Salesforce Investigates Data Breach Linked to Gainsight App
- John Jordan

Salesforce has alerted its customers to a potential data breach involving Gainsight-published applications. The company detected unusual activity that may have led to unauthorized access to customer data through these third-party integrations. As a precautionary measure, Salesforce has revoked all associated access tokens and temporarily removed the affected applications from its AppExchange.
Key Takeaways
- Salesforce is investigating unauthorized data access potentially linked to Gainsight applications.
- All active and refresh tokens for Gainsight-published apps connected to Salesforce have been revoked.
- The affected Gainsight applications have been temporarily removed from the Salesforce AppExchange.
- The incident is believed to be related to compromised OAuth tokens, potentially by the ShinyHunters group.
- No vulnerability within the Salesforce platform itself is indicated.
Unauthorized Access Through Third-Party Integration
Salesforce has identified "unusual activity" involving Gainsight-published applications connected to its platform. In a security advisory, the company stated that this activity "may have enabled unauthorized access to certain customers' Salesforce data through the app's connection." Salesforce has taken immediate action by revoking all active access and refresh tokens associated with these Gainsight applications and has temporarily removed them from the AppExchange while the investigation continues.
Suspected Threat Actor and Attack Vector
Researchers from Google Threat Intelligence Group (GTIG) have linked this activity to threat actors associated with the ShinyHunters group (also known as UNC6240). This mirrors a similar campaign targeting Salesloft Drift instances earlier in August. The attack vector appears to involve the compromise of third-party OAuth tokens, which grant applications access to user data. ShinyHunters has reportedly claimed responsibility for both the Salesloft and Gainsight campaigns, stating that data from nearly 1,000 organizations may have been compromised across both incidents.
Salesforce Platform Integrity and Customer Notification
Salesforce has emphasized that there is no indication that this incident resulted from any vulnerability within the Salesforce platform itself. The issue is believed to stem from the external connection of the Gainsight app to Salesforce. The company has stated that it is notifying all affected customers and advises organizations to review all third-party applications connected to their Salesforce instances, revoke tokens for unused or suspicious applications, and rotate credentials if anomalies are detected.
Broader Implications and Recommendations
This incident marks another third-party breach affecting Salesforce customers this year, following the earlier Salesloft Drift attack. Experts highlight that threat actors are increasingly targeting OAuth tokens of trusted third-party SaaS integrations. Organizations are urged to audit their SaaS environments, regularly review third-party application connections, and implement robust security practices to mitigate risks associated with the software supply chain.






