Salesforce has disclosed yet another security incident involving unauthorized access to customer data through compromised third-party applications, this time implicating Gainsight-published apps connected to its platform through OAuth integrations.
Salesforce said it detected unusual activity involving Gainsight applications that integrate with its customer relationship management platform. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues,” a Salesforce spokesperson told CSO.
The company emphasized that the issue does not stem from its platform. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the spokesperson added. “The activity appears to be related to the app’s external connection to Salesforce.”
Gainsight engages Mandiant for forensic investigation
Gainsight confirmed the incident in status page updates, stating it has engaged Mandiant, a cybersecurity firm owned by Google Cloud, to assist in a comprehensive forensic investigation.
“Our current findings indicate that the activity under investigation originated from the applications’ external connection — not from any issue or vulnerability within the Salesforce platform,” the company said in a Thursday update.
The customer success software vendor acknowledged that access to Gainsight via Salesforce remains unavailable. As a precautionary measure, Gainsight also disclosed that its Zendesk connector access has been revoked, and its app has been temporarily pulled from the HubSpot Marketplace.
Google threat intelligence ties attack to ShinyHunters
The disclosure marks the latest chapter in an escalating pattern of attacks targeting OAuth tokens of trusted third-party SaaS integrations with Salesforce. According to Austin Larsen, principal threat analyst at Google Threat Intelligence Group, the campaign is tied to threat actors associated with ShinyHunters. This notorious extortion group has repeatedly targeted the Salesforce ecosystem in recent months.
“Our team at Google Threat Intelligence Group has observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances,” Larsen said in a LinkedIn post. “Salesforce and Mandiant are actively notifying potentially affected organizations.”
Larsen noted the incident mirrors the recent campaign targeting Salesloft Drift, where adversaries exploited OAuth tokens of legitimate SaaS integrations to bypass traditional security controls.
According to DataBreaches.net, ShinyHunters has confirmed involvement in the Gainsight campaign and claims the combined Salesloft and Gainsight campaigns affected almost 1,000 organizations, with victims including Verizon, GitLab, F5, and SonicWall.
However, neither Salesforce nor Gainsight attributed this incident to ShinyHunters.
August breach enabled a cascading attack
The technical connection between the current incident and the August breach became clearer through analysis from Nudge Security, a SaaS security platform. According to Nudge Security’s security alert, ShinyHunters obtained Gainsight OAuth tokens through secrets stolen from Salesloft/Drift support case data. Using those compromised tokens, the attackers allegedly issued refresh tokens for up to 285 Salesforce instances linked to Gainsight.
The Salesloft Drift breach in August exposed approximately 760 companies to data theft, with attackers stealing OAuth tokens and using them to access Salesforce instances across hundreds of organizations. Victims included major enterprises such as Google, Cloudflare, Qantas, Cisco, and TransUnion. Gainsight itself was among the victims of that earlier campaign.
Supply chain risks in SaaS integrations
Gainsight, a customer success platform widely deployed among enterprise Salesforce customers, provides tools that integrate directly with Salesforce to sync customer data and automate engagement workflows. These integrations typically require OAuth access to account information, contact records, opportunity data, and usage metrics for health scoring and retention analytics.
The incident underscores the growing risk posed by the supply chain of SaaS integrations, where a single compromised vendor can serve as a gateway into dozens of downstream environments.
For CISOs and security teams, Larsen emphasized the need for immediate action beyond just the Gainsight incident. “All organizations should view this as a signal to audit their SaaS environments,” he said, recommending that security teams regularly review all third-party applications connected to Salesforce instances, investigate and revoke tokens for unused or suspicious applications, and assume compromise if anomalous activity is detected.
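As an added illustration of the audit Larsen recommends (example code, not from Salesforce, Gainsight or this article), the following Python reviews connected-app token records, such as rows exported from a Salesforce OauthToken query, and flags tokens an administrator should investigate or revoke: apps not on the organization's allowlist, tokens unused for a long period, and freshly issued tokens that immediately generate a burst of API calls. The record field names, the sample rows and the allowlist are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the result of a query such as
#   SELECT AppName, LastUsedDate, CreatedDate, UseCount, User.Username FROM OauthToken
# Field names are assumed for illustration; values are invented, not real data.
NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"AppName": "Gainsight", "LastUsedDate": "2025-11-20T08:15:00Z",
     "CreatedDate": "2024-02-01T00:00:00Z", "UseCount": 9120,
     "Username": "integration@example.com"},
    # Approved app, but a token minted hours ago that is already hammering the API.
    {"AppName": "Gainsight", "LastUsedDate": "2025-11-20T03:02:00Z",
     "CreatedDate": "2025-11-19T23:58:00Z", "UseCount": 440,
     "Username": "integration@example.com"},
    {"AppName": "Legacy Reporting Tool", "LastUsedDate": "2025-03-02T10:00:00Z",
     "CreatedDate": "2023-06-01T00:00:00Z", "UseCount": 12,
     "Username": "jdoe@example.com"},
    {"AppName": "Unknown Data Sync", "LastUsedDate": "2025-11-18T00:00:00Z",
     "CreatedDate": "2025-11-17T00:00:00Z", "UseCount": 3000,
     "Username": "jdoe@example.com"},
]
ALLOWED_APPS = {"Gainsight", "Slack"}  # assumed list of approved connected apps


def parse(ts):
    """Parse the ISO-8601 UTC timestamps the sample rows use."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_tokens(tokens, now=NOW, allowed=ALLOWED_APPS,
                 stale_days=90, min_age_hours=24, burst_rate=100.0):
    """Return (app, user, reasons) for every token that deserves review or revocation."""
    findings = []
    for t in tokens:
        reasons = []
        created, last_used = parse(t["CreatedDate"]), parse(t["LastUsedDate"])
        if t["AppName"] not in allowed:
            reasons.append("app not on allowlist")
        if now - last_used > timedelta(days=stale_days):
            reasons.append(f"unused for >{stale_days} days")
        # A token younger than min_age_hours averaging more than burst_rate calls
        # per hour looks like a freshly issued token being driven by a script.
        age_hours = (last_used - created).total_seconds() / 3600
        if age_hours < min_age_hours and t["UseCount"] / max(age_hours, 1e-9) > burst_rate:
            reasons.append("new token with burst of API calls")
        if reasons:
            findings.append((t["AppName"], t["Username"], reasons))
    return findings
```

Flagged tokens are then revoked through the Salesforce Setup connected-app controls; the script only produces the review list.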
The attacks prove effective because OAuth tokens operate beneath traditional authentication layers, according to Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “OAuth token compromise is one of the most dangerous attack vectors in the modern SaaS ecosystem because it abuses trust rather than breaking through defences,” Gogia said. “Once an attacker acquires a token, they gain the ability to impersonate a legitimate app or user at the API layer, where most enterprises have the least monitoring coverage.”
Most OAuth tokens are long-lived, often without expiration, and carry broader permissions than administrators realize, Gogia noted. “Because these tokens function as infrastructure rather than monitored user accounts, compromises enable silent, high-value data exfiltration over extended periods. The attacks don’t behave like typical intrusions but rather operate with inherited legitimacy, making them particularly difficult to detect.”
This incident follows a series of Salesforce-related security events throughout 2025, including an AI agent vulnerability in September that could be exploited through prompt injection attacks, and configuration risks discovered in Salesforce Industry Cloud that could expose encrypted customer information. In October, ShinyHunters launched a dedicated data leak site attempting to extort Salesforce and its customers with stolen data from earlier campaigns.