Update on Gainsight Ancillary Application Environments Security Investigation
Investigation Overview
As of December 7, 2025, CrowdStrike has completed its investigation into Gainsight application environments for Skilljar by Gainsight, Staircase AI by Gainsight, Customer Communities, Product Experience, and Northpass, (“Gainsight ancillary application environments”), following a security incident affecting the Gainsight Customer Success platform. This investigation was initiated after Salesforce notified Gainsight of suspicious token usage on November 21, 2025.
What Happened
On November 21, 2025, Salesforce alerted Gainsight to suspicious activity involving customer tokens in the Salesforce platform by an unauthorized third party. This activity was associated with Gainsight’s Customer Success application environment. Gainsight engaged Mandiant to investigate the Gainsight Customer Success environment, while CrowdStrike was separately retained to assess other Gainsight application environments including Skilljar by Gainsight, Staircase AI by Gainsight, Customer Communities, Product Experience, and Northpass.
Key Findings
CrowdStrike’s comprehensive investigation of the Gainsight ancillary application environments concluded on December 4, 2025, which determined:
- A comprehensive review of Indicators of Compromise (IOCs) provided by the Gainsight Customer Success environment investigation showed no connections from any known threat actor IP addresses to any of the Gainsight ancillary application environments.
- CrowdStrike performed an in-depth review of logs from all cloud service platforms in use for the Gainsight ancillary application environments (AWS, Microsoft Cloud, and Google Cloud) and found no activity consistent with unauthorized access, such as privilege escalations, suspicious resource provisioning, or other anomalous behaviors.
- CrowdStrike confirmed that all cloud service platforms (AWS, Microsoft Cloud, and Google Cloud), used for the Gainsight ancillary application environments are separate from the Gainsight Customer Success environment, and do not share an identity provider.
- CrowdStrike confirmed that all code management environments (GitHub and BitBucket) for Gainsight ancillary application environments are separate from the Gainsight Customer Success GitHub environment and do not share an identity provider.
- The only technical connection from Gainsight Customer Success to any Gainsight ancillary application environment identified was an existing, asynchronous, read-only data retrieval job from the Gainsight Customer Success application environment to a Skilljar S3 bucket. CrowdStrike validated that the access keys associated with this job were strictly configured for read-only access, preventing any lateral movement.
Response and Remediation Activities
Although the investigation confirmed that the Gainsight ancillary application environments were not compromised, we took several proactive and preventative measures to enhance our security posture, which were validated by CrowdStrike:
- GitHub Hardening: On November 24, 2025, we immediately revoked all Personal Access Tokens (PATs) in the Skilljar GitHub environment and set future PATs to expire automatically.
- Credential Rotation: On December 1, 2025, we rotated the credentials for the AWS IAM users that were shared for the read-only data job between Gainsight Customer Success and Skilljar.
- Security Review: CrowdStrike verified the read-only permissions for the API access keys and scanned the connected S3 bucket for secrets, confirming no secrets were exposed.
Based on the CrowdStrike investigation, the findings support that the Gainsight ancillary application environments were not impacted by the activity identified in the Gainsight Customer Success environment.
