Learn how threat intelligence identifies supply-chain compromise risks in SaaS integrations and how Recorded Future helps organizations defend against attacks like the Salesforce-Gainsight incident.
# Incident Report: Supply Chain SaaS Integration Compromise (Salesforce-Gainsight)
## Executive Summary
On November 19, 2025, Salesforce detected suspicious API activity originating from Gainsight applications connected to its CRM. This incident highlights a supply-chain risk where a compromised trusted third-party integration (Gainsight) led to unauthorized access via suspicious API calls from non-allowlisted IP addresses, some associated with prior threat campaigns. Response actions included immediate revocation of access tokens, though the full scope of customer impact is still under investigation.
## Incident Details
- **Discovery Date:** November 19, 2025
- **Incident Date:** Incident investigation confirmed activity starting around November 19, 2025 (Suspicious API calls detected).
- **Affected Organization:** Gainsight (Primary affected integration partner), three unnamed Salesforce customers suspected to be impacted.
- **Sector:** Technology/SaaS (CRM Integration)
- **Geography:** Not explicitly specified, assumed global given the nature of SaaS platforms.
## Timeline of Events
### Initial Access
- **Date/Time:** November 19, 2025 (when suspicious activity was detected).
- **Vector:** Suspicious API calls originating from Gainsight integrated applications.
- **Details:** The calls originated from non-allowlisted IP addresses communicating with the Salesforce CRM environment via the Gainsight Connected App.
### Lateral Movement
- **Details:** The report focuses primarily on initial unauthorized access via the integration; specific internal lateral movement within the affected customer environments is not detailed, though the actors exploited established OAuth/API trust.
### Data Exfiltration/Impact
- **Details:** Gainsight stated they had *not* identified evidence of data exfiltration at the time of the report. The immediate impact was service disruption for Gainsight services (CS, Community, Northpass, Skilljar, Staircase) which lost the ability to read/write Salesforce data.
### Detection & Response
- **Details:** Salesforce detected the suspicious API calls originating from unauthorized IPs. Salesforce immediately revoked access tokens associated with Gainsight applications and restricted integration functionality. Other platforms using related connectors (Zendesk, Gong.io, HubSpot) proactively disabled their connectors.
## Attack Methodology
The report focuses on the *resulting* unauthorized access rather than a detailed TTP breakdown of the initial exploitation of Gainsight/the attacker's foothold, but provides context via past campaigns:
- **Initial Access:** Exploitation of trusted SaaS integration access (OAuth/API keys) via unusual external IPs.
- **Persistence:** (Implied) Persistence was established via active, potentially hijacked, integration tokens/API keys.
- **Privilege Escalation:** (Not specified) Access likely leveraged the permissions granted to the Gainsight Connected App.
- **Defense Evasion:** Attackers used Tor exit nodes or commodity proxy/VPN infrastructure, which is common for covering traffic origin.
- **Credential Access:** (Implied) Access relied on the established trust relationship rather than direct credential theft from the victims, though indicators linked to previous campaigns that *did* involve data exfiltration exist.
- **Discovery:** (Implied) Discovery likely occurred via the API calls allowed by the integration permissions.
- **Lateral Movement:** (Not specified)
- **Collection:** (Not specified, but possible through the API calls the integration's permissions allow)
- **Exfiltration:** (No evidence confirmed at time of report)
- **Impact:** Service disruption for integrated functions.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Three unnamed customers suspected to be impacted. No evidence of data exfiltration confirmed by Gainsight. Potential for unauthorized access/credential misuse remains.
- **Operational:** Disruption to several Gainsight services (CS, Community, Northpass, Skilljar, Staircase) until tokens were revoked. Precautionary disabling of connectors on Zendesk, Gong.io, and HubSpot occurred.
- **Reputational:** Highlights supply-chain risks inherent in deeply integrated SaaS ecosystems.
## Indicators of Compromise
- **Network Indicators (IPs involved):** `109.70.100[.]68`, `109.70.100[.]71` (previously linked to August 2025 campaign). Many involved IPs were Tor exit nodes or commodity proxies.
- **File Indicators:** Malware samples previously observed communicating with these IPs included SmokeLoader, Stealc, DCRat, and Vidar. This indicates the infrastructure's prior malicious use, not that these families were executed in this event.
- **Behavioral Indicators:** Suspicious API calls originating from non-allowlisted IPs against the Salesforce CRM via the Gainsight integration.
## Response Actions
- **Containment Measures (Salesforce):** Immediately revoked access tokens associated with Gainsight applications; restricted integration functionality.
- **Containment Measures (Gainsight):** Rotating multi-factor credentials; restricting access to its VPN and critical infrastructure.
- **Customer Remediation (Recommended):**
  - Revoke and rotate OAuth tokens and API keys associated with the Gainsight-Salesforce Connected App.
  - Review logs for anomalous API traffic and unexpected IP sources.
  - Apply IP allowlists based on published IoCs.
  - Implement conditional access and device trust validation.
  - Enforce MFA and reset credentials on privileged accounts.
  - Gainsight-specific: rotate S3 keys, reset NXT passwords, and reauthorize integrations.
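The behavioral indicator above (API calls through the Gainsight integration from non-allowlisted IPs) and the log-review and allowlist steps in the remediation list can be turned into a simple triage pass. The following is an added example, not code from Recorded Future, Salesforce, or Gainsight: it refangs the two IoC addresses published in this report, checks each API event against a hypothetical allowlist of expected integration source ranges, and lists the integration accounts whose tokens should be rotated. The allowlist CIDRs, the event records, and their field names are constructed for this example and do not claim to match Salesforce's real event schema.

```python
import ipaddress

# Known IoCs from the report, in the defanged form in which they were published.
DEFANGED_IOCS = ["109.70.100[.]68", "109.70.100[.]71"]

# Hypothetical allowlist: the source ranges the organization expects its
# Gainsight Connected App to call from. Constructed for this example.
ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample API event records. Field names are illustrative only,
# not Salesforce's real ApiEvent schema.
SAMPLE_EVENTS = [
    {"ts": "2025-11-19T08:01:12Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "203.0.113.10", "op": "Query", "rows": 120},
    {"ts": "2025-11-19T08:07:45Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "109.70.100.68", "op": "Query", "rows": 50000},
    {"ts": "2025-11-19T08:09:02Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "192.0.2.77", "op": "Query", "rows": 20000},
    {"ts": "2025-11-19T08:10:30Z", "user": "alice@example.com",
     "app": "Salesforce Mobile", "ip": "198.51.100.5", "op": "Query", "rows": 10},
]


def refang(indicator):
    """Turn a defanged indicator such as 109.70.100[.]68 back into a parseable IP."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def build_allowlist(cidrs):
    """Parse allowlist CIDR strings into network objects once, up front."""
    return [ipaddress.ip_network(c) for c in cidrs]


def in_allowlist(ip, networks):
    """True when the source IP falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(events, allowlist_cidrs=ALLOWLIST, defanged_iocs=DEFANGED_IOCS, app="Gainsight"):
    """Flag API events routed through the named Connected App that come from
    a published IoC address or from any IP outside the allowlist.

    Each finding carries the original event plus a list of reasons, so an
    analyst can see whether a hit is a known IoC, an unexpected source, or both.
    """
    networks = build_allowlist(allowlist_cidrs)
    iocs = {refang(i) for i in defanged_iocs}
    findings = []
    for ev in events:
        if ev["app"] != app:
            continue  # only traffic attributed to the integration of interest
        reasons = []
        if ev["ip"] in iocs:
            reasons.append("known-ioc")
        if not in_allowlist(ev["ip"], networks):
            reasons.append("non-allowlisted-ip")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def accounts_to_rotate(findings):
    """Integration accounts seen in any finding: their OAuth tokens and API
    keys are the ones the remediation steps say to revoke and rotate."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["user"]} {h["ip"]} rows={h["rows"]} -> {", ".join(h["reasons"])}')
    print("rotate credentials for:", accounts_to_rotate(hits))
```

The two flagged records show why both checks are worth keeping: one source is a published IoC, the other is merely outside the expected ranges, and a process that only matched IoCs would have missed the second, larger query. In practice the event feed would come from the platform's API event monitoring and the allowlist from the integration vendor's documented egress ranges.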
## Lessons Learned
- Reliance on deep, persistent SaaS integrations (OAuth tokens, API keys) creates critical single points of failure if the third party is compromised (Supply-Chain Risk).
- Threat actors reuse infrastructure, as evidenced by IoCs linked to previous CRM compromise campaigns.
- Organizations must move beyond "set and forget" for SaaS integrations.
## Recommendations
- Implement Zero-Trust principles for all API access, requiring revalidation or stricter controls on connected apps.
- Implement robust, continuous monitoring of authentication and authorization activities across all integrated platforms.
- Customers using affected integrations should immediately revoke and rotate all related tokens/keys and isolate connections until reauthorization is confirmed.