Salesforce has issued a critical security alert identifying “unusual activity” involving Gainsight-published applications connected to customer environments.
The CRM giant’s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications’ external connections.
In an immediate response to contain the threat, Salesforce has revoked all active access and refresh tokens associated with the affected Gainsight apps and temporarily removed them from the AppExchange.
Salesforce explicitly stated that this incident does not stem from a vulnerability within the Salesforce platform itself. Instead, it exploits the trust relationship between the platform and third-party integrations.
The attack leverages compromised OAuth tokens and digital keys that allow apps to access data without sharing user credentials.
This mirrors the tactics used in the August 2025 campaign involving Salesloft Drift, in which attackers used stolen OAuth tokens to bypass authentication and access CRM-layer data, such as business contacts and case logs, across hundreds of organizations.
Gainsight had previously acknowledged its exposure to the Salesloft Drift incident, confirming that stolen secrets from that breach were the likely root cause. Now, threat actors appear to be replaying the same playbook: combining stolen OAuth tokens with over-permissioned applications to create a “perfect attack chain” that bypasses traditional perimeter defenses.
Security researchers have linked this campaign to ShinyHunters (also tracked as UNC6040), a threat group notorious for targeting SaaS ecosystems. This group typically employs social engineering to trick users into approving malicious apps or, as seen here, pivots from one compromised vendor to another.
From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a “supply-chain blast radius” event, where a single compromised vendor serves as a gateway into dozens of downstream environments.
Risk in modern SaaS ecosystems no longer travels linearly; it fans out, creating exponential exposure from a single point of failure.
Organizations using Gainsight integrations must assume their current connections are compromised until re-authenticated. Teams should immediately audit every connected app in their Salesforce instance, removing or restricting any integration that does not require wide API access.
It is critical to rotate vendor OAuth tokens immediately and treat any token with broad permissions as high-risk. Furthermore, security teams should harden their approval processes for new integrations, as threat actors have previously used social engineering to get malicious apps approved.
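The audit described above, as an added example that is not code from the article, Salesforce or Gainsight: it triages an export of connected-app OAuth grants by compromised publisher, broad scope and staleness. The record fields and the sample grants are constructed for this example, not a Salesforce schema.

```python
"""Triage Salesforce connected-app OAuth grants after a vendor compromise.
Added example; not code from the article, Salesforce or Gainsight. Records are
assumed to come from an export of connected-app grants; the field names below
are constructed for this example and are not a Salesforce object schema.
"""
from dataclasses import dataclass
from datetime import date

# Scopes that let an app read or write across the org rather than one resource;
# a stolen token carrying any of these is the "over-permissioned" case above.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access", "web"}
TODAY = date(2025, 11, 20)  # constructed reference date for the sample

@dataclass
class Grant:
    app_name: str
    publisher: str
    scopes: set[str]
    last_used: date

def triage(grant: Grant, compromised: set[str], today: date, stale_days: int = 90) -> tuple[str, str]:
    """Return (action, reason). A compromised publisher is revoked regardless of
    scope; then broad scopes force rotation; then stale grants are removed."""
    if grant.publisher.lower() in {p.lower() for p in compromised}:
        return "revoke", f"publisher {grant.publisher} is on the compromised-vendor list"
    broad = grant.scopes & BROAD_SCOPES
    if broad:
        return "rotate", "broad scopes granted: " + ", ".join(sorted(broad))
    idle = (today - grant.last_used).days
    if idle > stale_days:
        return "remove", f"unused for {idle} days"
    return "keep", "narrow scopes, recently used"

def triage_all(grants, compromised, today):
    return {g.app_name: triage(g, compromised, today) for g in grants}

# Constructed sample export; app names, publishers and dates are illustrative.
SAMPLE_GRANTS = [
    Grant("Gainsight Connector", "Gainsight", {"api", "refresh_token"}, date(2025, 11, 18)),
    Grant("Billing Sync", "Acme Finance", {"full"}, date(2025, 11, 19)),
    Grant("Legacy Survey Tool", "Example Surveys", {"chatter_api"}, date(2025, 6, 1)),
    Grant("Email Signature", "Example Inc", {"id", "profile"}, date(2025, 11, 15)),
]

def run_sample():
    return triage_all(SAMPLE_GRANTS, {"Gainsight"}, TODAY)

if __name__ == "__main__":
    for app, (action, reason) in run_sample().items():
        print(f"{action:7} {app:22} {reason}")
```

Feed it the real export and the vendor list from your incident notice; the "rotate" bucket is the set of broad-scope grants the article tells you to treat as high-risk.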
Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, told cybersecuritynews.com that “this wasn’t a breach of Salesforce’s core platform. Instead, attackers linked to ShinyHunters (ScatteredSpider Lapsu$ Hunters) exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments. And there’s an important pattern here”.
“Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, mostly business contact info and some Salesforce case text, had been accessed”.
