Salesforce has issued an alert after identifying unusual behavior involving applications published by Gainsight that integrate with the Salesforce platform. According to the company, the suspicious activity may have allowed unauthorized access to some customers' data through the affected applications.
In response, Salesforce has revoked all active access and refresh tokens tied to Gainsight-published apps and has also taken these apps offline from the AppExchange while the investigation continues. Although the company did not specify how many customers were impacted, it confirmed that all affected organizations have been informed.
Salesforce emphasized that the event was not caused by a vulnerability within the Salesforce platform itself. Instead, the activity appears to stem from the external connection between the Gainsight applications and Salesforce.
Gainsight Apps Temporarily Disabled Across Multiple Platforms
As a precaution, the Gainsight application has also been removed from the HubSpot Marketplace. In addition, Zendesk connector access linked to Gainsight integrations has been disabled. Gainsight noted that this could temporarily affect OAuth-based connections for customers, although no suspicious activity has been detected in HubSpot so far.
In a LinkedIn statement, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), described the situation as part of an emerging campaign. The attacks appear to target OAuth tokens associated with Gainsight-published applications connected to Salesforce, potentially enabling unauthorized data access.
Possible Connection to ShinyHunters Group
The activity is suspected to be linked to threat actors associated with ShinyHunters, also known as UNC6240. This group recently carried out a similar OAuth-token-based attack on Salesloft Drift instances in August.
According to DataBreaches.Net, ShinyHunters has claimed responsibility for the ongoing campaign, stating that both the Salesloft and Gainsight attacks enabled them to obtain data from nearly 1000 organizations.
Gainsight previously acknowledged being a victim in the earlier Salesloft Drift attack, but it is still unclear whether that breach contributed to the current incident.
Details of Previous Compromise
In the earlier intrusion, attackers accessed business-related Salesforce contact data, including names, business email addresses, phone numbers, regional or location details, product licensing information, and support case contents, though attachments were not accessed.
Security Experts Recommend Reviewing OAuth Integrations
Researchers warn that adversaries are increasingly focusing on OAuth tokens used by trusted third-party SaaS integrations because of their access privileges and widespread use.
Organizations are advised to review all external applications connected to Salesforce, revoke tokens for suspicious or unused integrations, and rotate credentials promptly if any unusual activity is detected.
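The review recommended above, as an added example written for this article and not code from Salesforce or Gainsight: a triage pass over OAuth token records that flags tokens belonging to a publisher named in the alert, tokens for apps outside an approved list, and tokens unused for more than 90 days. The sample rows are constructed, and the field names are assumed to match the Salesforce OauthToken object; the approved-app list and incident-app set are hypothetical policy inputs.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the Salesforce OauthToken object (assumed
# field names: Id, AppName, UserId, LastUsedDate, UseCount). In a real review
# they would come from a SOQL query such as:
#   SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
REVIEW_TIME = datetime(2025, 11, 21, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"Id": "TOK-1", "AppName": "Gainsight NXT", "UserId": "005A",
     "LastUsedDate": "2025-11-19T03:12:00.000+0000", "UseCount": 4821},
    {"Id": "TOK-2", "AppName": "Slack", "UserId": "005B",
     "LastUsedDate": "2025-11-20T09:00:00.000+0000", "UseCount": 120},
    {"Id": "TOK-3", "AppName": "Old BI Export", "UserId": "005C",
     "LastUsedDate": "2025-05-01T00:00:00.000+0000", "UseCount": 3},
    {"Id": "TOK-4", "AppName": "Unknown Connector", "UserId": "005D",
     "LastUsedDate": None, "UseCount": 0},
]
# Hypothetical policy inputs: approved integrations, publishers named in the
# current alert, and how long a token may sit unused before it is revoked.
APPROVED_APPS = {"Slack", "Gainsight NXT", "Old BI Export"}
INCIDENT_APPS = {"Gainsight NXT"}
UNUSED_AFTER = timedelta(days=90)


def parse_sf_datetime(value):
    """Parse Salesforce's API timestamp format, e.g. 2025-11-19T03:12:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_stale(token, now):
    """True if the token was never used or not used within UNUSED_AFTER."""
    if not token["LastUsedDate"]:
        return True
    return now - parse_sf_datetime(token["LastUsedDate"]) > UNUSED_AFTER


def triage(tokens, now):
    """Map each token Id to ('revoke', reason) or ('keep', reason)."""
    decisions = {}
    for t in tokens:
        if t["AppName"] in INCIDENT_APPS:
            decisions[t["Id"]] = ("revoke", "publisher named in the Salesforce alert")
        elif t["AppName"] not in APPROVED_APPS:
            decisions[t["Id"]] = ("revoke", "app not on the approved integration list")
        elif is_stale(t, now):
            decisions[t["Id"]] = ("revoke", "token unused for more than 90 days")
        else:
            decisions[t["Id"]] = ("keep", "approved app with recent use")
    return decisions
```

Tokens marked "revoke" are the ones to remove and, where the app is still needed, re-authorize with freshly issued credentials.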