connections while the review is taking place. We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only. Thank you for your patience, we will share additional updates as more information becomes available.

Identified: We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications. Our internal investigation is ongoing, We will share additional updates as more information becomes available.

Identified: We continue to investigate the Salesforce connection issue identified earlier today. Further updates will be provided as soon as more information is available.

Identified: We are continuing to work on a fix for this issue.

Identified: We are continuing to work on a fix for this issue.

Identified: We are actively investigating the issue and continuing to monitor the situation closely. We will share further updates as soon as more information becomes available.

Identified: We have identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector. https://status.salesforce.com/generalmessages/20000233

This is currently causing disruptions to Gainsight functionalities that rely on synchronous or real-time API interactions with Salesforce.

We are investigating further and will update as we have more details.

Investigating: We are investigating reports of Salesforce Connection failures.
We will update soon as we have more details.

Monitoring: The new managed package that powers the data integration between Gainsight CS and Salesforce has successfully completed the AppExchange security review and has been published (may take a bit to show up in search due to indexing). You can continue using the installation links included in our community post under the December 11th update "How can I get the Gainsight-Salesforce connection working now?" until they show up in search. In addition, you won't see the warning message highlighted in the post anymore. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce connectivity for Gainsight CS has been approved and restoration is underway. Core Salesforce-dependent workflows are now available after reauthorization, with additional features being brought back online progressively. See the https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809 for details and next steps.

Identified: Please see FAQs for updated instructions on how to get the Gainsight-Saleforce connection working. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Great news — Salesforce has approved the Gainsight Managed Package with UI. This means you can once again access the Gainsight UI directly inside Salesforce, just as you could before. Salesforce has also approved the Gainsight Connected Apps that power data exchange between Gainsight and Salesforce. With this approval in place, customers can begin bringing their Salesforce-connected workflows back online. To resume data flow, the Gainsight Connected App needs to be reauthorized.

We’re excited to be moving into this restoration phase and will continue to share updates and guidance as more functionality comes back online. A follow-up with more details will be coming later today.

Identified: We’ve added resources to help Gainsight admins get ready for reconnecting with Salesforce once restoration begins. Visit our Community post for details and Office Hours registration. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Please see an important status update from our CEO Chuck Ganapathi regarding the completion of security investigations: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We wanted to share an important update: both Mandiant and CrowdStrike have completed their independent investigations. We’ve already shared this investigation summary with Salesforce and are now reviewing the findings together. Once those conversations are complete, we’ll publish the investigation summary on our Trust site, so you have full visibility as well.

In parallel, we are proactively working with our partners at Zendesk, HubSpot, and Gong.io to keep them fully updated so we can get those integrations re-enabled as quickly and safely as possible. Thank you for your patience and partnership as we work through this final step.

For additional clarifying info see https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We have updated FAQ to add in key questions asked in this week’s office hours. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: As part of the remediation effort, we completed the task of deactivating S3 connections for customers whose S3 access keys have not been rotated since before January 2025.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: On December 4th, between 6:00 AM - 9:00 AM PT, we will deactivate S3 connections for customers whose S3 access keys have not been rotated since before January 2025 as part of the remediation effort.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: A new update regarding IOCs and Office Hours can be found in the FAQs. FAQs: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: All customers using Google SSO OAuth, are strongly advised to complete the steps in the FAQ item item “My Google SSO login into Gainsight is failing. What can I do?”— even if access to Gainsight is still functioning—to move to SAML based authentication.

In addition, updated guidance is available for re-authenticating the GS Assist Gmail plugin and Gmail calendar integration, if you are running into issues with these features.

FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Google SSO logins (Gsuite) are currently failing for small subset of customers who use Google OAuth to sign into Gainsight. To ensure uninterrupted access, we would like to propose an alternative approach using SAML authentication. We support SAML setup with any Identity Provider, including Azure, OneLogin and Google. Our team will be happy to guide you through this configuration. Please see the question “My Google SSO login into Gainsight is failing. What can I do?” in our FAQ for more info - https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review.

We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Customers are advised to promptly rotate all S3 and connector credentials (including BigQuery, Zuora, Snowflake, etc.) used with Gainsight as part of standard security best practices. We have included a PDF with details in our FAQs Community Post. The attachment can be found at the bottom of the post.

Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 24). https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Thank you for your continued patience while we work to resolve this incident.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 23) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 which will be updated every 24 hours with any new information.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 22) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ (November 21st Update) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: Salesforce has published an updated Security Advisory on unusual activity related to Gainsight-published applications. https://help.salesforce.com/s/articleView?id=005229029&type=1 We continue to work closely with Salesforce as part of the ongoing investigation. Gainsight-published applications remain disconnected from Salesforce at this time. We will provide further updates as additional information becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We want to provide more information on the issue we shared earlier today. We have engaged Mandiant, a leader in cybersecurity, to assist us in our comprehensive, independent forensic investigation.

Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform. Salesforce has independently notified known affected customers and continues to investigate.

As noted in the FAQ, (https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809) Gainsight can provide the IP ranges and subnets that Salesforce login events from the Gainsight Connector should originate from. At this time, these details can only be shared through a support ticket. If you need this information, please open a ticket with our Support team.

We are committed to keeping you informed, and we appreciate your patience and partnership

Identified: We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. Additionally Zendesk connector access has been revoked as a precaution. Please refer to our detailed Salesforce - Gainsight Connected App Incident FAQ (November 20th Afternoon Update): https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Investigation is ongoing and we will share updates as more information becomes available. We appreciate your patience and understanding.

Identified: Access to Gainsight via Salesforce remains unavailable at this time. We continue to work closely with Salesforce to investigate and resolve the connection issue impacting Gainsight-published applications on the Salesforce platform. Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues.

Our security and engineering teams are collaborating with Salesforce to analyze the technical details, validate configurations, and determine safe restoration steps. We are continuing to consolidate information internally and externally and will provide a detailed update within the next 1 hour.

Identified: Customers using Hubspot might find that the Gainsight app has been temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact Oauth access for customer connections while the review is taking place. We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only. Thank you for your patience, we will share additional updates as more information becomes available.

Identified: We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications. Our internal investigation is ongoing, We will share additional updates as more information becomes available.

Identified: We continue to investigate the Salesforce connection issue identified earlier today. Further updates will be provided as soon as more information is available.

Identified: We are continuing to work on a fix for this issue.

Identified: We are continuing to work on a fix for this issue.

Identified: We are actively investigating the issue and continuing to monitor the situation closely. We will share further updates as soon as more information becomes available.

Identified: We have identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector. https://status.salesforce.com/generalmessages/20000233

This is currently causing disruptions to Gainsight functionalities that rely on synchronous or real-time API interactions with Salesforce.

We are investigating further and will update as we have more details.

Investigating: We are investigating reports of Salesforce Connection failures.
We will update soon as we have more details.

Monitoring: The new managed package that powers the data integration between Gainsight CS and Salesforce has successfully completed the AppExchange security review and has been published (may take a bit to show up in search due to indexing). You can continue using the installation links included in our community post under the December 11th update "How can I get the Gainsight-Salesforce connection working now?" until they show up in search. In addition, you won't see the warning message highlighted in the post anymore. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce connectivity for Gainsight CS has been approved and restoration is underway. Core Salesforce-dependent workflows are now available after reauthorization, with additional features being brought back online progressively. See the https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809 for details and next steps.

Identified: Please see FAQs for updated instructions on how to get the Gainsight-Saleforce connection working. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Great news — Salesforce has approved the Gainsight Managed Package with UI. This means you can once again access the Gainsight UI directly inside Salesforce, just as you could before. Salesforce has also approved the Gainsight Connected Apps that power data exchange between Gainsight and Salesforce. With this approval in place, customers can begin bringing their Salesforce-connected workflows back online. To resume data flow, the Gainsight Connected App needs to be reauthorized.

We’re excited to be moving into this restoration phase and will continue to share updates and guidance as more functionality comes back online. A follow-up with more details will be coming later today.

Identified: We’ve added resources to help Gainsight admins get ready for reconnecting with Salesforce once restoration begins. Visit our Community post for details and Office Hours registration. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Please see an important status update from our CEO Chuck Ganapathi regarding the completion of security investigations: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We wanted to share an important update: both Mandiant and CrowdStrike have completed their independent investigations. We’ve already shared this investigation summary with Salesforce and are now reviewing the findings together. Once those conversations are complete, we’ll publish the investigation summary on our Trust site, so you have full visibility as well.

In parallel, we are proactively working with our partners at Zendesk, HubSpot, and Gong.io to keep them fully updated so we can get those integrations re-enabled as quickly and safely as possible. Thank you for your patience and partnership as we work through this final step.

For additional clarifying info see https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We have updated FAQ to add in key questions asked in this week’s office hours. https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: As part of the remediation effort, we completed the task of deactivating S3 connections for customers whose S3 access keys have not been rotated since before January 2025.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: On December 4th, between 6:00 AM - 9:00 AM PT, we will deactivate S3 connections for customers whose S3 access keys have not been rotated since before January 2025 as part of the remediation effort.

Please see the “Important NOTE” section at the top of the FAQ for quick reconnection steps: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: No updates to the FAQ as we continue to work through the investigation. Please review the Office Hours schedule mentioned in the current FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: A new update regarding IOCs and Office Hours can be found in the FAQs. FAQs: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: All customers using Google SSO OAuth, are strongly advised to complete the steps in the FAQ item item “My Google SSO login into Gainsight is failing. What can I do?”— even if access to Gainsight is still functioning—to move to SAML based authentication.

In addition, updated guidance is available for re-authenticating the GS Assist Gmail plugin and Gmail calendar integration, if you are running into issues with these features.

FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Google SSO logins (Gsuite) are currently failing for small subset of customers who use Google OAuth to sign into Gainsight. To ensure uninterrupted access, we would like to propose an alternative approach using SAML authentication. We support SAML setup with any Identity Provider, including Azure, OneLogin and Google. Our team will be happy to guide you through this configuration. Please see the question “My Google SSO login into Gainsight is failing. What can I do?” in our FAQ for more info - https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review.

We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Customers are advised to promptly rotate all S3 and connector credentials (including BigQuery, Zuora, Snowflake, etc.) used with Gainsight as part of standard security best practices. We have included a PDF with details in our FAQs Community Post. The attachment can be found at the bottom of the post.

Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 24). https://communities.gainsight.com/community-news-2/salesforce-security-advisory-relating-to-gainsight-faqs-29809

Forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Thank you for your continued patience while we work to resolve this incident.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 23) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 which will be updated every 24 hours with any new information.

Identified: Salesforce - Gainsight Connected App Incident FAQ Update (November 22) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available. Please refer to the current active FAQ: https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Salesforce - Gainsight Connected App Incident FAQ (November 21st Update) - https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809 We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: Salesforce has published an updated Security Advisory on unusual activity related to Gainsight-published applications. https://help.salesforce.com/s/articleView?id=005229029&type=1 We continue to work closely with Salesforce as part of the ongoing investigation. Gainsight-published applications remain disconnected from Salesforce at this time. We will provide further updates as additional information becomes available.

Identified: We continue to work closely with Salesforce on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review. We will continue to share updates as the investigation progresses and provide additional information as it becomes available.

Identified: We want to provide more information on the issue we shared earlier today. We have engaged Mandiant, a leader in cybersecurity, to assist us in our comprehensive, independent forensic investigation.

Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform. Salesforce has independently notified known affected customers and continues to investigate.

As noted in the FAQ, (https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809) Gainsight can provide the IP ranges and subnets that Salesforce login events from the Gainsight Connector should originate from. At this time, these details can only be shared through a support ticket. If you need this information, please open a ticket with our Support team.

We are committed to keeping you informed, and we appreciate your patience and partnership

Identified: We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce. Additionally Zendesk connector access has been revoked as a precaution. Please refer to our detailed Salesforce - Gainsight Connected App Incident FAQ (November 20th Afternoon Update): https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809

Identified: Investigation is ongoing and we will share updates as more information becomes available. We appreciate your patience and understanding.

Identified: Access to Gainsight via Salesforce remains unavailable at this time. We continue to work closely with Salesforce to investigate and resolve the connection issue impacting Gainsight-published applications on the Salesforce platform. Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues.

Our security and engineering teams are collaborating with Salesforce to analyze the technical details, validate configurations, and determine safe restoration steps. We are continuing to consolidate information internally and externally and will provide a detailed update within the next 1 hour.

Identified: Customers using Hubspot might find that the Gainsight app has been temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact Oauth access for customer connections while the review is taking place. We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only. Thank you for your patience, we will share additional updates as more information becomes available.

Identified: We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications. Our internal investigation is ongoing, We will share additional updates as more information becomes available.

Identified: We continue to investigate the Salesforce connection issue identified earlier today. Further updates will be provided as soon as more information is available.

Identified: We are continuing to work on a fix for this issue.

Identified: We are continuing to work on a fix for this issue.

Identified: We are actively investigating the issue and continuing to monitor the situation closely. We will share further updates as soon as more information becomes available.

Identified: We have identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector. https://status.salesforce.com/generalmessages/20000233

This is currently causing disruptions to Gainsight functionalities that rely on synchronous or real-time API interactions with Salesforce.

We are investigating further and will update as we have more details.

Investigating: We are investigating reports of Salesforce Connection failures.
We will update soon as we have more details.