Salesforce Investigates Customer Data Theft Tied to Gainsight App Breach

Salesforce is investigating a security incident after discovering unusual activity involving apps published by Gainsight, a customer-success software provider whose tools integrate directly with Salesforce environments. The company confirmed that hackers may have gained unauthorized access to some customers’ data through these third-party apps.

In an advisory published on Thursday, Salesforce emphasized that the incident did not arise from any vulnerability or flaw within its own platform. Instead, early findings point to the compromise of external connections created when customers installed and authorized Gainsight-published apps from Salesforce’s AppExchange marketplace.

Following the discovery, the company revoked all active access and refresh tokens tied to Gainsight-published apps and temporarily removed them from the AppExchange. Affected customers have been notified directly, and those requiring further assistance can contact the Salesforce Help team.

Links To Earlier Large-Scale OAuth Attacks

While Salesforce has not yet disclosed the full scope of the breach, the attack closely resembles the high-profile August breach at Salesloft, where the ShinyHunters group used stolen OAuth tokens to gain access to hundreds of Salesforce instances.

The same group now claims it accessed an additional 285 Salesforce environments via Gainsight, this time by abusing secrets and OAuth tokens allegedly obtained during the Salesloft breach — leveraging them to compromise Gainsight integrations.

Gainsight’s Response And Ongoing Investigation

Gainsight has acknowledged on its status update page that it is working with Salesforce and has launched its own internal investigation. The company later confirmed it has engaged security firm Mandiant to assist with a comprehensive, independent forensic investigation. However, it has yet to provide detailed information on the number of affected customers or the nature of the stolen data.

Gainsight was also among the companies compromised in the earlier Salesloft-linked attack, during which attackers accessed business contact information, licensing details, and support case content.

What’s Next

Salesforce says it is continuing to investigate and will share updates directly with affected customers. Gainsight maintains that its own review is ongoing and has not yet disclosed the full scope of the compromise.

Meanwhile, security experts urge Salesforce customers to immediately:

  • Audit all connected third-party apps
  • Review and revoke unnecessary or high-risk OAuth integrations
  • Enable tighter access controls around third-party app permissions
  • Monitor for suspicious activity tied to external connections

With attackers increasingly targeting third-party SaaS integrations rather than core platforms, this latest breach underscores the challenges of securing complex cloud ecosystems — where even one compromised app can become an entry point to large-scale data breaches.

Kavita Iyer