
Security Alert for Unusual Activity in Gainsight Apps

Salesforce has issued a warning about detecting “unusual activity” related to apps published by Gainsight and connected to its platform. The company’s investigation suggests that this activity may have allowed unauthorized access to data of certain Salesforce customers through the third-party application connection.

In response to the incident, Salesforce has taken the following containment measures:

  • Token Revocation: All active access and refresh tokens associated with Gainsight applications have been revoked.
  • Platform Removal: Gainsight apps have been temporarily removed from the AppExchange while the investigation continues.

Salesforce has notified affected customers, although it has not revealed the total number of victims. The company emphasized that “there is no indication that this issue resulted from any vulnerability in the Salesforce platform,” stating that the activity appears to be related to the “external application connection” to Salesforce.

ShinyHunters Attack and OAuth Exploitation

Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), has described the incident as an “emerging campaign” that aims to compromise third-party OAuth tokens to gain unauthorized access.

The activity has been linked to threat actors associated with the ShinyHunters group (also tracked as UNC6240). The group has claimed responsibility for the campaign and says it stole data from nearly 1,000 organizations across this wave of attacks, which covers both the Gainsight connection and the earlier Salesloft Drift incident.

Attack Context and Compromised Data

The current attack on Gainsight mirrors a series of similar attacks that affected Salesloft Drift instances in early August. Interestingly, Gainsight was one of the Salesloft Drift customers affected in the previous attack, although it is unclear if that previous breach played a role in the current incident.

In the previous Salesloft attack, attackers accessed:

  • Business contact details (names, email addresses, phone numbers).
  • Regional and location information.
  • Product license data.
  • Support case content (no attachments).

Larsen highlights that adversaries are increasingly targeting OAuth tokens from trusted third-party SaaS integrations, underscoring a growing security risk in the connected application ecosystem.

Security Recommendations

In light of this activity, organizations are encouraged to review every third-party application connected to Salesforce. The key recommended actions are:

  • Review Integrations: Evaluate all third-party applications connected to the platform.
  • Revoke Tokens: Revoke tokens from applications that are not in use or that appear suspicious.
  • Rotate Credentials: Change credentials if anomalies are detected in any integration.
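The three steps above can be driven from two Salesforce objects: OauthToken (one row per issued connected-app token, with AppName, UseCount and LastUsedDate) and LoginHistory (where connected-app logins carry LoginType "Remote Access 2.0" and a SourceIp). The script below is an added example written for this article, not code from Salesforce, Gainsight or GTIG. It embeds constructed sample rows shaped like SOQL results, triages tokens against an allowlist, a list of apps named in the advisory and a staleness threshold, flags successful connected-app logins from outside a trusted egress range, and emits the REST calls for the revocation step. The allowlist, incident-app set, trusted CIDR and API version are assumptions to replace with your own; that OauthToken supports delete() is taken from the object reference and should be confirmed against your org's API version.

```python
"""Triage Salesforce connected-app OAuth tokens and their logins.

Added example for this article; not code from Salesforce, Gainsight or GTIG.
The rows below are CONSTRUCTED to resemble SOQL results for the OauthToken
and LoginHistory objects (field names from the Salesforce object reference).
The allowlist, incident-app list and trusted CIDRs are assumptions you replace
with your own.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# SOQL to pull real rows via `sf data query --query "..."` or
# GET /services/data/vNN.0/query?q=...  (shown so the field names are explicit).
TOKEN_SOQL = ("SELECT Id, AppName, UserId, UseCount, CreatedDate, LastUsedDate "
              "FROM OauthToken")
LOGIN_SOQL = ("SELECT UserId, Application, SourceIp, LoginTime, LoginType, Status "
              "FROM LoginHistory WHERE LoginType = 'Remote Access 2.0' "
              "AND LoginTime = LAST_N_DAYS:30")

NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)   # fixed clock for repeatable output

# Constructed sample data (not real tokens, users or addresses).
TOKENS = [
    {"Id": "0Q1X00000000001", "AppName": "Gainsight", "UserId": "005A", "UseCount": 412,
     "CreatedDate": "2024-02-01T09:00:00.000+0000", "LastUsedDate": "2025-11-20T10:00:00.000+0000"},
    {"Id": "0Q1X00000000002", "AppName": "Salesforce for Outlook", "UserId": "005B", "UseCount": 88,
     "CreatedDate": "2025-06-01T09:00:00.000+0000", "LastUsedDate": "2025-11-19T08:00:00.000+0000"},
    {"Id": "0Q1X00000000003", "AppName": "Nightly ETL", "UserId": "005C", "UseCount": 10,
     "CreatedDate": "2025-01-10T09:00:00.000+0000", "LastUsedDate": "2025-05-01T02:00:00.000+0000"},
    {"Id": "0Q1X00000000004", "AppName": "Unknown Sync App", "UserId": "005A", "UseCount": 3,
     "CreatedDate": "2025-11-10T09:00:00.000+0000", "LastUsedDate": "2025-11-15T12:00:00.000+0000"},
    {"Id": "0Q1X00000000005", "AppName": "Dataloader Bulk", "UserId": "005D", "UseCount": 0,
     "CreatedDate": "2025-01-10T09:00:00.000+0000", "LastUsedDate": None},
]
LOGINS = [
    {"UserId": "005A", "Application": "Gainsight", "SourceIp": "203.0.113.7",
     "LoginTime": "2025-11-20T10:00:00.000+0000", "LoginType": "Remote Access 2.0", "Status": "Success"},
    {"UserId": "005A", "Application": "Gainsight", "SourceIp": "198.51.100.44",
     "LoginTime": "2025-11-20T11:30:00.000+0000", "LoginType": "Remote Access 2.0", "Status": "Success"},
    {"UserId": "005B", "Application": "Salesforce for Outlook", "SourceIp": "198.51.100.45",
     "LoginTime": "2025-11-19T08:00:00.000+0000", "LoginType": "Remote Access 2.0", "Status": "Failed"},
]

ALLOWLIST = {"Gainsight", "Salesforce for Outlook", "Nightly ETL", "Dataloader Bulk"}
INCIDENT_APPS = {"Gainsight"}                     # apps named in the advisory: revoke regardless
TRUSTED_CIDRS = [ip_network("203.0.113.0/24")]    # the vendor's published egress range (assumed)


def parse_sf_datetime(value):
    """Salesforce returns e.g. 2025-11-20T10:00:00.000+0000; None stays None."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z") if value else None


def triage_tokens(tokens, allowlist, incident_apps, stale_days=90, now=NOW):
    """Return {token Id: reason} for tokens that should be revoked.

    Priority: incident_app > not_allowlisted > stale. A token with no
    LastUsedDate is judged by its CreatedDate instead.
    """
    findings = {}
    for t in tokens:
        app = t["AppName"]
        last = parse_sf_datetime(t["LastUsedDate"]) or parse_sf_datetime(t["CreatedDate"])
        if app in incident_apps:
            findings[t["Id"]] = "incident_app"
        elif app not in allowlist:
            findings[t["Id"]] = "not_allowlisted"
        elif (now - last).days > stale_days:
            findings[t["Id"]] = "stale"
    return findings


def flag_oauth_logins(logins, trusted_cidrs):
    """Successful connected-app logins whose source IP is outside trusted ranges."""
    flagged = []
    for row in logins:
        if row["LoginType"] != "Remote Access 2.0" or row["Status"] != "Success":
            continue
        ip = ip_address(row["SourceIp"])
        if not any(ip in net for net in trusted_cidrs):
            flagged.append(row)
    return flagged


def revocation_requests(findings, api_version="v60.0"):
    """REST calls for the revocation step. Assumption: OauthToken supports
    delete() (per the object reference); verify against your API version."""
    return [("DELETE", f"/services/data/{api_version}/sobjects/OauthToken/{tid}", reason)
            for tid, reason in sorted(findings.items())]


if __name__ == "__main__":
    found = triage_tokens(TOKENS, ALLOWLIST, INCIDENT_APPS)
    for method, path, reason in revocation_requests(found):
        print(f"{method} {path}   # {reason}")
    for row in flag_oauth_logins(LOGINS, TRUSTED_CIDRS):
        print(f"review: {row['Application']} login for {row['UserId']} from {row['SourceIp']}")
```

On the sample data the Gainsight token is listed for revocation because the app is named in the advisory, the unknown app because it is not on the allowlist, and two tokens because they have gone unused for more than 90 days; the second Gainsight login is flagged because its source address falls outside the trusted range. Revoking a token does not rotate whatever secret the integration holds on its side, so a flagged integration still needs its credentials rotated and re-authorized after the review.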

Conclusion

The Gainsight incident highlights the inherent risk of relying on third-party integrations. Although Salesforce reports no vulnerability in its core platform, the SaaS supply chain remains a primary target for threat actors. The abuse of third-party OAuth tokens is establishing itself as a key tactic for cybercriminals seeking access to sensitive data.
