When OAuth Tokens Live Too Long & a Two-Week Hardening Sprint
A look at token longevity, an unexpected timeline, and the changes that followed
This article is by Prem Parameswaran, CTO of Gainsight
Over the past few weeks, I have spoken with many of you regarding the security advisory involving Gainsight’s Connected App on Salesforce and promised a comprehensive technical explanation. This post explains what we found, what the investigation revealed, and what the Gainsight team built in response.
How the Advisory Began
On November 19, 2025, Salesforce contacted us about unusual activity involving Gainsight-published applications connected to Salesforce. They saw requests hitting their systems that weren’t coming from Gainsight’s applications, infrastructure, or our IP addresses, but were using OAuth tokens that had been issued to the Gainsight-Salesforce connector.
We immediately engaged Mandiant and CrowdStrike, two of the world’s leading cybersecurity firms, to conduct a comprehensive investigation. They had full access to all our environments: production, development, and corporate; all systems, endpoints, backups, and logs. There were no constraints on their scope.
Separately, on November 20, 2025, Mandiant received an email from an individual or group self-identifying as threat actor(s) containing a file with 285 Salesforce OAuth tokens associated with the Gainsight integration.
After completing their exhaustive investigation, they concluded three key things:
They could not identify the source of the leaked token set.
They found no evidence in Gainsight logs of active threat actor(s).
They found no evidence, going back as far as our logs allow (one year), that the leaked tokens originated from Gainsight’s systems.
The investigation established the timeline and nature of the events, but identifying the root cause was more complex due to the timeframes involved, which we’ll explain.
Two Events Across Two Years
What appears as a single advisory actually involves two distinct events separated by at least two years.
Recent event (October — November 2025): Threat actor(s) reused older OAuth tokens to call Salesforce APIs against customer orgs where those tokens remained active.
Historical event (~August 2023): Threat actor(s) originally obtained those tokens from Gainsight or harvested them from external environments or endpoints outside of Gainsight’s control.
To understand what happened, we had to work backward. We started with what we could see clearly, the recent token usage, and traced back to determine where those tokens came from.
Analyzing the Token Usage
On October 22, 2025, the threat actor(s) validated approximately 250 OAuth tokens associated with the Gainsight integration, testing in bulk to determine which credentials were still active. This is standard attacker behavior: you don’t use old credentials at scale without first checking what still works.
Between November 16–19, 2025, the threat actor(s) used the validated tokens to call Salesforce APIs against customer orgs where those tokens remained active. This activity occurred on Salesforce infrastructure, and we did not observe corresponding access to Gainsight applications, systems, or APIs as part of it.
On November 19, 2025, Salesforce detected the suspicious activity and responded by revoking all active tokens associated with the integration and temporarily removing the Gainsight connector from the AppExchange. This was the appropriate response to limit further exposure.
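The two signals described above, a burst of distinct tokens being validated from one source and token use from addresses outside the integration's own egress ranges, can be checked mechanically. The following is an added illustration, not Gainsight's or Salesforce's detection logic; the log format, the trusted range and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real Salesforce or Gainsight log format):
# ISO timestamp, source IP, token identifier (e.g. a hash prefix), endpoint.
SAMPLE_LOG = """\
2025-10-22T09:00:01Z 203.0.113.7 tok_a1 /oauth2/userinfo
2025-10-22T09:00:02Z 203.0.113.7 tok_b2 /oauth2/userinfo
2025-10-22T09:00:03Z 203.0.113.7 tok_c3 /oauth2/userinfo
2025-10-22T09:00:04Z 203.0.113.7 tok_d4 /oauth2/userinfo
2025-10-22T09:00:05Z 203.0.113.7 tok_e5 /oauth2/userinfo
2025-10-22T09:00:07Z 203.0.113.7 tok_f6 /oauth2/userinfo
2025-10-22T10:15:00Z 198.51.100.10 tok_a1 /services/data/query
2025-10-22T10:15:30Z 198.51.100.10 tok_a1 /services/data/query
"""

# Assumed vendor egress range; in practice this is the integration's published IP list.
TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
BULK_THRESHOLD = 5            # distinct tokens from one source within WINDOW
WINDOW = timedelta(minutes=10)

def parse(log):
    """Yield (timestamp, source_ip, token_id, path) for each log line."""
    for line in log.splitlines():
        ts, ip, tok, path = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, tok, path

def detect(log):
    """Return (sources validating tokens in bulk, sources outside trusted ranges)."""
    events = defaultdict(list)   # source ip -> [(timestamp, token_id)]
    untrusted = set()
    for ts, ip, tok, _path in parse(log):
        events[ip].append((ts, tok))
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_RANGES):
            untrusted.add(ip)
    bulk = set()
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct tokens seen from this source in the window starting at `start`.
            tokens = {t for ts, t in evs[i:] if ts - start <= WINDOW}
            if len(tokens) >= BULK_THRESHOLD:
                bulk.add(ip)
                break
    return bulk, untrusted
```

The same token used again from a trusted source is deliberately not flagged: the bulk rule counts distinct tokens, not request volume.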
Analyzing the Token Origin
Mandiant’s investigation focused on the harder question: when, where, and how these tokens were originally obtained.
The story here is more complicated. The first step was to determine where the set of tokens existed in the Gainsight environment. We did not find this set in our current systems or in any of our backups.
Mandiant examined the 285 Salesforce tokens in the threat actor(s)’ dataset and determined they were at least two years old. The most recent token was created in August 2023; the oldest dates back to October 2017, reflecting customer-issued Salesforce OAuth tokens that can persist until customers rotate or revoke them.
One finding stood out. By late November 2025, only about 23% of those tokens still existed in our systems. The rest had been rotated away over time as customers updated credentials. This is a significant finding. It confirmed that the token set was a historical snapshot, ruling out a recent breach. The only window during which this entire set of tokens existed anywhere in our systems was in and around that historical period, more than two years in the past.
The threat actor(s)’ behavior reinforces that conclusion. Testing credentials in bulk on October 22 is what you would expect when someone is sitting on an old dataset and trying to figure out what still works.
Where did these tokens come from?
Given the age of the tokens, there are two possible origins:
They could have leaked from Gainsight’s own systems at some point in the past.
They could have been harvested from external environments or endpoints outside of Gainsight’s control.
Since we could not definitively determine the source, we proceeded on the stricter premise that the tokens originated from our systems.
However, time is an unavoidable constraint. Our logs go back one year, which is consistent with industry standards for security, privacy, and compliance. Within that window, Mandiant found no evidence that would explain how these tokens were obtained from our systems.
Because the tokens are aged between two and eight years, the original exposure event occurred outside our forensic visibility. While we cannot rewind the clock to identify the specific historical vector, we can address why a token from 2017 was still usable today.
At the Root of the Issue: Long-Lived Tokens
While we cannot determine the exact circumstances of the original leak, we can identify the systemic issue that caused this advisory: OAuth tokens were allowed to live too long.
Unlike physical key cards that expire when you check out of a hotel, these tokens could remain valid indefinitely unless explicitly revoked or rotated. A token issued in 2017 could theoretically still work in 2025.
This wasn’t unique to Gainsight. Long-lived OAuth tokens were common practice across the industry, and for understandable reasons. Frequent token expiration creates friction: integrations break, users get logged out, automated workflows fail. The original design prioritized seamless access.
Today, the security model has shifted from “keep tokens safe” to “assume tokens will eventually leak and limit the blast radius when they do.” If tokens can live for years and are leaked at any point in that lifespan, they would remain exploitable far into the future. The window of vulnerability becomes the entire lifetime of the token.
That’s why we focused on solving this systemic issue immediately.
Immediate Remediation: What We Built in Weeks
When the advisory emerged, we immediately reprioritized our engineering efforts to accelerate security hardening and risk reduction across the platform, while continuing to support our customers and ongoing product development.
Access and Credential Security:
Rotated all system credentials and tokens to eliminate any potential compromise
Enforced multi-factor authentication (MFA) for all users
Deleted unused or stale access keys
Deployed solutions to scan for and secure sensitive credentials
OAuth Token Lifecycle Management: Our CEO Chuck Ganapathi wrote in detail about the four major OAuth enhancements we implemented: automatic token rotation (tokens now refresh every few hours), refresh token protection (each refresh token works only once), trusted IP range restrictions, and Proof Key for Code Exchange (PKCE) for the authentication flow. These protections would now block, or materially limit, the attack pattern we observed.
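The lifetime argument above and three of the four enhancements listed here (short-lived access tokens, one-time refresh tokens, PKCE) can be shown in a toy authorization-server token store. This is an added example, not Gainsight’s or Salesforce’s implementation; the four-hour access-token lifetime and the revoke-the-whole-grant response to a replayed refresh token are assumptions chosen for illustration.

```python
import base64
import hashlib
import secrets

ACCESS_TTL = 4 * 3600   # seconds; "every few hours" in the post, exact value assumed

class TokenStore:
    """Toy token store: expiring access tokens and single-use refresh tokens."""

    def __init__(self):
        self.access = {}    # access_token  -> (grant_id, expires_at)
        self.refresh = {}   # refresh_token -> (grant_id, already_used)
        self.revoked = set()  # grant ids killed after refresh-token reuse

    def _issue(self, grant_id, now):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (grant_id, now + ACCESS_TTL)
        self.refresh[rt] = (grant_id, False)
        return at, rt

    def authorize(self, now):
        """Complete a new user authorization and return (access, refresh)."""
        return self._issue(secrets.token_hex(8), now)

    def check_access(self, token, now):
        """A token from years ago fails here regardless of whether it was ever leaked."""
        entry = self.access.get(token)
        if entry is None:
            return False
        grant_id, expires_at = entry
        return now < expires_at and grant_id not in self.revoked

    def refresh_tokens(self, rt, now):
        """Rotate. Presenting an already-consumed refresh token revokes the grant."""
        entry = self.refresh.get(rt)
        if entry is None:
            return None
        grant_id, used = entry
        if used or grant_id in self.revoked:
            self.revoked.add(grant_id)   # replay detected: both holders lose access
            return None
        self.refresh[rt] = (grant_id, True)
        return self._issue(grant_id, now)

def pkce_ok(code_verifier, code_challenge):
    """RFC 7636 S256 check: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == code_challenge
```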
Beyond OAuth and credential management, we used this moment to strengthen several foundational layers of our security stack:
Data Protection:
Expanded encryption-in-transit coverage across internal load balancers
Enabled and enforced encryption for message queues across environments
Hardened storage policies to prevent overly permissive access
Network Security:
Implemented geo-restrictions at our Web Application Firewall, API Gateways, and content delivery networks
Restricted access to cloud resources to only essential personnel and services
Monitoring and Detection:
Enhanced audit logging to capture more detailed security events
Improved alerting capabilities to detect and respond to threats faster
In parallel, we broadened our security review beyond the scope of this advisory and made additional hardening improvements across the platform.
From Remediation to Long-Term Hardening
Beyond immediate remediation, we’re executing a comprehensive security roadmap that raises standards across our entire platform. This work focuses on structural improvements that reduce risk across product, infrastructure, and operations.
1. Product Security: Completing CASA Tier 3 assessment, meeting ASVS level 2 standards, embedding security earlier in development, and increasing security gates to proactively detect and address flaws before production.
2. DevSecOps: Working toward SLSA level 3 for software supply chain security, hardening cloud configurations, enhancing secrets management in pipelines, and reducing credential lifespans across the board.
3. Enterprise Security: Reviewing and updating our overall security strategy, increasing training frequency, enhancing privileged access controls, and refining vulnerability management processes.
4. Operations: Strengthening zero trust architecture, increasing real-time monitoring capabilities, enhancing detection systems, and increasing the frequency and rigor of incident response testing.
What This Means Going Forward
Gainsight data is secure. Based on the investigation and available telemetry, we found no evidence of compromise of Gainsight systems or customer data exfiltration from our environments. Salesforce detected and contained the suspicious OAuth token activity on their side.
The systemic issue has been addressed. We have revoked legacy tokens, implemented frequent rotation and additional protections, and the pattern observed here would now be blocked or materially limited.
The platform is materially stronger today. We accelerated security enhancements across our roadmap, and that work was validated by independent third-party experts who investigate compromised systems for a living.
The Response and the Road Ahead
The investigation has concluded, and the priority security hardening work is substantially complete. Salesforce has reconnected our integration, and we are now focused on restoration and ensuring every customer is fully operational.
Some advisories have a tangible root cause, like a phishing email or a misconfigured server. This one did not. It combined a systemic issue around token longevity with a historical event that fell outside our forensic visibility. What we can say definitively is that the systemic issue is fixed, the platform is secure, and it is significantly hardened.
Throughout this process, we have prioritized transparency, sharing indicators of compromise, holding frequent office hours, and publishing findings as quickly as we responsibly could. That commitment continues, and I hope this article provides clarity on both the incident and our response.
– Prem Parameswaran, CTO, Gainsight