Salesforce has issued a critical security alert after detecting unusual activity involving Gainsight-published applications connected to customer environments. The CRM giant's investigation indicates that attackers used OAuth tokens and related credentials issued to those applications to gain unauthorized access to Salesforce data through the apps' external connections.
Immediate Response by Salesforce
To contain the threat, Salesforce:
- Revoked all active access and refresh tokens linked to affected Gainsight apps.
- Temporarily removed Gainsight apps from AppExchange.
Salesforce stressed that the incident does not stem from a vulnerability in its core platform. The attackers instead abused the trust relationship that a connected app's OAuth grant represents between Salesforce and a third-party integration, a growing concern in SaaS ecosystems.
How the Attack Happened
The breach relied on compromised OAuth tokens. An OAuth token lets an app act on a user's behalf without ever holding the user's password, so a stolen token is simply presented in place of a login and sidesteps password and MFA checks entirely. This mirrors the August 2025 Salesloft Drift campaign, in which attackers used stolen tokens to access CRM-layer data such as:
- Business contacts
- Case logs
- Customer records
Gainsight had already acknowledged exposure in the Salesloft Drift incident, and has said that secrets stolen in that breach are the likely root cause of this new attack.
The Perfect Attack Chain
Threat actors combined:
- Stolen OAuth tokens
- Over-permissioned applications
This created what researchers called a "perfect attack chain": because the tokens were already trusted by Salesforce, the attackers never had to cross a traditional perimeter defense. Security researchers have linked this campaign to ShinyHunters (UNC6040), a group notorious for targeting SaaS ecosystems using:
- Social engineering
- Pivoting from one compromised vendor to another
Supply Chain Blast Radius
From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a "blast radius" event, where one compromised vendor becomes a gateway into dozens of downstream environments. In modern SaaS ecosystems, risk does not travel linearly; it fans out, so a single point of failure at one vendor can expose every customer that trusts that vendor's integration.
What Organizations Should Do
If you use Gainsight integrations, assume your current connections are compromised until they have been revoked and re-authenticated. Immediate steps:
- Audit all connected apps in your Salesforce instance: which apps hold active OAuth grants, which users authorized them, and when each token was last used.
- Remove integrations you no longer need, and restrict the rest to the narrowest API scopes they actually require.
- Revoke the existing OAuth grants for affected apps and re-authorize only the integrations you keep; do not wait for tokens to expire on their own.
- Treat any token with broad scopes (for example, full API access paired with a refresh token) as high-risk.
- Harden the approval process for new integrations so that a convincing request cannot get an app authorized without review; this is where social engineering gets its foothold.
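The steps above are a triage procedure, and it helps to see them as one. The script below is an added example written for this article, not code from Salesforce, Gainsight or Black Kite. It works offline on an inventory of OAuth grants that is constructed inline (all identifiers are made up), flags grants from the publisher named in the advisory for revocation, flags broad-scope and dormant grants for review, and emits the REST calls that would revoke the former. The object and field names (OauthToken.Id, AppName, UserId, LastUsedDate, UseCount), the publisher and scope fields, and the idea that deleting an OauthToken record revokes the grant are assumptions to verify against your org's API version before you run anything live.

```python
"""Triage OAuth grants to connected apps after a vendor token compromise.

Added example for this article, not code from Salesforce, Gainsight or Black
Kite. Runs offline on an inventory constructed inline below; in practice you
would build the same records from an export such as
    SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
joined with each app's publisher and approved OAuth scopes. Object and field
names, and the revocation path, are assumptions to verify before use.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that give an app wide, durable reach. "full" implies every other
# scope; "refresh_token"/"offline_access" let a stolen grant renew itself
# with no user present, which is what made the Drift tokens so useful.
BROAD_SCOPES = frozenset({"full", "api", "refresh_token", "offline_access"})

# Publisher named in the advisory (assumption: publisher is a plain string).
COMPROMISED_PUBLISHERS = frozenset({"Gainsight"})

SEVERITY_RANK = {"revoke": 2, "review": 1}


@dataclass(frozen=True)
class OAuthGrant:
    token_id: str            # OauthToken.Id (assumed field)
    app_name: str            # OauthToken.AppName (assumed field)
    publisher: str           # connected-app publisher (assumed field)
    user_id: str             # OauthToken.UserId (assumed field)
    scopes: frozenset[str]   # OAuth scopes approved for the app
    last_used: datetime      # OauthToken.LastUsedDate (assumed field)
    use_count: int           # OauthToken.UseCount (assumed field)


@dataclass
class Finding:
    grant: OAuthGrant
    severity: str            # "revoke" or "review"
    reasons: list[str]


def triage(grants, now, stale_days=90):
    """Return one Finding per grant that needs action, worst first."""
    findings = []
    for g in grants:
        severity = None
        reasons = []

        def flag(level, why):
            nonlocal severity
            reasons.append(why)
            if severity is None or SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
                severity = level

        compromised = g.publisher in COMPROMISED_PUBLISHERS
        if compromised:
            flag("revoke", f"published by {g.publisher}: assume compromised until re-authenticated")
        broad = g.scopes & BROAD_SCOPES
        if broad:
            # Broad scope on a compromised publisher's app is the stolen-token
            # plus over-permissioned-app chain the article describes.
            flag("revoke" if compromised else "review",
                 "broad scopes: " + ", ".join(sorted(broad)))
        if now - g.last_used > timedelta(days=stale_days):
            flag("review", f"not used in {stale_days}+ days: a dormant grant is pure attack surface")
        if severity:
            findings.append(Finding(g, severity, reasons))
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.grant.app_name))
    return findings


def revocation_plan(findings, api_version="v62.0"):
    """REST calls that revoke every grant marked "revoke".

    Assumption: deleting the OauthToken record revokes that grant."""
    return [("DELETE", f"/services/data/{api_version}/sobjects/OauthToken/{f.grant.token_id}")
            for f in findings if f.severity == "revoke"]


NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)

# Constructed sample inventory; every identifier here is made up.
SAMPLE_GRANTS = [
    OAuthGrant("0Ka000000000001", "Gainsight CS", "Gainsight", "005000000000001",
               frozenset({"api", "refresh_token"}), NOW - timedelta(days=1), 4120),
    OAuthGrant("0Ka000000000002", "Legacy Reporting Sync", "In-house", "005000000000002",
               frozenset({"full", "refresh_token"}), NOW - timedelta(days=200), 8),
    OAuthGrant("0Ka000000000003", "Calendar Widget", "ExampleVendor", "005000000000003",
               frozenset({"openid", "email"}), NOW - timedelta(days=3), 55),
]

if __name__ == "__main__":
    found = triage(SAMPLE_GRANTS, NOW)
    for f in found:
        print(f"[{f.severity.upper()}] {f.grant.app_name} ({f.grant.token_id})")
        for why in f.reasons:
            print("   -", why)
    for method, path in revocation_plan(found):
        print(method, path)
```

On the constructed inventory the Gainsight grant comes out as "revoke" (compromised publisher plus api and refresh_token scopes), the in-house reporting sync as "review" (full scope and 200 days idle), and the narrowly scoped calendar widget is left alone. The point of the ordering is that a stolen token only matters in proportion to what the app behind it was allowed to do, which is why scope review belongs in the same pass as revocation.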
Expert Insight
Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite, said:
“This wasn’t a breach of Salesforce’s core platform. Attackers linked to ShinyHunters exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments.”
He added:
“Gainsight had already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access CRM-layer data across many organizations.”