
Third-Party Breach Hits Salesforce via Gainsight App Integrations, Impacting Over 200 Organizations

Salesforce has confirmed another third-party breach affecting Gainsight applications integrated with customer instances, enabling attackers to exfiltrate customer data.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers,” the company stated.

According to Google Threat Intelligence Group (GTIG), the attack has affected more than 200 organizations. Over 1,000 organizations, including some high-profile technology heavyweights, have Gainsight Salesforce integrations, potentially putting their downstream customers at risk of exploitation.

The attack also mirrors the Salesloft Drift OAuth hack, which impacted over 700 organizations, including the internet search giant. Ironically, Gainsight was also among the impacted organizations in the Salesloft data breach.

ShinyHunters strikes again in another Salesforce third-party breach

Google, itself impacted in the previous Salesloft third-party breach, has attributed the Gainsight third-party breach to the same cybercrime gang responsible for breaching Salesloft Drift integrations: ShinyHunters, also tracked as UNC6240. The cybercrime gang claimed to have stolen over 1.5 billion records via the third-party breach.

Previously, the UNC6040 cluster used voice phishing and social engineering to trick employees into authorizing a rogue OAuth application mimicking Salesforce’s Data Loader application, then used that access to exfiltrate data, compromising Google and dozens of other organizations in a parallel third-party breach.

Meanwhile, the exact nature of the stolen information, the number of affected individuals, and the attack vector exploited were not immediately available at the time of publication. As in the previous data breach, the company stressed that the third-party breach did not originate from any Salesforce product vulnerabilities.

“There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce,” the company said.

Instead, threat actors have devised ingenious ways to compromise third-party integrations to breach the technology giant without exploiting software vulnerabilities.

“Salesforce’s confirmation that over 200 organizations were exposed through misconfigured Gainsight apps is another sobering reminder that your biggest danger in the SaaS world is frequently someone else’s integration,” said John Carberry, Solution Sleuth, Xcape. “This incident demonstrates how long the tail of a supply-chain vulnerability can be. It builds immediately on the previous Salesloft/Drift breach, in which attackers allegedly stole OAuth tokens and are now utilizing that access to pivot into 285 Salesforce instances.”

Salesforce revokes Gainsight access tokens after third-party breach

After detecting the breach, Salesforce revoked the impacted access tokens used to integrate the Gainsight applications with customer instances. The company also launched an investigation, which determined that the attacker had exfiltrated customer data from Salesforce environments.

Gainsight detected the data breach after experiencing connection problems, most likely the result of Salesforce revoking the integration access tokens that had been used to compromise customer instances.

“Technically, Salesforce did the right thing by removing all Gainsight-related tokens and removing the apps from the AppExchange, but for customers, this highlights an unsettling reality. Even if the core platform isn’t vulnerable, over-privileged third-party apps can still gain access to your CRM crown jewels,” added Carberry. “This incident makes it abundantly evident that, even in cases when a core platform is secure, the broad permissions given to integrated applications that appear to be harmless continue to be the weakest link in the cloud ecosystem.”

“Moving forward, companies must handle linked apps as high-risk identities. Inventory them, give them the least privilege required, keep an eye on their activity, and be prepared to quickly revoke trust when anomalous behavior is detected. Attackers will have easy access to your client data if you don’t regularly examine your SaaS integrations and tighten OAuth scopes,” advised Carberry.
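Carberry's four steps (inventory, least privilege, monitoring, revocation) as a small audit routine over a connected-app grant inventory. This is an added example, not code from the article, Salesforce, or Gainsight; the app names, scope strings, dates, and call volumes are constructed for illustration, and the grant records would in practice be exported from the platform's connected-app inventory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed least-privilege policy: the only scopes each integration should hold.
# App names and scope strings are illustrative assumptions, not real grants.
ALLOWED_SCOPES = {
    "cs-sync-connector": frozenset({"api", "refresh_token"}),
    "chat-widget": frozenset({"chatter_api"}),
}

@dataclass
class AppGrant:
    app: str
    scopes: frozenset
    last_used: datetime
    use_count_7d: int  # API calls made with this token in the last 7 days
    baseline_7d: int   # typical weekly call volume previously observed for the app

def audit_grants(grants, allowed, now, stale_days=30, spike_factor=5.0):
    """(app, finding, detail) for over-scoped, unused, or suddenly busy grants."""
    findings = []
    for g in grants:
        extra = g.scopes - allowed.get(g.app, frozenset())  # unknown apps allow nothing
        if extra:
            findings.append((g.app, "over-privileged", sorted(extra)))
        idle_days = (now - g.last_used).days
        if idle_days > stale_days:
            findings.append((g.app, "stale", f"unused for {idle_days} days"))
        # A large jump over the app's own baseline is the signal a stolen token gives
        if g.baseline_7d and g.use_count_7d >= spike_factor * g.baseline_7d:
            findings.append((g.app, "usage-spike", f"{g.use_count_7d} calls vs baseline {g.baseline_7d}"))
    return findings

def revoke_candidates(findings):
    """Revoke pending review: any usage spike, or broad access that nobody is using."""
    kinds_by_app = {}
    for app, kind, _ in findings:
        kinds_by_app.setdefault(app, set()).add(kind)
    return sorted(app for app, kinds in kinds_by_app.items()
                  if "usage-spike" in kinds or {"over-privileged", "stale"} <= kinds)

# Constructed inventory snapshot, shaped like an export of connected-app grants.
NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    AppGrant("cs-sync-connector", frozenset({"api", "refresh_token", "full"}), NOW - timedelta(days=1), 9000, 1200),
    AppGrant("chat-widget", frozenset({"chatter_api"}), NOW - timedelta(days=2), 300, 280),
    AppGrant("legacy-exporter", frozenset({"full", "web"}), NOW - timedelta(days=120), 0, 0),
]
```

Running `audit_grants(SAMPLE_GRANTS, ALLOWED_SCOPES, NOW)` flags the connector for holding `full` beyond its policy and for a call-volume spike, flags the dormant exporter as both over-privileged and stale, and leaves the chat widget untouched.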

Gainsight confirms data breach, apps also “temporarily” removed from HubSpot

Gainsight has acknowledged the breach and issued an advisory to impacted customers. It also promised to work with Salesforce to address the issue and restore access to customer environments.

“We continue to work closely with Salesforce as they investigate the unusual activity that led to the revocation of access tokens for Gainsight-published applications,” it explained.

Although no suspicious activity has been detected in the HubSpot environment, Gainsight applications have also been temporarily pulled from the HubSpot marketplace as a precautionary measure.

“No suspicious activity related to Hubspot has been observed at this point. These are precautionary steps only,” the company stated.

“This incident highlights the rise of a new ‘shadow data’ risk in SaaS ecosystems,” said Ron Reiter, CTO, Sentra. “OAuth tokens often inherit broad permissions from connected apps, and when those tokens are compromised, attackers gain legitimate visibility into sensitive data across multiple tenants.”

“The problem isn’t just stolen credentials; it’s a lack of data-centric oversight. Organizations need continuous visibility into which integrations can access what data, and whether those privileges remain appropriate over time. Without that context, even trusted connectors can become the weakest link in an otherwise secure environment,” noted Reiter.