Salesforce Probes Gainsight OAuth Anomalies as SaaS Token Attacks Escalate

Salesforce is probing suspicious OAuth activity tied to Gainsight apps, raising fears of data exposure and signaling a sharper wave of SaaS-targeted attacks as investigators purge tokens and customers reassess integrations under scrutiny.

Harsh Sharma
Salesforce probes suspected data access breach tied to Gainsight OAuth links

Salesforce is looking into unusual OAuth activity associated with Gainsight integrations after observing behavior that might have revealed customer data. Initial indications suggest a deliberate effort on the part of a threat group responsible for previous SaaS-oriented attacks.


A quiet integration turns into a loud security alert

What started as routine background traffic between Salesforce and a popular Gainsight app has since developed into a full-blown security investigation. Salesforce confirmed unusual activity passing through OAuth connections linked to applications published by Gainsight, and per the company, this behavior may have allowed unauthorized access to customer data through those integrations.

Upon observing the activity, Salesforce revoked access tokens and refresh tokens for all active sessions related to those applications. As part of this effort, the affected applications were also removed from the AppExchange while investigators continue to parse the transaction logs. Salesforce did not confirm how many customer accounts were impacted but did confirm that affected organizations had been notified.

Salesforce did state that nothing in its own platform appeared to be compromised per evidence at hand. Rather, the incident appeared to originate from an external connection to a third-party application.


Ripple Effect Reaches HubSpot Marketplace

Gainsight has temporarily pulled its app from the HubSpot Marketplace. It is warning customers that some OAuth connections may start to fail while it reviews the situation, and that any such failures will be temporary. Gainsight also confirmed to me that so far there is no apparent link to suspicious activity involving HubSpot.

Threat Intel Suggests ShinyHunters

Security analysts say the latest campaign resembles one earlier in the year that targeted OAuth tokens used by trusted SaaS integrations. Austin Larsen, the principal threat analyst, calls it another example of a larger pattern of attacks on OAuth tokens, one more chapter in a longer story of such attacks.

The behavior matches what was seen with the ShinyHunters group, also known as UNC6240, which was linked to an earlier breach of Salesloft and Drift back in August. That incident exposed business contact details, including names, email addresses, phone numbers, regions, product licensing details, and similar fields.


From what we know, ShinyHunters has taken credit for this broader campaign, claiming to have collected data from nearly a thousand organizations through Salesloft and Gainsight. Gainsight itself was affected in the earlier breach, but there is still no solid evidence linking the two events.

OAuth integrations draw growing attacker interest

OAuth tokens continue to be a prime target for attackers. These tokens allow apps to connect without sharing passwords, which makes them valuable if stolen. Attackers can use them to pull data, impersonate users, or move laterally across connected cloud services.

With the investigation still ongoing, security teams are being urged to review all third-party integrations connected to Salesforce. Experts advise removing unused or unfamiliar applications, revoking tokens that appear suspicious, and rotating credentials if logs show irregular access.
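The review the article recommends (flagging unfamiliar or unused integrations, revoking suspicious tokens, and rotating credentials where access looks irregular) can be turned into a repeatable triage step. The script below is an added example, not code from the article, Salesforce or Gainsight; the token records it processes are constructed, and the record fields, the approved-app list and the thresholds are assumptions that a real tenant would map onto its own connected-app and API-usage exports.

```python
"""Triage of third-party OAuth tokens connected to a SaaS tenant.

Added example, not from the article. Field names are assumptions; a real
export of connected-app token records would need to be mapped onto them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TokenRecord:
    app_name: str        # connected app the token was issued to
    user: str            # account the token acts on behalf of
    last_used: datetime  # last API call made with the token
    api_calls_24h: int   # request volume in the trailing 24 hours
    source_ips: tuple    # distinct client IPs seen using the token


# Finding codes used in the output
UNAPPROVED_APP = "UNAPPROVED_APP"      # app not on the sanctioned list
STALE_TOKEN = "STALE_TOKEN"            # token unused for a long period
API_VOLUME_SPIKE = "API_VOLUME_SPIKE"  # bulk-pull pattern
MANY_SOURCE_IPS = "MANY_SOURCE_IPS"    # token replayed from many places


def triage(records, approved_apps, now, stale_days=90,
           call_threshold=5000, max_ips=3):
    """Return {(app, user): [reasons]} for every token that needs attention."""
    findings = {}
    for rec in records:
        reasons = []
        if rec.app_name not in approved_apps:
            reasons.append(UNAPPROVED_APP)
        if now - rec.last_used > timedelta(days=stale_days):
            reasons.append(STALE_TOKEN)
        if rec.api_calls_24h > call_threshold:
            reasons.append(API_VOLUME_SPIKE)
        if len(set(rec.source_ips)) > max_ips:
            reasons.append(MANY_SOURCE_IPS)
        if reasons:
            findings[(rec.app_name, rec.user)] = reasons
    return findings


def recommended_actions(reasons):
    """Map finding codes to the response steps the article describes."""
    actions = ["revoke_token"]  # every flagged token is revoked
    # Irregular access (not merely stale or unknown) also warrants
    # credential rotation and a log review for the affected user.
    if API_VOLUME_SPIKE in reasons or MANY_SOURCE_IPS in reasons:
        actions += ["rotate_user_credentials", "pull_access_logs"]
    return actions


# Constructed sample export (assumed shape, fictitious values)
NOW = datetime(2025, 11, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    TokenRecord("Gainsight", "alice", NOW - timedelta(days=1), 120,
                ("203.0.113.10",)),
    TokenRecord("Gainsight", "svc-integration", NOW - timedelta(hours=1),
                48000, ("203.0.113.10", "198.51.100.2", "198.51.100.3",
                        "198.51.100.4", "198.51.100.5", "198.51.100.6")),
    TokenRecord("Legacy Reporting Tool", "bob", NOW - timedelta(days=200),
                0, ()),
    TokenRecord("Slack", "carol", NOW - timedelta(days=2), 300,
                ("203.0.113.11",)),
]
# Sanctioned integrations maintained by the org (assumption)
APPROVED_APPS = {"Gainsight", "Slack"}

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_TOKENS, APPROVED_APPS, NOW).items():
        print(key, reasons, recommended_actions(reasons))
```

Running it flags the integration account with a sudden request spike from many source addresses, and the stale token belonging to an app nobody approved, while the two well-behaved tokens pass untouched. Thresholds belong in configuration and should be tuned to each tenant's normal integration volume.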


The incident underscores how convenient SaaS integrations can quickly become a security risk when authentication tokens fall into the wrong hands.
