Salesforce said it is investigating suspicious activity that may have allowed unauthorized access to customer environments using connected applications published by a software company called Gainsight, according to a security advisory Salesforce posted Wednesday evening.
Salesforce said the app connection may have allowed hackers to gain access to certain customers’ Salesforce data.
In response, Salesforce has “revoked all active and refresh tokens” linked to the Gainsight-published applications that are connected to Salesforce. In addition, the company has temporarily removed the applications from its AppExchange marketplace.
Researchers at Google Threat Intelligence Group said they have observed hackers linked to ShinyHunters compromising OAuth tokens to potentially gain unauthorized access to Salesforce customer instances.
“Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations,” Austin Larsen, principal threat analyst at GTIG, said in a LinkedIn post. “We saw this recently with the campaign targeting Salesloft Drift, and we are seeing it again now.”
During the Salesloft Drift campaign, hackers targeted hundreds of organizations using the AI-based application to harvest credentials for potential follow-on attacks.
Salesforce and Mandiant, the incident response unit of GTIG, are notifying organizations that may have been impacted by the current threat campaign.
Gainsight said in a customer support post that it was working with Salesforce to investigate the issues that led to the tokens being revoked.
Salesforce said there is no indication the Gainsight activity is related to a vulnerability in the Salesforce platform.
GTIG researchers said security teams should audit their SaaS environments and review OAuth tokens for unused or suspicious applications. If any unusual activity is found, security teams should immediately rotate credentials.
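One way to carry out the token review GTIG recommends, as an added example that is not part of the original article or of any Salesforce or Gainsight tooling: an audit pass over connected-app token records that flags tokens issued to a publisher under investigation, to apps outside an approved list, or that have gone unused. The records are constructed sample data shaped like the fields of Salesforce's OauthToken object (AppName, LastUsedDate, UseCount, UserId); in a live org they would come from a SOQL query, and the approved and watchlist app names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample token records, not data from any real org.
SAMPLE_TOKENS = [
    {"Id": "0DH000000000001", "AppName": "Gainsight Connector",
     "LastUsedDate": "2025-11-19T02:14:00Z", "UseCount": 4812, "UserId": "005000000000001"},
    {"Id": "0DH000000000002", "AppName": "Sales Reporting Internal",
     "LastUsedDate": "2025-11-18T09:30:00Z", "UseCount": 120, "UserId": "005000000000002"},
    {"Id": "0DH000000000003", "AppName": "Sales Reporting Internal",
     "LastUsedDate": "2025-06-01T11:00:00Z", "UseCount": 3, "UserId": "005000000000003"},
    {"Id": "0DH000000000004", "AppName": "Unknown Sync Tool",
     "LastUsedDate": "2025-11-19T23:59:00Z", "UseCount": 900, "UserId": "005000000000002"},
    {"Id": "0DH000000000005", "AppName": "Data Loader",
     "LastUsedDate": None, "UseCount": 0, "UserId": "005000000000004"},
]

# Assumed lists: apps the org has approved, and publishers currently under investigation.
APPROVED_APPS = {"Gainsight Connector", "Sales Reporting Internal", "Data Loader"}
WATCHLIST_APPS = {"Gainsight Connector"}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 Zulu timestamp format used in the sample records."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_tokens(tokens, approved, watchlist, now=NOW, stale_days=90):
    """Return one finding per token that should be revoked and reviewed, with reasons."""
    findings = []
    for tok in tokens:
        reasons = []
        app = tok["AppName"]
        if app in watchlist:
            reasons.append("publisher under investigation: revoke and rotate credentials")
        if app not in approved:
            reasons.append("app not on the approved connected-app list")
        last_used = parse_ts(tok["LastUsedDate"])
        if last_used is None:
            reasons.append("token never used")
        elif now - last_used > timedelta(days=stale_days):
            reasons.append(f"token unused for more than {stale_days} days")
        if reasons:
            findings.append({"Id": tok["Id"], "AppName": app,
                             "UserId": tok["UserId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, APPROVED_APPS, WATCHLIST_APPS):
        print(f["Id"], f["AppName"], f["UserId"], "; ".join(f["reasons"]))
```

Only the recently used, approved, non-watchlisted token passes; everything else is reported with the reason a reviewer needs to decide on revocation.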
Representatives of Gainsight and Salesforce were unavailable for comment.
