Salesforce has alerted its customers to a critical security incident involving unusual activity detected within Gainsight-published applications integrated with its platform. The company stated that this activity may have led to unauthorized access to certain customers’ Salesforce data through these connected applications. This development underscores the growing risks associated with third-party SaaS integrations and adds to concerns about Salesforce data breaches.
The cloud giant has taken immediate action, revoking all active access and refresh tokens associated with the affected Gainsight applications. Furthermore, these applications have been temporarily removed from the Salesforce AppExchange as the investigation into the incident continues. Salesforce confirmed that impacted customers have been notified, though the exact number of affected organizations was not disclosed.
Salesforce Data Breach Investigation Focuses on Gainsight Integrations
Salesforce emphasized that this security event does not appear to stem from any vulnerabilities within its own platform. Instead, the company indicated that the unauthorized access was facilitated through the external connection of the Gainsight application. This suggests a targeted attack exploiting the trust placed in third-party integrations.
As a precautionary measure, Gainsight has also temporarily removed its application from the HubSpot Marketplace. Gainsight acknowledged that this action might affect OAuth access for customer connections while its review is underway. However, it reported no suspicious activity related to its HubSpot integrations at this time.
The scope of the breach is being actively investigated, with cybersecurity experts linking the activity to threat actors associated with the ShinyHunters group, also known as UNC6240. This aligns with previous reports of similar attacks targeting Salesloft and Drift instances earlier in August. Threat intelligence indicates these campaigns are part of an emerging trend of exploiting trusted third-party SaaS platforms.
Implications for SaaS Security and Data Protection
According to reports citing ShinyHunters, the group has claimed responsibility for both the Salesloft and Gainsight attacks, asserting that the combined operations allowed them to exfiltrate data from nearly 1,000 organizations. Notably, Gainsight itself was reportedly a customer of Salesloft and affected by the previous incident, raising questions about whether that prior breach played a role in the current incident.
Past attacks targeting Salesloft were reported to have compromised business contact details, including names, business email addresses, phone numbers, regional information, product licensing details, and support case content. While attachments were not mentioned as compromised in those previous incidents, the potential for sensitive information to be accessed remains a significant concern.
These ongoing security incidents highlight a critical trend: adversaries are increasingly targeting OAuth tokens for trusted third-party SaaS integrations. This strategy bypasses traditional security perimeters by leveraging existing, sometimes overly permissive, access granted to integrated applications. The interconnected nature of modern business software, while offering efficiency, also presents a larger attack surface.
In response to these findings and to mitigate further risk, organizations are strongly advised to conduct a thorough review of all third-party applications connected to their Salesforce instances. This includes revoking access tokens for any applications that are unused, appear suspicious, or have not undergone recent security audits. Rotating credentials for integrations where anomalies are detected is also a crucial step in defending against emerging threats that target SaaS integrations and in preventing further Salesforce data breaches.
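One way to carry out the review described above, as an added example (not Salesforce's or Gainsight's tooling): the script triages an inventory of connected-app token grants against the criteria named in the paragraph. The CSV columns, app names, allow list, thresholds and the treatment of the `full` scope as over-permissive are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names are assumptions, not a Salesforce export format.
INVENTORY_CSV = """app_name,user,last_used,scopes,last_audit
Acme CS Sync,integration@example.com,2025-11-10,api refresh_token,2025-06-01
Acme CS Sync,admin@example.com,2025-03-02,full refresh_token,2025-06-01
Old Survey Tool,ops@example.com,2024-12-15,api,2023-01-20
Unknown Exporter,jdoe@example.com,2025-11-18,full refresh_token,
"""

APPROVED_APPS = {"Acme CS Sync", "Old Survey Tool"}  # hypothetical allow list
BROAD_SCOPES = {"full"}  # scope treated as over-permissive in this example


def triage(csv_text, today, max_idle_days=90, max_audit_age_days=365):
    """Return {(app, user): [reasons]} for grants that should be reviewed or revoked."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        # "Unused": the token has not been exercised within the idle window.
        idle = (today - date.fromisoformat(row["last_used"])).days
        if idle > max_idle_days:
            reasons.append(f"unused for {idle} days")
        # "Suspicious" is approximated as: unknown app, or broader scope than needed.
        if row["app_name"] not in APPROVED_APPS:
            reasons.append("app not on approved list")
        if BROAD_SCOPES & set(row["scopes"].split()):
            reasons.append("broad scope granted")
        # "No recent security audit": missing or stale audit date.
        if not row["last_audit"]:
            reasons.append("no security audit on record")
        elif (today - date.fromisoformat(row["last_audit"])).days > max_audit_age_days:
            reasons.append("security audit out of date")
        if reasons:
            findings[(row["app_name"], row["user"])] = reasons
    return findings


if __name__ == "__main__":
    for (app, user), reasons in triage(INVENTORY_CSV, date(2025, 11, 21)).items():
        print(f"{app} / {user}: {'; '.join(reasons)}")
```

Grants that come back with any reason are candidates for token revocation or credential rotation; the healthy, recently used, narrowly scoped grant is not reported.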
The next steps in this evolving situation depend on the outcomes of Salesforce’s and Gainsight’s ongoing investigations. A clearer understanding of the full extent of the data accessed, the specific vulnerabilities exploited, and the confirmed number of affected customers will be critical. Organizations should remain vigilant for any further advisories or updates from both Salesforce and Gainsight regarding remediation measures and enhanced security recommendations for third-party application integrations.

