Salesforce has issued a security advisory confirming unauthorized access to customer data via third-party applications published by Gainsight.
The disclosure reignites serious concerns over the systemic abuse of OAuth integrations, an attack vector that has already facilitated massive data breaches across the Salesforce ecosystem in recent months.
The alert, published earlier today, states that Salesforce detected “unusual activity” involving Gainsight-published applications installed by customers from the AppExchange. These applications, once authorized, allowed attackers to connect externally and access Salesforce data without exploiting a vulnerability in the platform itself. In immediate response, Salesforce revoked all active and refresh tokens associated with the impacted Gainsight apps and pulled them from the AppExchange pending further investigation.
This latest breach marks a continuation of tactics seen in earlier campaigns attributed to threat actor clusters such as UNC6040 and UNC6395, as well as the Scattered LAPSUS$ Hunters extortion group. These actors employed social engineering, infrastructure anonymization, and OAuth token abuse to infiltrate Salesforce environments via third-party or impersonated applications. In many cases, the attackers tricked victims into approving rogue apps that resembled Salesforce tools, such as Data Loader, or leveraged legitimate integrations like Drift from Salesloft.
Last month, the group began leaking terabytes of data stolen from over 50 companies, much of it exfiltrated through Salesforce-connected apps. Victims included major global brands like Qantas, FedEx, Disney, Cisco, and Walgreens. Leaked records contained personally identifiable information (PII), including birth dates, social security numbers, and corporate secrets.
Now, with Gainsight’s applications implicated in a new round of unauthorized access, fears are mounting that the same or closely related threat actors may be continuing their campaigns using fresh entry points, although this hasn’t been confirmed yet.
Salesforce, a dominant provider of cloud-based CRM software used by over 150,000 businesses worldwide, supports a sprawling ecosystem of third-party integrations via its AppExchange. These integrations rely heavily on OAuth for delegated access, a mechanism that allows apps to act on behalf of users once granted permission. While this model simplifies workflows, it has also created a lucrative target for threat actors who exploit the trust placed in these apps.
Gainsight, the implicated vendor in this breach, offers customer success tools that integrate directly with Salesforce to sync data and automate outreach. These tools are widely deployed among enterprise Salesforce customers. Because the affected apps are installed and managed by customers, security oversight varies across implementations, and attackers can exploit weaker configurations or social engineering to bypass organizational defenses.
Salesforce has emphasized that the issue does not stem from a flaw in its own platform, instead pointing to the external nature of the OAuth connections. However, it has now become clear that the platform’s reliance on user-approved app integrations, with limited default visibility or automated risk scoring, leaves customers vulnerable.
Enterprises that rely on Salesforce should reassess the security of all authorized connected apps, especially those from smaller vendors or with less transparent access scopes, audit all connected apps in their Salesforce instances, and revoke unused or suspicious OAuth tokens.
Leave a Reply