Salesforce reported detecting unusual activity involving the AppExchange Gainsight application, which is installed and managed by Salesforce customers. According to Salesforce, the observed behavior may have allowed unauthorized access to customer data via the app’s connection. No vulnerabilities were reported within Salesforce’s platform itself. Salesforce disabled the OAuth connection for all Gainsight-published applications on November 20, 2025, suspending their ability to interact with Salesforce environments until further notice.
Salesforce emphasized that the revocation of OAuth tokens does not affect historical logs or audit data. Customers retain access to Setup Audit Trails, Event Monitoring logs, and API records to support their investigations. While Salesforce suggests reviewing these logs for potential compromise, it remains unconfirmed whether the root cause lies solely with the Gainsight application or its integration configuration.
IOCs (16)
IP ADDRESS 16
Detections
- Monitor third-party vendor access for unusual activity patterns or access outside normal business hours
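
One way to implement this check over exported integration access records, as an added example that is not part of the original advisory. The CSV columns, the `VendorApp` and `OtherApp` names, the UTC business-hours window, the baseline cutoff and the 10x volume multiplier are all assumptions, and the log lines are constructed.

```python
import csv
import io
from datetime import datetime, time, timezone

# Constructed sample export. Column names and app names are hypothetical,
# not a Salesforce log schema; IPs are from documentation ranges.
SAMPLE_LOG = """\
timestamp,app_name,source_ip,rows_returned
2025-11-03T14:05:00+00:00,VendorApp,192.0.2.10,120
2025-11-04T15:30:00+00:00,VendorApp,192.0.2.10,95
2025-11-05T09:45:00+00:00,VendorApp,192.0.2.11,110
2025-11-18T02:17:00+00:00,VendorApp,203.0.113.77,48000
2025-11-18T13:02:00+00:00,VendorApp,192.0.2.10,130
2025-11-19T22:40:00+00:00,VendorApp,192.0.2.11,100
2025-11-19T10:00:00+00:00,OtherApp,198.51.100.5,10
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed window, UTC
BASELINE_END = datetime.fromisoformat("2025-11-10T00:00:00+00:00")  # assumed cutoff
VOLUME_MULTIPLIER = 10  # assumed: flag responses 10x the baseline maximum


def find_anomalies(log_text, app_name):
    """Return (timestamp, source_ip, reasons) for unusual post-baseline events."""
    rows = []
    for r in csv.DictReader(io.StringIO(log_text)):
        if r["app_name"] == app_name:
            ts = datetime.fromisoformat(r["timestamp"]).astimezone(timezone.utc)
            rows.append((ts, r["timestamp"], r["source_ip"], int(r["rows_returned"])))
    # Learn the integration's normal source IPs and response sizes.
    baseline = [r for r in rows if r[0] < BASELINE_END]
    known_ips = {ip for _, _, ip, _ in baseline}
    volume_limit = VOLUME_MULTIPLIER * max((n for *_, n in baseline), default=0)
    findings = []
    for ts, raw_ts, ip, n in rows:
        if ts < BASELINE_END:
            continue
        reasons = []
        in_hours = ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END
        if not in_hours:
            reasons.append("off_hours")
        if ip not in known_ips:
            reasons.append("new_source_ip")
        if volume_limit and n > volume_limit:  # skipped when no baseline exists
            reasons.append("volume_spike")
        if reasons:
            findings.append((raw_ts, ip, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, "VendorApp"):
        print(finding)
```

An integration with no baseline records, such as `OtherApp` in the sample, has every source IP reported as new, which is the intended behaviour for a connection that was not previously observed.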