Issue
Information regarding the latest Salesforce Gainsight breach, which partially impacted Sentry.
Applies To
- All organizations
Resolution
Q: Was Sentry affected by the Gainsight Connected App Incident?
A: A compromised OAuth token was used to make unauthorized API calls to our Salesforce environment; however, those API calls did not result in access to or exfiltration of any of our customers’ personal information or service data (i.e., data processed by the Sentry app).
Please read below for more details.
Summary:
On November 21, 2025, Sentry was alerted to unauthorized access involving a Gainsight application deployed within our Salesforce environment. Our investigation confirms that no customer personal information or service data was accessed or exfiltrated.
What Happened:
On November 21, 2025, we received security notifications from Salesforce and Gainsight regarding suspicious activity involving a Gainsight application deployed in Sentry’s Salesforce environment. An OAuth token associated with that application was compromised and used to make unauthorized API calls to our Salesforce instance.
Although Sentry’s contract with Gainsight ended on August 15, 2025, and Sentry data stored by Gainsight was deleted shortly thereafter, the corresponding application was not deactivated in our Salesforce environment, which left us vulnerable to this incident.
Upon receiving this notification, Sentry’s Security team immediately initiated an investigation.
Salesforce had already proactively deactivated the application on November 20, 2025, upon discovering the suspicious activity.
What We Found:
Review of Salesforce audit logs provided by Salesforce Support revealed several unauthorized queries to a single Salesforce user account on October 23, 2025. These queries were limited in scope and accessed only internal Salesforce metadata and a small number of employee-related fields (e.g., user role, title, name, email).
Our investigation confirmed:
- No customer personal information or service data was accessed or exfiltrated.
- No lateral movement or broader system access occurred (i.e., Sentry’s service itself was not affected by this incident).
- Only limited Sentry employee Salesforce account data was queried.
As a precautionary measure, the Salesforce user account involved was deactivated on November 25, 2025.
What We Are Doing:
We have completed a full review of all available logs, validated that no customer impact occurred, and are improving our internal processes to ensure deprecated integrations are fully removed from all connected systems upon contract termination. We are also enhancing our monitoring and access controls across all third-party applications. In addition, we are taking the opportunity to reinforce phishing training and awareness for our employees.
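One way to catch the gap described above, an integration that stays connected after its contract ends, is to compare API activity per connected app against an offboarding inventory. This is an added example, not Sentry's or Salesforce's code: the CSV column names, the app names other than Gainsight, the user names and the sample rows are constructed assumptions, and only the August 15 and October 23 dates come from this page.

```python
import csv
import io
from datetime import date, datetime

# Constructed inventory: connected app -> date its vendor contract ended
# (None = contract still active). "ExampleCRM-Sync" is a hypothetical name.
CONTRACT_END = {
    "Gainsight": date(2025, 8, 15),
    "ExampleCRM-Sync": None,
}

# Constructed API-usage export. The column names are assumptions for this
# example, not a Salesforce log schema; times and user names are made up.
SAMPLE_EVENTS = """timestamp,connected_app,user,operation
2025-08-01T09:12:00,Gainsight,integration.user,query
2025-10-23T03:41:10,Gainsight,integration.user,query
2025-10-23T03:41:55,Gainsight,integration.user,query
2025-10-23T08:00:00,ExampleCRM-Sync,sync.user,query
2025-11-02T10:00:00,UnknownApp,someone,query
"""


def find_stale_app_activity(events_csv, contract_end):
    """Return API calls made by apps that are offboarded or not inventoried."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        app = row["connected_app"]
        day = datetime.fromisoformat(row["timestamp"]).date()
        if app not in contract_end:
            reason = "app not in inventory"
        elif contract_end[app] is not None and day > contract_end[app]:
            days = (day - contract_end[app]).days
            reason = f"API call {days} days after contract end"
        else:
            continue  # activity while the contract was still in force
        findings.append((row["timestamp"], app, row["user"], reason))
    return findings


def apps_to_deactivate(findings):
    """Collapse findings to the apps whose access should be revoked and reviewed."""
    return sorted({app for _, app, _, _ in findings})


if __name__ == "__main__":
    for finding in find_stale_app_activity(SAMPLE_EVENTS, CONTRACT_END):
        print(*finding, sep=" | ")
```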