Salesforce recently issued a security advisory alerting users to unauthorized access to customer data via third-party applications provided by Gainsight. This breach not only raises alarm bells across the user base but also highlights persistent vulnerabilities associated with OAuth integrations—an area already marked by significant data breaches within the Salesforce ecosystem in recent months.
According to the notification released earlier, Salesforce detected unusual activity tied to Gainsight applications executed within user environments of the AppExchange. Once these applications were authorized, attackers could establish external connections and access Salesforce data without directly breaching vulnerability in the platform itself. In response, Salesforce has annulled all active and refresh tokens related to the affected Gainsight applications and has since removed them from the AppExchange pending an extensive investigation.
This incident is regarded as a continuation of tactics utilized in previous breaches associated with threat actor groups such as UNC6040 and UNC6395, alongside the extortion group known as Scattered LAPSUS$ Hunters. These attackers often employ social engineering and infrastructure anonymization while exploiting OAuth token abuse to infiltrate Salesforce environments through either third-party or impersonated applications. Notably, victims were frequently misled into granting access to malicious apps disguised as legitimate Salesforce tools, like Data Loader or well-known integrations such as Drift from Salesloft.
In a notable previous attack, this same group began leaking terabytes of sensitive data drawn from more than 50 companies, including high-profile brands like Qantas, FedEx, Disney, Cisco, and Walgreens. The exposed data included personally identifiable information (PII), such as birth dates and social security numbers, along with corporate secrets. With Gainsight’s applications caught up in this latest breach, there is growing concern that similar actors may still be active, exploiting new vulnerabilities—a suspicion that remains unverified at this stage.
Salesforce, a leading provider of cloud-based customer relationship management (CRM) software relied upon by over 150,000 businesses globally, supports a vast third-party integration ecosystem facilitated by its AppExchange. These integrations heavily utilize OAuth for delegated access, enabling applications to act on user behalf once authorized. While this integration model streamlines workflows, it also opens a pathway for threat actors to exploit the inherent trust placed in these applications.
Gainsight, the vendor involved in this breach, offers customer success tools that integrate closely with Salesforce, designed to synchronize data and facilitate outreach. With these tools deployed widely among enterprise customers, security oversight can vary significantly based on individual implementations, allowing attackers to exploit weaker configurations or manipulate users through social engineering to sidestep organizational defenses.
Salesforce has articulated that the breach is not attributable to any faults within its own platform but stems from external OAuth connections instead. Yet it has become apparent that its dependency on user-approved app integrations, which come with limited default visibility and automated risk assessments, leaves customers exposed. Organizations leveraging Salesforce should urgently review the security of all authorized connected applications, particularly those from lesser-known vendors or those with unclear access permissions, and should revoke any unused or questionable OAuth tokens.
If you appreciated this article, follow us on X/Twitter and LinkedIn for more exclusive insights.
