{"id":8624,"date":"2025-11-21T10:03:39","date_gmt":"2025-11-21T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/21\/salesforce-confirms-that-customers-data-was-accessed-following-the-gainsight-breach\/"},"modified":"2025-11-21T10:03:39","modified_gmt":"2025-11-21T10:03:39","slug":"salesforce-confirms-that-customers-data-was-accessed-following-the-gainsight-breach","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/21\/salesforce-confirms-that-customers-data-was-accessed-following-the-gainsight-breach\/","title":{"rendered":"Salesforce Confirms that Customers\u2019 Data Was Accessed Following the Gainsight Breach"},"content":{"rendered":"<div>\n<p>Salesforce has issued a critical security alert identifying \u201cunusual activity\u201d involving Gainsight-published applications connected to customer environments.<\/p>\n<p>The CRM giant\u2019s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications\u2019 external connections.<\/p>\n<p>In an immediate response to contain the threat, Salesforce has revoked all active access and refresh tokens associated with the affected Gainsight apps and temporarily removed them from the AppExchange.<\/p>\n<p>Salesforce explicitly <a href=\"https:\/\/status.salesforce.com\/generalmessages\/20000233\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">stated<\/a> that this incident does not stem from a vulnerability within the Salesforce platform itself. 
Instead, it exploits the trust relationship between the platform and third-party integrations.<\/p>\n<p>The attack leverages compromised OAuth tokens and digital keys that allow apps to access data without sharing user credentials.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-salesforce-gainsight-breach\"><strong>Salesforce Gainsight Breach<\/strong><\/h2>\n<p>This mirrors the tactics used in the <a href=\"https:\/\/cybersecuritynews.com\/salesloft-drift-data-breaches\/\" target=\"_blank\" rel=\"noreferrer noopener\">August 2025 campaign<\/a> involving Salesloft Drift, in which attackers used stolen OAuth tokens to bypass authentication and access CRM-layer data, such as business contacts and case logs, across hundreds of organizations.<\/p>\n<p>Gainsight had previously acknowledged its exposure to the Salesloft Drift incident, confirming that stolen secrets from that breach were the likely root cause. Now, threat actors appear to be replaying the same playbook: combining stolen OAuth tokens with over-permissioned applications to create a \u201cperfect attack chain\u201d that bypasses traditional perimeter defenses.<\/p>\n<p>Security researchers have linked this campaign to <a href=\"https:\/\/cybersecuritynews.com\/shinyhunters-possibly-collaborates-with-scattered-spider\/\">ShinyHunters<\/a> (also tracked as UNC6040), a threat group notorious for targeting SaaS ecosystems. 
This group typically employs social engineering to trick users into approving malicious apps or, as seen here, pivots from one compromised vendor to another.<\/p>\n<p>From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a \u201csupply-chain blast radius\u201d event, where a single compromised vendor serves as a gateway into dozens of downstream environments.<\/p>\n<p>Risk in modern SaaS ecosystems no longer travels linearly; it fans out, creating exponential exposure from a single point of failure.<\/p>\n<p>Organizations using Gainsight integrations must assume their current connections are compromised until re-authenticated. Teams should immediately audit every connected app in their Salesforce instance, removing or restricting any integration that does not require wide API access.<\/p>\n<p>It is critical to rotate vendor <a href=\"https:\/\/cybersecuritynews.com\/salesloft-drift-hacked\/\" target=\"_blank\" rel=\"noreferrer noopener\">OAuth tokens<\/a> immediately and treat any token with broad permissions as high-risk. Furthermore, security teams should harden their approval processes for new integrations, as threat actors have previously used <a href=\"https:\/\/cybersecuritynews.com\/social-engineering\/\" target=\"_blank\" rel=\"noreferrer noopener\">social engineering<\/a> to get malicious apps approved.<\/p>\n<p>Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, said to cybersecuritynews.com that \u201cthis wasn\u2019t a breach of Salesforce\u2019s core platform. Instead, attackers linked to ShinyHunters (ScatteredSpider Lapsu$ Hunters) exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments. 
And there\u2019s an important pattern here\u201d.<\/p>\n<p>\u201cGainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, mostly business contact info and some Salesforce case text, had been accessed\u201d.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/salesforce-gainsight-breach\/\">Salesforce Confirms that Customers\u2019 Data Was Accessed Following the Gainsight Breach<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Salesforce has issued a critical security alert identifying \u201cunusual activity\u201d involving Gainsight-published applications connected to customer environments. The CRM giant\u2019s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications\u2019 external connections. 
In an immediate response to contain [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,156],"tags":[130],"class_list":["post-8624","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-data-breach","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8624"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8624"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8624\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}