Salesforce confirms 200+ orgs impacted by another third-party breach, this time via Gainsight

In an advisory published early yesterday morning, Salesforce said it had revoked the access and refresh tokens linked to Gainsight-published applications while it investigates data theft and attacks that could affect hundreds of customers.

The company stressed that the incident does not stem from a vulnerability in the Salesforce platform itself: all the evidence points to malicious activity through the Gainsight application's external connection to Salesforce, that is, the tokens the app is issued to reach customer data, rather than a flaw in the platform.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.

“Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues,” Salesforce said in a Thursday morning advisory.

During the August 2025 Salesloft breach, "Scattered Lapsus$ Hunters" used stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to pull sensitive data from the Salesforce instances of 760 companies, a theft that amounted to some 1.5 billion Salesforce records.

On Thursday, ShinyHunters told Bleeping Computer that they had gained access to 285 Salesforce instances after breaching Gainsight using data stolen in the Salesloft Drift breach.

Gainsight has not said how the access tokens tied to its customers' Salesforce orgs were compromised, but it previously acknowledged that it was itself one of the Salesloft Drift customers hit in the earlier attacks.

Gainsight has published an update and FAQ page for affected customers, and Salesforce has notified all impacted customers of the incident.

John Carberry, Solution Sleuth, Xcape, Inc. had this to say:

   “Salesforce’s confirmation that over 200 organizations were exposed through misconfigured Gainsight apps is another sobering reminder that your biggest danger in the SaaS world is frequently someone else’s integration.

   “This incident demonstrates how long the tail of a supply-chain vulnerability can be. It builds immediately on the previous Salesloft/Drift breach, in which attackers allegedly stole OAuth tokens and are now utilizing that access to pivot into 285 Salesforce instances.

   “Technically, Salesforce did the right thing by removing all Gainsight-related tokens and removing the apps from the AppExchange, but for customers, this highlights an unsettling reality. Even if the core platform isn’t vulnerable, over-privileged third-party apps can still gain access to your CRM crown jewels.

   “This incident makes it abundantly evident that, even in cases when a core platform is secure, the broad permissions given to integrated applications that appear to be harmless continue to be the weakest link in the cloud ecosystem.

   “Moving forward, companies must handle linked apps as high-risk identities. Inventory them, give them the least privilege required, keep an eye on their activity, and be prepared to quickly revoke trust when anomalous behavior is detected. Attackers will have easy access to your client data if you don’t regularly examine your SaaS integrations and tighten OAuth scopes.

   “In 2025, the real zero day isn’t in your CRM; it’s in the third-party app you forgot was connected to it.”

Lydia Zhang, President & Co-Founder, Ridge Security Technology Inc. followed up with this:

   “It’s clear that once attackers succeed in a large-scale breach, it becomes progressively easier for them to leverage the compromised data and tokens to achieve additional attacks.

   “The message for defenders is that patching the initially ‘broken’ door isn’t enough; you must thoroughly inspect every part of your environment to ensure the attackers cannot reuse access from a prior breach to open new doors.”

Denis Calderone, CRO & COO, Suzu Labs adds this:

   “We’ve been warning clients about this scenario for years, that the SaaS integration trust chain is almost always longer and more complex than anyone realizes.

   “This is like a Russian nesting doll: Salesloft gets breached, which exposes Gainsight, which compromises 200+ Salesforce customers. You might know you’re using Gainsight, but do you know Gainsight integrates with Salesloft? That visibility gap is where these cascading breaches live.

   “Organizations should focus heavily on OAuth hygiene and conditional access policies. Organizations need to continuously monitor OAuth token usage for abnormalities: unusual data volumes, unexpected geographic access, dormant tokens suddenly going active. When something doesn’t look right, automatically revoke refresh tokens. Don’t wait for vendor disclosure. If a token that’s been quiet for months suddenly pulls gigabytes of data, that’s your signal.

   “And here’s the simple part: if you see a dormant OAuth token that hasn’t been used in 60 or 90 days, just revoke it. This will limit your blast radius with minimal impact on user experience.”
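Both pieces of advice above (Carberry's "inventory them, keep an eye on their activity, revoke quickly" and Calderone's three signals: dormant tokens suddenly active, unusual data volumes, unexpected geography, plus the 60/90-day revocation rule) reduce to a small piece of detection logic that can run over your own connected-app activity records. The Python below is an added example, not code from the original post, from Salesforce, or from any of the vendors quoted. The event records are constructed for the example, and the field names (token_id, app, ts, rows, country) and thresholds are assumptions that do not follow Salesforce's own event-log schema; you would map your tenant's export into this shape and tune the thresholds.

```python
"""
Connected-app OAuth token anomaly detection (added example).

Flags, per token:
  dormant_reactivated  - a gap of DORMANT_DAYS or more between two uses
  volume_spike         - rows pulled > VOLUME_FACTOR x the token's median baseline
  new_country          - a source country never seen for that token before
  dormant              - no use at all in the last DORMANT_DAYS (revoke proactively)
Field names and sample data are constructed for this example, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

DORMANT_DAYS = 60          # assumed: the "60 or 90 days" rule from the quote above
VOLUME_FACTOR = 10         # assumed: rows vs. per-token median baseline
BASELINE_MIN_EVENTS = 3    # assumed: need this many prior calls before judging volume


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp like 2025-11-19T03:12:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: one record per API call made with a connected-app token.
# (token_id, app, ts, rows_returned, source_country)
SAMPLE_EVENTS = [
    ("tok-gainsight-1", "Gainsight", "2025-05-01T09:00:00Z", 200, "US"),
    ("tok-gainsight-1", "Gainsight", "2025-05-02T09:00:00Z", 180, "US"),
    ("tok-gainsight-1", "Gainsight", "2025-05-03T09:00:00Z", 220, "US"),
    # months of silence, then a bulk pull from a country never seen for this token
    ("tok-gainsight-1", "Gainsight", "2025-11-19T03:12:00Z", 950000, "NL"),
    ("tok-gainsight-2", "Gainsight", "2025-11-17T10:00:00Z", 150, "US"),
    ("tok-gainsight-2", "Gainsight", "2025-11-18T10:00:00Z", 160, "US"),
    ("tok-gainsight-2", "Gainsight", "2025-11-19T10:00:00Z", 140, "US"),
    # a forgotten integration that has simply gone quiet
    ("tok-old-bi-3", "BI tool", "2025-07-01T12:00:00Z", 50, "US"),
]
NOW = parse_ts("2025-11-20T00:00:00Z")   # assumed "current time" for the sample


def analyze(events, now):
    """Return {token_id: [finding, ...]} for every token with at least one finding."""
    by_token = defaultdict(list)
    for token_id, app, ts, rows, country in events:
        by_token[token_id].append((parse_ts(ts), app, rows, country))

    findings = {}
    for token_id, evs in by_token.items():
        evs.sort(key=lambda e: e[0])          # chronological order per token
        hits = []
        for i, (ts, _app, rows, country) in enumerate(evs):
            prior = evs[:i]
            if not prior:
                continue
            gap = ts - prior[-1][0]
            if gap >= timedelta(days=DORMANT_DAYS):
                hits.append(f"dormant_reactivated: silent {gap.days}d then used {ts.date()}")
            if len(prior) >= BASELINE_MIN_EVENTS:
                baseline = median([e[2] for e in prior])
                if rows > VOLUME_FACTOR * baseline:
                    hits.append(f"volume_spike: {rows} rows vs baseline {baseline:.0f}")
            seen_countries = {e[3] for e in prior}
            if country not in seen_countries:
                hits.append(f"new_country: {country} (previously {sorted(seen_countries)})")
        idle = now - evs[-1][0]
        if idle >= timedelta(days=DORMANT_DAYS):
            hits.append(f"dormant: unused for {idle.days}d")
        if hits:
            findings[token_id] = hits
    return findings


def revoke_list(findings):
    """Tokens to revoke: any anomaly is enough, per the 'don't wait for the vendor' advice."""
    return sorted(findings)


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS, NOW)
    for token_id, hits in result.items():
        print(token_id)
        for h in hits:
            print("   ", h)
    print("revoke:", revoke_list(result))
```

Run against the sample, tok-gainsight-1 trips all three behavioural signals at once (long silence, then a huge pull from a new country), tok-old-bi-3 is flagged only for being idle past the cutoff, and tok-gainsight-2, which is used daily at a steady volume from its usual country, is left alone. The revocation itself is deliberately not in the script: that is done through your Salesforce admin tooling or API, and the value here is deciding, from your own records, which tokens should be cut before a vendor tells you.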

Supply chain attacks are becoming as damaging as ransomware, with organizations falling victim to them left, right and centre. This reinforces that organizations need to act to mitigate the threat right now.

Discover more from The IT Nerd