Gainsight Breach Incident Score: Analysis & Impact (GAI0892408112625)

In this Rankiteo incident briefing, we review the Gainsight breach identified under incident ID GAI0892408112625.

The analysis begins with a detailed overview of Gainsight's information like the linkedin page: https://www.linkedin.com/company/gainsight, the number of followers: 157947, the industry type: Software Development and the number of employees: 1100 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 616 and after the incident was 553 with a difference of -63 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Gainsight and their customers.

On 21 November 2025, Salesforce disclosed Unauthorized Access, Data Breach and API Abuse issues under the banner "Compromise of Gainsight-Published Applications Affecting Salesforce Customers".

The number of Salesforce customers affected by the recent compromise of Gainsight-published applications is yet to be publicly confirmed.

The disruption is felt across the environment, affecting Gainsight-Published Applications, Salesforce Connected App and S3 Buckets, and exposing True.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Revoked Gainsight OAuth Tokens, Disabled Gainsight-Salesforce Connection and Published IoCs for Customer Review, and began remediation that includes Rotated S3 Bucket Access Keys, Password Resets for Non-SSO Users and Reauthorization of Connected Apps, while recovery efforts such as Environment Hardening by Gainsight and Restoration of Salesforce Connected App (Pending) continue, and stakeholders are being briefed through Public Advisories from Salesforce & Gainsight, Customer Guidance for Log Review and Ongoing Updates on Investigation.

The case underscores how Ongoing (Salesforce, Gainsight, Mandiant), and recommending next steps like Review Salesforce logs for unexpected activity related to Gainsight connections, Rotate S3 bucket access keys used for Gainsight connections and Log in to Gainsight NXT directly (avoid Salesforce SSO until restored), with advisories going out to stakeholders covering Salesforce IoC List, Gainsight Security Recommendations and Mandiant Investigation Support.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including exploitation of its Salesforce-connected applications via Compromised OAuth Tokens, and revoked Gainsight’s OAuth tokens (Salesforce response) and Exploit Public-Facing Application (T1190) with high confidence (90%), with evidence including malicious User-Agent strings (e.g., *Salesforce-Multi-Org-Fetcher/1.0*) to bypass authentication, and insufficient validation of user agent strings in Gainsight Connected App. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate to high confidence (85%), with evidence including shiny Hunters claimed **three months of undetected access**, and reauthorization of Connected Apps (remediation measure). Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (80%), with evidence including rotate S3 bucket keys (remediation measure), and potential OAuth token mismanagement (root cause) and Unsecured Credentials: Cloud Instance Metadata API (T1552.007) with moderate to high confidence (70%), supported by evidence indicating aWS-linked IPs used in intrusions (potential AWS metadata exploitation). Under the Defense Evasion tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), supported by evidence indicating bypass authentication via malicious User-Agent strings and OAuth tokens, Proxy: Tor/VPN/Cloud (T1090.004) with high confidence (90%), supported by evidence indicating intrusions between November 16–23 via **VPNs, Tor, and AWS-linked IPs**, and Obfuscated Files or Information: Software Packing (T1027.002) with moderate to high confidence (75%), supported by evidence indicating malicious User-Agent strings (e.g., *Salesforce-Multi-Org-Fetcher/1.0*) (spoofing legit traffic). Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with moderate to high confidence (85%), with evidence including reconnaissance on **November 8, 2025** prior to intrusion, and review Salesforce logs for unexpected activity (recommendation). Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (80%), with evidence including high-value targets such as **Salesforce Customer Data, Gainsight NXT User Credentials**, and potential PII was accessed (unconfirmed). Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (75%), with evidence including data exfiltration such as **Alleged (Claimed by Shiny Hunters, Unverified)**, and tor/VPN/AWS IPs used for intrusions (potential exfiltration channels). Under the Impact tactic, the analysis identified Data Destruction (T1485) with lower confidence (30%), supported by evidence indicating no public data leaks verified (but disruption via token revocation) and Endpoint Denial of Service: Application or System Exploitation (T1499.004) with moderate to high confidence (70%), supported by evidence indicating disrupted Gainsight-Salesforce Integration, Manual Login Required for Gainsight NXT. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.