Salesforce says it has picked up unusual behaviour linked to Gainsight-published apps that customers deploy and manage in their own environments.
The company’s investigation shows that this activity may have allowed unauthorized access to some customers’ Salesforce data through the app’s integration path.
As soon as it detected the issue, Salesforce revoked every active access and refresh token tied to Gainsight apps and pulled those apps from the AppExchange while it continues the investigation.
There’s no indication that the Salesforce platform itself was compromised. The activity points to the app’s external connection rather than a platform vulnerability.
Salesforce has notified customers we know were affected and says it will keep sharing updates at the link provided.
During the August 2025 Salesloft breach, “Scattered Lapsus$ Hunters” stole sensitive information from the customers of 760 companies using stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce, resulting in the theft of 1.5 billion Salesforce records.
Gainsight did not comment on how its customers’ access tokens may have been compromised, but said earlier it was also one of the Salesloft Drift customers impacted in the previous attacks.
Gainsight has an update and FAQ page for customer support, while Salesforce said customers who need help can reach out to Salesforce Help: https://help.salesforce.com/s.
An Unsettling Reality
John Carberry, Solution Sleuth at Xcape Inc, says this incident is another sobering reminder that your biggest danger in the SaaS world is frequently someone else’s integration, and highlights how long the tail of a supply-chain vulnerability can be.
“It builds immediately on the previous Salesloft/Drift breach, in which attackers allegedly stole OAuth tokens and are now utilizing that access to pivot into 285 Salesforce instances.”
He says although Salesforce did the right thing by removing all Gainsight-related tokens and removing the apps from the AppExchange, but for customers, this highlights an unsettling reality, that is even if the core platform isn’t vulnerable, over-privileged third-party apps can still gain access to a company’s CRM crown jewels. “This incident makes it abundantly evident that, even in cases when a core platform is secure, the broad permissions given to integrated applications that appear to be harmless continue to be the weakest link in the cloud ecosystem.
Moving forward, Carberry advises companies tohandle linked apps as high-risk identities. “Inventory them, give them the least privilege required, keep an eye on their activity, and be prepared to quickly revoke trust when anomalous behavior is detected. Attackers will have easy access to your client data if you don’t regularly examine your SaaS integrations and tighten OAuth scopes.”
“In 2025, the real zero day isn’t in your CRM; it’s in the third-party app you forgot was connected to it,” Carberry adds.
Patching the Broken Door Isn’t Enough
Lydia Zhang, President & Co-Founder of Ridge Security Technology, adds that it’s clear that once attackers succeed in a large-scale breach, it becomes progressively easier for them to leverage the compromised data and tokens to achieve additional attacks.
“The message for defenders is that patching the initially ‘broken’ door isn’t enough, you must thoroughly inspect every part of your environment to ensure the attackers cannot reuse access from a prior breach to open new doors.”
Denis Calderone CRO & COO at Suzu Labs, says: “We’ve been warning clients about this scenario for years, that the SaaS integration trust chain is almost always longer and more complex than anyone realizes.”
Like a Russian Nesting Doll
Calderone believes this is like a Russian nesting doll. “Salesloft gets breached, which exposes Gainsight, which compromises 200+ Salesforce customers. You might know you’re using Gainsight, but do you know Gainsight integrates with Salesloft? That visibility gap is where these cascading breaches live.”
He advises entities to focus heavily on OAuth hygiene and conditional access policies. “Organizations need to continuously monitor OAuth token usage for abnormalities: unusual data volumes, unexpected geographic access, dormant tokens suddenly going active. When something doesn’t look right, automatically revoke refresh tokens. Don’t wait for vendor disclosure. If a token that’s been quiet for months suddenly pulls gigabytes of data, that’s your signal. And here’s the simple part: if you see a dormant OAuth token that hasn’t been used in 60 or 90 days, just revoke it. This will limit your blast radius with minimal impact on user experience.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.