Full Report
Salesforce has warned of detected "unusual activity" related to Gainsight-published applications connected to the platform. "Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app's connection," the company said in an advisory. The cloud services firm said it has taken the step of revoking all active access and refresh
Analysis Summary
# Incident Report: Unauthorized Data Access via Compromised Third-Party OAuth Tokens
## Executive Summary
Salesforce detected "unusual activity" linked to Gainsight-published applications that connect to the platform through OAuth, and reported that this activity may have enabled unauthorized access to certain customers' Salesforce data. Threat actors suspected to be associated with the ShinyHunters group used the same vector, abuse of trusted third-party OAuth connections, against both Gainsight and the previously targeted Salesloft integrations, with nearly 1000 organizations reported compromised across the campaign. Salesforce responded by revoking all active access and refresh tokens associated with the affected applications and temporarily removing them from the AppExchange.
## Incident Details
- Discovery Date: November 21, 2025 (Date of advisory)
- Incident Date: Prior to November 21, 2025; part of an "emerging campaign."
- Affected Organization: Salesforce customers utilizing Gainsight-published applications with active OAuth connections.
- Sector: Technology / SaaS
- Geography: Not disclosed, but likely global due to Salesforce/Gainsight customer base.
## Timeline of Events
### Initial Access
- Date/Time: Not specified, but occurred as part of an ongoing campaign targeting OAuth tokens.
- Vector: Compromised third-party SaaS integrations (specifically Gainsight-published apps connected via OAuth).
- Details: Attackers leveraged existing, trusted OAuth connections between Gainsight applications and customer Salesforce instances.
### Lateral Movement
- Not applicable on the available data: the actors used the access the OAuth tokens already granted rather than moving between systems.
### Data Exfiltration/Impact
- Date/Time: Prior to detection/advisory.
- Details: Unauthorized access to certain customers' Salesforce data was achieved through the application's connection. This mirrors a previous attack where business contact details (names, business emails, phone numbers), regional/location details, product licensing information, and support case details (excluding attachments) were stolen.
### Detection & Response
- Date/Time: Detected by Salesforce, leading to the advisory on November 21, 2025.
- Details: Salesforce identified "unusual activity." Response actions included revoking all active access and refresh tokens for Gainsight-published applications and temporarily removing them from the AppExchange while investigations continued. Gainsight also pulled the app from the HubSpot Marketplace out of caution.
## Attack Methodology
- Initial Access: Exploitation of trusted third-party application authorization (OAuth tokens).
- Persistence: Not specified. A stolen refresh token lets the holder mint new access tokens without any user re-authentication, so access plausibly continued until Salesforce revoked the tokens.
- Privilege Escalation: Not explicitly detailed; the actors operated within whatever permissions the connected application and its integration user already held.
- Defense Evasion: Not specified. Requests made with a valid OAuth token arrive as ordinary API calls from a trusted app, so they blend in with legitimate integration traffic and never trigger login controls such as passwords or MFA.
- Credential Access: The OAuth access and refresh tokens are themselves the stolen credential (ATT&CK T1528, Steal Application Access Token); no theft of user passwords is reported.
- Discovery: N/A (Focus on leveraging existing access).
- Lateral Movement: N/A (Focus on data access within the authorized OAuth scope).
- Collection: Gathering business contact details, licensing info, and support case data from Salesforce instances.
- Exfiltration: Method not specified; data was retrieved through the application's authorized API connection.
- Impact: Unauthorized data access and confirmed data theft, with nearly 1000 organizations reported affected across the campaign's Gainsight and Salesloft waves.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Business contact details (names, business emails, phone numbers), regional/location details, product licensing information, and support case details (excluding attachments). Nearly 1000 organizations reported impacted across the ShinyHunters campaign waves (Salesloft and Gainsight).
- Operational: Temporary loss of functionality for customers relying on the Gainsight integration while its tokens were revoked; the Gainsight application was temporarily pulled from the AppExchange and the HubSpot Marketplace.
- Reputational: Negative impact on trust in third-party SaaS integration security.
## Indicators of Compromise
- Network indicators: N/A
- File indicators: N/A
- Behavioral indicators: "Unusual activity" attributed to Gainsight-published application connections within the Salesforce environment, i.e. use of the app's OAuth access and refresh tokens outside its normal pattern (volume, objects read, or origin).
## Response Actions
- Containment: Revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce.
- Eradication: Temporarily removing affected applications from the Salesforce AppExchange and Gainsight from the HubSpot Marketplace pending investigation.
- Recovery: Customers advised to review all third-party applications, revoke suspicious tokens, and rotate credentials.
## Lessons Learned
- Theft of OAuth tokens belonging to trusted third-party SaaS integrations is an increasingly effective attack vector, and the same actors have now used it against more than one integration (Salesloft, then Gainsight).
- Excessive permissions granted to third-party integrations, even trusted ones, are inherited in full by anyone who steals their tokens.
- The security posture of an upstream SaaS vendor directly determines the exposure of every customer tenant that trusts it: a compromise at the vendor chains into each connected Salesforce instance without touching the customer's own credentials.
## Recommendations
- Immediately inventory and audit *all* third-party applications connected to critical platforms such as Salesforce via OAuth, including which user each token runs as and when it was last used.
- Limit OAuth scopes, and the object and field permissions of the integration user, to what the integration actually needs.
- Revoke and rotate access/refresh tokens for third-party integrations on a schedule, and immediately whenever anomalous behavior is observed or the vendor reports an incident.
- Monitor API and OAuth usage logs per connected application for unexpected spikes in rows retrieved, queries against objects the integration does not normally touch, and new source IPs.
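To make the monitoring recommendation concrete, the following is an added example, not Salesforce's or Gainsight's code: it profiles each connected app's own history and flags the behavioral indicators listed above (a volume spike, an object the app never read before, a new source IP, or an app with no history at all). The log records are constructed, and their field names (`CLIENT_NAME`, `ENTITY_NAME`, `ROWS_PROCESSED`, `CLIENT_IP`) are an assumed simplification of Salesforce Event Monitoring API event fields, not the exact schema.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median


def _rec(ts, app, entity, rows, ip):
    # Field names are an assumed simplification of Salesforce Event Monitoring
    # API event fields (RestApi / ApiTotalUsage), not the exact schema.
    return {"TIMESTAMP": ts, "CLIENT_NAME": app, "ENTITY_NAME": entity,
            "ROWS_PROCESSED": rows, "CLIENT_IP": ip}


def _build_sample():
    """Constructed sample log: baseline days 18-20, observation day 21."""
    recs = []
    for day in (18, 19, 20):
        # Steady, modest sync from one egress IP (TEST-NET addresses, constructed).
        for hour in (2, 8, 14, 20):
            ts = f"2025-11-{day}T{hour:02d}:05:00Z"
            recs.append(_rec(ts, "Acme CS Sync", "Account", 180, "203.0.113.10"))
            recs.append(_rec(ts, "Acme CS Sync", "Contact", 220, "203.0.113.10"))
            recs.append(_rec(ts, "Acme CS Sync", "Case", 40, "203.0.113.10"))
        recs.append(_rec(f"2025-11-{day}T10:00:00Z", "Billing Connector",
                         "Invoice__c", 300, "203.0.113.20"))
    # Observation day: the same app token now pulls whole objects, including one
    # it never touched, from an IP never seen before, at an unusual hour.
    for entity, rows in (("Account", 45000), ("Contact", 80000),
                         ("Case", 30000), ("User", 2000)):
        recs.append(_rec("2025-11-21T03:12:00Z", "Acme CS Sync", entity, rows,
                         "198.51.100.7"))
    # An app with no history at all appears and exports Contacts.
    recs.append(_rec("2025-11-21T04:00:00Z", "Unknown Exporter", "Contact",
                     50000, "198.51.100.7"))
    # The billing app behaves as usual and must not be flagged.
    recs.append(_rec("2025-11-21T10:00:00Z", "Billing Connector", "Invoice__c",
                     300, "203.0.113.20"))
    return recs


SAMPLE_LOG = _build_sample()


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def profile(records):
    """Per connected app: rows processed per calendar hour, objects read, source IPs."""
    per_app = defaultdict(lambda: {"hourly": defaultdict(int),
                                   "entities": set(), "ips": set()})
    for r in records:
        p = per_app[r["CLIENT_NAME"]]
        hour_key = parse_ts(r["TIMESTAMP"]).strftime("%Y-%m-%dT%H")
        p["hourly"][hour_key] += r["ROWS_PROCESSED"]
        p["entities"].add(r["ENTITY_NAME"])
        p["ips"].add(r["CLIENT_IP"])
    return per_app


def detect(records, baseline_end, factor=10):
    """Compare each app's activity from baseline_end onward against its own history.

    Returns (app, reason, detail) tuples. Reasons: new_app (no history before the
    cutoff), volume_spike (busiest hour exceeds factor x the baseline hourly
    median), new_entity (object never read before), new_source_ip.
    """
    cutoff = parse_ts(baseline_end)
    base = profile([r for r in records if parse_ts(r["TIMESTAMP"]) < cutoff])
    obs = profile([r for r in records if parse_ts(r["TIMESTAMP"]) >= cutoff])
    findings = []
    for app, o in sorted(obs.items()):
        b = base.get(app)
        if b is None:
            findings.append((app, "new_app", "no activity before cutoff"))
            continue
        typical = median(b["hourly"].values())
        peak_hour, peak_rows = max(o["hourly"].items(), key=lambda kv: kv[1])
        if peak_rows > factor * typical:
            findings.append((app, "volume_spike",
                             f"{peak_rows} rows in {peak_hour}, baseline median {typical:.0f}"))
        for ent in sorted(o["entities"] - b["entities"]):
            findings.append((app, "new_entity", ent))
        for ip in sorted(o["ips"] - b["ips"]):
            findings.append((app, "new_source_ip", ip))
    return findings


if __name__ == "__main__":
    for app, reason, detail in detect(SAMPLE_LOG, "2025-11-21T00:00:00Z"):
        print(f"{app}: {reason} ({detail})")
```

The check is keyed on the connected app rather than on the user because a stolen token behaves exactly like the legitimate integration at the authentication layer; the only thing that distinguishes it is what it does with the access. In production the baseline window should cover at least a few weeks of the integration's normal cycle, and any `volume_spike` or `new_entity` hit on a vendor that has announced an incident is grounds to revoke the token first and investigate second.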