Salesforce has released a security notification to its customers detailing a security incident originating from its partner, Gainsight. The communication provides a specific timeline for the breach and offers guidance for customers to investigate potential impacts on their environments.
The incident involved an unauthorized third party gaining access to a Gainsight system that contained a Salesforce access token. This access token was then used by the threat actor to gain unauthorized access to certain Salesforce customer instances.
Attack Timeline and Compromise Details
According to the notification from Salesforce, the unauthorized access occurred within a defined period. The company has identified the attack window as being between September 5, 2025, and September 9, 2025. The breach was discovered after Gainsight identified suspicious activity within its network environment. The unauthorized access was achieved using a compromised Salesforce session token that was stored on Gainsight’s infrastructure, which allowed the actor to access customer data via the API.
Investigation and Remediation Guidance
Salesforce has provided customers with specific instructions to aid in their own internal investigations. The company is advising administrators to review audit logs for any suspicious activity that occurred during the identified attack window. To facilitate this process, Salesforce has supplied customers with specific Salesforce Object Query Language (SOQL) queries designed to detect potential indicators of compromise.
Furthermore, as a precautionary measure, customers have been instructed to revoke all active sessions for the potentially impacted Salesforce integration user. This action is intended to invalidate any existing authentication tokens and secure the environment from further unauthorized access related to this incident. Salesforce continues to work with Gainsight on the ongoing investigation.
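To illustrate the audit-log review described above, the following added example (not one of the SOQL queries Salesforce supplied, and not code from Salesforce or Gainsight) filters an exported login log for the integration user inside the stated attack window and marks source IPs that are not on a known list. The column names, the user ID, the IP list, and the treatment of both dates as inclusive UTC days are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Attack window from the notification. Treating September 5 and September 9
# as inclusive UTC days is an assumption; adjust to your org's time zone.
WINDOW_START = datetime(2025, 9, 5, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 9, 10, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed sample export. Column names are assumed, modelled on a
# login-history style export; IDs and IPs are placeholders.
SAMPLE_EXPORT = """\
UserId,LoginTime,SourceIp,LoginType
005INTEGRATION,2025-09-04T23:59:10Z,203.0.113.10,Remote Access 2.0
005INTEGRATION,2025-09-05T00:00:00Z,203.0.113.10,Remote Access 2.0
005INTEGRATION,2025-09-07T14:22:31Z,198.51.100.77,Remote Access 2.0
005OTHERUSER,2025-09-07T15:00:00Z,198.51.100.77,Application
005INTEGRATION,2025-09-09T23:59:59Z,198.51.100.77,Remote Access 2.0
005INTEGRATION,2025-09-10T00:00:00Z,198.51.100.77,Remote Access 2.0
"""


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp such as 2025-09-07T14:22:31Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def triage(export_text, integration_user, known_ips):
    """Return the integration user's events inside the attack window.

    Each returned row gains an 'unknown_ip' flag that is True when the
    source IP is not in known_ips (the addresses the integration is
    expected to connect from, a hypothetical list kept by the admin).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["UserId"] != integration_user:
            continue
        when = parse_time(row["LoginTime"])
        if not (WINDOW_START <= when < WINDOW_END):
            continue
        findings.append({**row, "unknown_ip": row["SourceIp"] not in known_ips})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_EXPORT, "005INTEGRATION", {"203.0.113.10"}):
        marker = "REVIEW" if hit["unknown_ip"] else "ok"
        print(marker, hit["LoginTime"], hit["SourceIp"], hit["LoginType"])
```

Rows flagged for review are leads for the investigation, not proof of compromise; revoking the integration user's sessions is a separate step performed in Salesforce itself.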
Source: https://www.helpnetsecurity.com/2025/11/26/gainsight-breach-salesforce-details-attack-window/