{"id":5902,"date":"2025-11-21T12:42:16","date_gmt":"2025-11-21T12:42:16","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5902"},"modified":"2025-11-21T12:42:16","modified_gmt":"2025-11-21T12:42:16","slug":"oauth-token-compromise-hits-salesforce-ecosystem-again-gainsight-impacted","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5902","title":{"rendered":"OAuth token compromise hits Salesforce ecosystem again, Gainsight impacted"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Salesforce has disclosed yet another security incident involving unauthorized access to customer data through compromised third-party applications, this time implicating Gainsight-published apps connected to its platform through OAuth integrations.<\/p>\n<p>Salesforce said it detected unusual activity involving Gainsight applications that integrate with its customer relationship management platform. \u201cUpon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues,\u201d a Salesforce spokesperson told CSO.<\/p>\n<p>The company emphasized that the issue does not stem from its platform. \u201cThere is no indication that this issue resulted from any vulnerability in the Salesforce platform,\u201d the spokesperson added. 
\u201cThe activity appears to be related to the app\u2019s external connection to Salesforce.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Gainsight engages Mandiant for forensic investigation<\/h2>\n<p>Gainsight confirmed the incident in <a href=\"https:\/\/status.gainsight.com\/\" target=\"_blank\" rel=\"noopener\">status page updates<\/a>, stating it has engaged Mandiant, a cybersecurity firm owned by Google Cloud, to assist in a comprehensive forensic investigation.<\/p>\n<p>\u201cOur current findings indicate that the activity under investigation originated from the applications\u2019 external connection \u2014 not from any issue or vulnerability within the Salesforce platform,\u201d the company said in a Thursday update.<\/p>\n<p>The customer success software vendor acknowledged that access to Gainsight via Salesforce remains unavailable. Gainsight also disclosed that, as a precautionary measure, its Zendesk connector access has been revoked and its app has been temporarily pulled from the HubSpot Marketplace.<\/p>\n<h2 class=\"wp-block-heading\">Google Threat Intelligence ties attack to ShinyHunters<\/h2>\n<p>The disclosure marks the latest chapter in an escalating pattern of attacks targeting OAuth tokens of trusted third-party SaaS integrations with Salesforce. According to Austin Larsen, principal threat analyst at Google Threat Intelligence Group, the campaign is tied to threat actors associated with ShinyHunters, an extortion group that has repeatedly targeted the Salesforce ecosystem in recent months.<\/p>\n<p>\u201cOur team at Google Threat Intelligence Group has observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances,\u201d Larsen said in a <a href=\"https:\/\/www.linkedin.com\/posts\/austinlarsen_we-are-monitoring-an-emerging-campaign-targeting-activity-7266130819987574784-9hKE\" target=\"_blank\" rel=\"noopener\">LinkedIn post<\/a>. 
\u201cSalesforce and Mandiant are actively notifying potentially affected organizations.\u201d<\/p>\n<p>Larsen noted the incident mirrors the <a href=\"https:\/\/www.csoonline.com\/article\/4042191\/shinyhunters-strike-again-workday-breach-tied-to-salesforce-targeted-social-engineering-wave.html\">recent campaign targeting Salesloft Drift<\/a>, where adversaries exploited OAuth tokens of legitimate SaaS integrations to bypass traditional security controls.<\/p>\n<p>According to DataBreaches.net, ShinyHunters has <a href=\"https:\/\/databreaches.net\/2025\/11\/20\/threat-actors-have-reportedly-launched-yet-another-campaign-involving-an-application-connected-to-salesforce\/\" target=\"_blank\" rel=\"noopener\">confirmed<\/a> involvement in the Gainsight campaign and claims the combined Salesloft and Gainsight campaigns affected almost 1,000 organizations, with victims including Verizon, GitLab, F5, and SonicWall.<\/p>\n<p>However, neither Salesforce nor Gainsight attributed this incident to ShinyHunters.<\/p>\n<h2 class=\"wp-block-heading\">August breach enabled a cascading attack<\/h2>\n<p>The technical connection between the current incident and the August breach became clearer through analysis from Nudge Security, a SaaS security platform. According to <a href=\"https:\/\/www.nudgesecurity.com\/post\/suspected-compromise-of-gainsight-connected-salesforce-instances-via-oauth-tokens\" target=\"_blank\" rel=\"noopener\">Nudge Security\u2019s security alert<\/a>, ShinyHunters obtained Gainsight OAuth tokens through secrets stolen from Salesloft\/Drift support case data. Using those compromised tokens, the attackers allegedly issued refresh tokens for up to 285 Salesforce instances linked to Gainsight.<\/p>\n<p>The Salesloft Drift breach in August exposed approximately 760 companies to data theft, with attackers stealing OAuth tokens and using them to access Salesforce instances across hundreds of organizations. 
Victims included major enterprises such as Google, Cloudflare, Qantas, Cisco, and TransUnion. Gainsight itself was among the victims of that earlier campaign.<\/p>\n<h2 class=\"wp-block-heading\">Supply chain risks in SaaS integrations<\/h2>\n<p>Gainsight, a customer success platform widely deployed among enterprise Salesforce customers, provides tools that integrate directly with Salesforce to sync customer data and automate engagement workflows. These integrations typically require OAuth access to account information, contact records, opportunity data, and usage metrics for health scoring and retention analytics.<\/p>\n<p>The incident underscores the growing risk posed by the supply chain of SaaS integrations, where a single compromised vendor can serve as a gateway into hundreds of downstream environments: 285 Gainsight-linked instances in this case, and roughly 760 companies in the Salesloft Drift campaign before it.<\/p>\n<p>For CISOs and security teams, Larsen emphasized the need for immediate action beyond just the Gainsight incident. \u201cAll organizations should view this as a signal to audit their SaaS environments,\u201d he said, recommending that security teams regularly review all third-party applications connected to Salesforce instances, investigate and revoke tokens for unused or suspicious applications, and assume compromise if anomalous activity is detected. On Salesforce that review starts at the Connected Apps OAuth Usage page in Setup, where an app can be blocked and its tokens revoked for every user; the same inventory is available to scripts through the OauthToken object.<\/p>\n<p>The attacks prove effective because a valid token is accepted directly at the API layer, beneath the interactive login controls that guard user sessions, according to Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. \u201cOAuth token compromise is one of the most dangerous attack vectors in the modern SaaS ecosystem because it abuses trust rather than breaking through defences,\u201d Gogia said. \u201cOnce an attacker acquires a token, they gain the ability to impersonate a legitimate app or user at the API layer, where most enterprises have the least monitoring coverage.\u201d<\/p>\n<p>Most OAuth tokens are long-lived, often without expiration, and carry broader permissions than administrators realize, Gogia noted. 
\u201cBecause these tokens function as infrastructure rather than monitored user accounts, compromises enable silent, high-value data exfiltration over extended periods. The attacks don\u2019t behave like typical intrusions but rather operate with inherited legitimacy, making them particularly difficult to detect.\u201d<\/p>\n<p>This incident follows a series of Salesforce-related security events throughout 2025, including an <a href=\"https:\/\/www.csoonline.com\/article\/4063044\/vulnerability-in-salesforce-ai-could-be-tricked-into-leaking-crm-data.html\">AI agent vulnerability in September<\/a> that could be exploited through prompt injection attacks, and <a href=\"https:\/\/www.csoonline.com\/article\/4006341\/salesforce-industry-cloud-riddled-with-configuration-risks.html\">configuration risks discovered in Salesforce Industry Cloud<\/a> that could expose encrypted customer information. In October, ShinyHunters <a href=\"https:\/\/www.csoonline.com\/article\/4067846\/extortion-gang-opens-data-leak-site-to-squeeze-victims-of-its-salesforce-attacks.html\">launched a dedicated data leak site<\/a> attempting to extort Salesforce and its customers with stolen data from earlier campaigns.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Salesforce has disclosed yet another security incident involving unauthorized access to customer data through compromised third-party applications, this time implicating Gainsight-published apps connected to its platform through OAuth integrations. Salesforce said it detected unusual activity involving Gainsight applications that integrate with its customer relationship management platform. 
\u201cUpon detecting the activity, Salesforce revoked all active access [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5903,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5902"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5902"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5902\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5903"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
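The cascade described in the August breach section (vendor secrets and refresh tokens stolen once, then used to reach every Salesforce instance that had authorized the app) and the audit Larsen recommends in the supply chain section are easier to reason about in running code. The block below is an added example, not code from the article, Salesforce, Gainsight, Nudge Security or Google; the `AuthServer` class, the tenant and app names, the two-hour access-token lifetime, the 90-day idle threshold and the allowlist are all constructed stand-ins for a real authorization server and for the records an admin would pull from a platform's connected-app inventory.

```python
# Added example, not code from the article, Salesforce, Gainsight or Nudge Security.
# AuthServer, tenant names, token lifetimes and the allowlist are constructed stand-ins.
import hmac
import secrets
from types import SimpleNamespace

DAY = 86400

class AuthServer:
    def __init__(self):
        self.client_secrets = {}  # app_id -> client_secret, held by the vendor
        self.grants = {}          # refresh_token -> grant record
        self.access_tokens = {}   # access_token -> (tenant, app_id, expires_at)

    def register_app(self, app_id):
        self.client_secrets[app_id] = secrets.token_urlsafe(32)
        return self.client_secrets[app_id]

    def authorize(self, tenant, app_id, now):
        """Authorization-code flow already done: hand the app a long-lived refresh token."""
        refresh_token = secrets.token_urlsafe(32)
        self.grants[refresh_token] = SimpleNamespace(tenant=tenant, app_id=app_id,
                                                     last_used=now, revoked=False)
        return refresh_token

    def refresh(self, app_id, client_secret, refresh_token, now, ttl=2 * 3600):
        """refresh_token grant: only bearer secrets are checked, no user, no MFA."""
        if not hmac.compare_digest(self.client_secrets.get(app_id, ''), client_secret):
            raise PermissionError('invalid_client')
        grant = self.grants.get(refresh_token)
        if grant is None or grant.revoked or grant.app_id != app_id:
            raise PermissionError('invalid_grant')
        grant.last_used = now
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = (grant.tenant, app_id, now + ttl)
        return access_token

    def api_call(self, access_token, now):
        entry = self.access_tokens.get(access_token)  # (tenant, app_id, expires_at)
        if entry is None or entry[2] <= now:
            raise PermissionError('invalid_session')
        return entry[0]

    def revoke_app(self, app_id):
        """Platform response: kill refresh AND access tokens for one app."""
        live = [g for g in self.grants.values() if g.app_id == app_id and not g.revoked]
        for grant in live:
            grant.revoked = True
        self.access_tokens = {k: v for k, v in self.access_tokens.items() if v[1] != app_id}
        return len(live)

def audit_grants(server, now, allowlist, max_idle_days=90):
    """Flag live grants for apps not on the allowlist, or unused for too long."""
    findings = []
    for g in server.grants.values():
        if g.revoked:
            continue
        idle_days = int((now - g.last_used) // DAY)
        if g.app_id not in allowlist:
            findings.append((g.tenant, g.app_id, 'not_allowlisted'))
        elif idle_days > max_idle_days:
            findings.append((g.tenant, g.app_id, 'idle_%dd' % idle_days))
    return findings

def _fails(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def cascade_demo(now=1_700_000_000.0):
    """Vendor compromise: the attacker holds the app's client secret and refresh tokens."""
    srv = AuthServer()
    secret = srv.register_app('vendor-app')
    tenants = ['acme', 'globex', 'initech']
    stolen = {t: srv.authorize(t, 'vendor-app', now) for t in tenants}
    # 1. Every tenant that authorized the app is reachable, with no user involved.
    first = {t: srv.refresh('vendor-app', secret, stolen[t], now) for t in tenants}
    reached = sorted(srv.api_call(first[t], now) for t in tenants)
    # 2. Three days on, the access tokens have expired but the refresh tokens have not.
    later = now + 3 * DAY
    access_expired = all(_fails(srv.api_call, first[t], later) for t in tenants)
    refresh_alive = srv.api_call(srv.refresh('vendor-app', secret, stolen['acme'], later), later)
    # 3. Revoking the app's grants is what actually cuts the attacker off.
    revoked = srv.revoke_app('vendor-app')
    cut_off = _fails(srv.refresh, 'vendor-app', secret, stolen['acme'], later)
    return reached, access_expired, refresh_alive, revoked, cut_off

def audit_demo(now=1_700_000_000.0):
    """Constructed inventory: one healthy grant, one stale grant, one unapproved app."""
    srv = AuthServer()
    for app, last_used in (('crm-sync', now - DAY), ('old-reporting', now - 200 * DAY),
                           ('unknown-tool', now)):
        srv.register_app(app)
        srv.authorize('acme', app, last_used)
    return sorted(audit_grants(srv, now, allowlist={'crm-sync', 'old-reporting'}))
```

Note what changes and what does not in `cascade_demo`: the access tokens expire after two hours, which buys nothing against an attacker who holds the refresh tokens and the client secret, because the refresh grant checks only those bearer secrets and never a user, a password or an MFA prompt. Only `revoke_app` stops the minting, which is why the response that matters is revoking refresh tokens and not just access tokens. On a real platform the input to `audit_grants` is the connected-app token inventory (on Salesforce, the Connected Apps OAuth Usage page, or the OauthToken object queried with SOQL), with the same two questions per grant: is this app one we approved, and has it been used recently?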