The Salesforce-Gainsight Security Incident: What You Need to Know
ID: 0b2b5edd-de48-5f62-a67e-e2afc8ea1958
STIX ID: report--0b2b5edd-de48-5f62-a67e-e2afc8ea1958
Feed Name: Recorded Future Blog
Between November 19 and 23, 2025, Salesforce and Gainsight investigated suspicious API activity originating from non-allowlisted IP addresses via Gainsight's Salesforce integrations. Salesforce revoked the related access tokens and restricted integration functionality, and several services and third-party connectors were temporarily disabled. Indicators point to Tor/proxy infrastructure and to IP addresses previously tied to an August 2025 UNC6040 CRM campaign, with the malware families SmokeLoader, Stealc, DCRat, and Vidar observed communicating with the implicated IPs. Gainsight reports no confirmed exfiltration so far and has taken mitigation steps; it recommends rotating tokens, reviewing logs, allowlisting IP addresses, enforcing MFA, and isolating and reauthorizing integrations.
