Unauthorized Salesforce Data Access via Compromised Gainsight OAuth Integrations
November 26th, 2025
High
Our Cyber Threat Intelligence Unit is monitoring a developing security incident involving unusual activity linked to Gainsight-published applications integrated with Salesforce. According to Salesforce, this activity may have allowed unauthorized access to certain customer data through the affected third-party applications. As a containment measure, Salesforce has revoked all active access and refresh tokens associated with these apps and has temporarily removed them from the Salesforce AppExchange pending further review. Salesforce states that there is no vulnerability in the Salesforce platform itself; the issue stems from the external OAuth trust relationship with Gainsight-published integrations. Analysts from Google's Threat Intelligence Group (GTIG) assess that this activity matches tactics previously linked to the ShinyHunters threat group, tracked under various UNC designations (including UNC6240) in related Salesforce attacks such as the earlier Salesloft Drift campaign.
Technical Details
Attack Type: OAuth token compromise via trusted third-party integration.
Severity: High.
Vector: Abuse of access/refresh tokens granted to Gainsight-published applications.
Platform Impacted: Salesforce (via external OAuth integration).
Attack Chain:
Threat actors abused the trust relationship between Salesforce and Gainsight-published apps, using valid OAuth access and refresh tokens issued to those apps to read Salesforce customer data.
Because the requests carried tokens belonging to a legitimate, authorized third-party app, login-time controls such as MFA did not apply, and the activity looked like ordinary integration traffic to platform-level defenses.
Salesforce found no evidence that any Salesforce platform vulnerability was exploited, reinforcing the conclusion that the vector is external to the platform.
Containment Measures:
Salesforce has revoked all OAuth access and refresh tokens associated with Gainsight-published applications, as well as temporarily removed the affected apps from the Salesforce AppExchange.
Gainsight has temporarily removed its integration from the HubSpot Marketplace and revoked access for its Zendesk connector, warning organizations of possible OAuth disruptions during investigation.
Attribution:
GTIG analysts identify substantial overlap with previous OAuth-token-abuse campaigns attributed to ShinyHunters, including playbook similarity with the earlier Salesloft Drift compromise.
Adversaries continue to pivot toward token-based persistence across SaaS ecosystems: a stolen token sidesteps MFA (the user already authenticated when the grant was issued), can bypass IP restrictions where a connected app is configured to relax them, and triggers no exploit detection because no vulnerability is used.

Impact
Unauthorized access to Salesforce customer data via Gainsight app connections.
Compromise of OAuth tokens, allowing persistent access until revoked.
Possible exposure of Salesforce CRM-layer data, such as business contact and case information.
In previous, closely related ShinyHunters campaigns (including Salesloft Drift and Gainsight’s earlier exposure), attackers accessed names, business email addresses, phone numbers, regional/location details, licensing information, and support case contents.
Operational disruption for organizations relying on Gainsight integrations due to token revocation and app removal from marketplaces.
Supply-chain style risk: The issue arises from a trusted third-party integration rather than the Salesforce platform.
This incident reinforces the fragility of SaaS-to-SaaS trust chains and highlights the need for continuous monitoring of OAuth-based integrations.
Detection Method
Audit Salesforce’s Connected Apps section for all Gainsight-published applications.
Identify unexpected, unused, or unrecognized integrations and revoke associated OAuth tokens.
Examine Salesforce event logs and OAuth token usage for anomalies, including:
Access outside business hours.
Sudden spikes in API calls.
Data export events originating from Gainsight integrations.
Correlate OAuth activity with known ShinyHunters behavioral patterns (e.g., immediate data extraction post-token theft).
Use SaaS-security posture management (SSPM) tools or identity monitoring to:
Track OAuth token lifespan.
Detect scope misuse.
Flag excessive or unusual API activity.
Identify third-party apps requesting risky permissions.
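The detection checks listed above (after-hours access, API call spikes, export-style reads by the Gainsight integration) can be run over exported Salesforce API event logs. The following is an added example written for this advisory, not code from Salesforce, Gainsight, or GTIG. It assumes a simplified subset of the columns found in Salesforce EventLogFile "API" rows (TIMESTAMP_DERIVED, CLIENT_NAME, USER_NAME, ENTITY_NAME, ROWS_PROCESSED, URI); the business-hours window, baseline, thresholds, and all log rows are constructed for illustration and must be tuned to your tenant.

```python
"""Flag suspicious Salesforce API activity attributed to a named connected app.

Added example for this advisory (not Salesforce/Gainsight code). Column names
are an assumed simplification of the Salesforce EventLogFile 'API' event type;
the sample rows are constructed, not real telemetry.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows (not real logs). Timestamps are UTC.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,CLIENT_NAME,USER_NAME,ENTITY_NAME,ROWS_PROCESSED,URI
2025-11-20T14:05:12.000Z,Gainsight,integration@example.com,Account,200,/services/data/v60.0/query
2025-11-20T14:06:40.000Z,Gainsight,integration@example.com,Contact,200,/services/data/v60.0/query
2025-11-20T14:07:02.000Z,Salesforce Mobile,alice@example.com,Case,10,/services/data/v60.0/sobjects/Case
2025-11-21T02:13:55.000Z,Gainsight,integration@example.com,Contact,2000,/services/data/v60.0/query
2025-11-21T02:14:20.000Z,Gainsight,integration@example.com,Contact,2000,/services/data/v60.0/queryAll
2025-11-21T02:14:48.000Z,Gainsight,integration@example.com,Case,2000,/services/data/v60.0/query
2025-11-21T02:15:10.000Z,Gainsight,integration@example.com,Account,2000,/services/data/v60.0/query
2025-11-21T02:15:33.000Z,Gainsight,integration@example.com,User,500,/services/data/v60.0/query
2025-11-21T02:16:01.000Z,Gainsight,integration@example.com,Contact,2000,/services/async/60.0/job
"""

# Tunable assumptions for the example tenant.
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 UTC
SUSPECT_CLIENTS = {"gainsight"}          # CLIENT_NAME values, compared case-insensitively
BASELINE_CALLS_PER_HOUR = 5              # normal hourly volume for this integration
SENSITIVE_OBJECTS = {"Contact", "Case", "Account", "User", "Lead"}
EXPORT_URI_MARKERS = ("/queryAll", "/async/", "/jobs/query")  # bulk/async export paths
LARGE_READ_ROWS = 2000                   # a single call returning this many rows is export-like


def parse_rows(text):
    """Parse the CSV export into dicts with a tz-aware timestamp and integer row count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(
            r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ"
        ).replace(tzinfo=timezone.utc)
        r["rows"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return rows


def analyze(rows):
    """Return a list of (rule, detail) findings for activity from suspect clients."""
    findings = []
    suspect = [r for r in rows if r["CLIENT_NAME"].lower() in SUSPECT_CLIENTS]

    # Rule 1: access outside business hours.
    for r in suspect:
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours",
                             f"{r['ts'].isoformat()} {r['USER_NAME']} read {r['ENTITY_NAME']}"))

    # Rule 2: hourly call volume above the integration's baseline.
    per_hour = Counter(r["ts"].strftime("%Y-%m-%dT%H") for r in suspect)
    for hour, n in sorted(per_hour.items()):
        if n > BASELINE_CALLS_PER_HOUR:
            findings.append(("api_spike",
                             f"{hour}: {n} calls (baseline {BASELINE_CALLS_PER_HOUR})"))

    # Rule 3: export-style reads of sensitive objects (bulk endpoints or large row counts).
    for r in suspect:
        bulk = any(m in r["URI"] for m in EXPORT_URI_MARKERS)
        if r["ENTITY_NAME"] in SENSITIVE_OBJECTS and (bulk or r["rows"] >= LARGE_READ_ROWS):
            findings.append(("data_export",
                             f"{r['ts'].isoformat()} {r['ENTITY_NAME']} rows={r['rows']} uri={r['URI']}"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'after_hours': 6, 'api_spike': 1, 'data_export': 5}."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, detail in analyze(parse_rows(SAMPLE_LOG)):
        print(f"[{rule}] {detail}")
```

In the constructed sample the Nov 20 activity (two daytime reads of a few hundred rows) produces no findings, while the Nov 21 burst at 02:13 UTC trips all three rules at once; in practice it is that overlap (after hours, above baseline, export-sized reads of Contact/Case/Account) that distinguishes token abuse from the integration's normal sync, so a production rule should score on co-occurrence rather than alert on any one signal.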
Indicators of Compromise
No indicators of compromise (IOCs) have been published for this advisory.

Recommendations
Immediate Token Review & Revocation: Salesforce has revoked Gainsight tokens centrally, but verify in your own tenant that no Gainsight OAuth grants remain active, revoke any that do, and treat any re-authorization of these apps as a deliberate, reviewed decision rather than a routine reconnect, especially if the application hasn't been used recently or is not business critical.
Audit Third-Party Applications: Review all connected third-party integrations in Salesforce (not just Gainsight) and enforce:
Least-privilege OAuth scopes.
Periodic token reviews.
Removal of unused or legacy integrations.
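The three audit rules above (least-privilege scopes, periodic token review, removal of unused integrations) can be applied as a triage pass over an inventory of connected-app grants. The following is an added example for this advisory, not Salesforce or Gainsight code. It assumes an inventory exported by hand from Setup > Connected Apps OAuth Usage (app name, publisher, granted scopes, last use, use count); the inventory rows, the 90-day staleness window, the scope list, and the allow-list of business-critical apps are all constructed assumptions.

```python
"""Triage connected-app OAuth grants into revoke / review / keep.

Added example for this advisory (not Salesforce/Gainsight code). The
inventory and thresholds below are constructed assumptions.
"""
from datetime import date, timedelta

TODAY = date(2025, 11, 26)          # assumed review date (advisory date)
STALE_AFTER = timedelta(days=90)    # grants unused this long are removed
# Scopes that grant broad access or long-lived (refresh) tokens; assumed list.
BROAD_OR_PERSISTENT_SCOPES = {"full", "refresh_token", "offline_access", "web"}
BUSINESS_CRITICAL = {"Salesforce Mobile"}   # assumed allow-list for this tenant
PUBLISHERS_UNDER_INCIDENT = {"Gainsight"}   # publishers whose grants are revoked outright

# Constructed inventory (not real data).
INVENTORY = [
    {"app": "Gainsight", "publisher": "Gainsight",
     "scopes": {"api", "refresh_token", "full"}, "last_used": date(2025, 11, 21), "use_count": 4210},
    {"app": "Gainsight PX", "publisher": "Gainsight",
     "scopes": {"api", "refresh_token"}, "last_used": date(2025, 6, 3), "use_count": 12},
    {"app": "Legacy BI Sync", "publisher": "Internal",
     "scopes": {"api", "refresh_token"}, "last_used": date(2025, 2, 1), "use_count": 88},
    {"app": "Salesforce Mobile", "publisher": "Salesforce",
     "scopes": {"api", "refresh_token"}, "last_used": date(2025, 11, 25), "use_count": 9001},
    {"app": "Slack", "publisher": "Slack",
     "scopes": {"api", "refresh_token", "id"}, "last_used": date(2025, 11, 24), "use_count": 300},
]


def triage(app, today=TODAY):
    """Return (action, reasons) for one grant. action is 'revoke', 'review' or 'keep'."""
    reasons = []
    idle = today - app["last_used"]
    if app["publisher"] in PUBLISHERS_UNDER_INCIDENT:
        reasons.append("publisher named in active incident")
    if idle > STALE_AFTER:
        reasons.append(f"unused for {idle.days} days (limit {STALE_AFTER.days})")
    broad = app["scopes"] & BROAD_OR_PERSISTENT_SCOPES
    if broad and app["app"] not in BUSINESS_CRITICAL:
        reasons.append("broad/persistent scopes: " + ", ".join(sorted(broad)))

    # Incident publishers and stale grants are revoked; broad scopes alone go to review.
    if app["publisher"] in PUBLISHERS_UNDER_INCIDENT or idle > STALE_AFTER:
        return "revoke", reasons
    if reasons:
        return "review", reasons
    return "keep", reasons


def triage_all(inventory, today=TODAY):
    """Map app name -> action for the whole inventory."""
    return {app["app"]: triage(app, today)[0] for app in inventory}


if __name__ == "__main__":
    for app in INVENTORY:
        action, reasons = triage(app)
        print(f"{action:6} {app['app']:18} {'; '.join(reasons) or 'no findings'}")
```

The allow-list is what keeps this from being a blunt instrument: a refresh token on a business-critical first-party app is expected, while the same scope on a stale internal sync job is exactly the kind of forgotten grant an attacker with a stolen token would happily keep using.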
Establish a SaaS supply-chain governance process of continuous risk review of integrations across Salesforce, HubSpot, Zendesk, and similar platforms.
Track updates from Salesforce, Gainsight, and GTIG as the investigation develops.
Conclusion
Salesforce’s discovery of unusual activity linked to Gainsight-published applications highlights the growing threat of OAuth token misuse in third-party SaaS environments. While Salesforce confirms that its platform remains unaffected, the compromise of trusted external integrations (likely connected to ShinyHunters’ ongoing token-theft campaigns) shows how attackers continue to target the weakest links in SaaS supply chains. Salesforce’s extensive token revocation and application removal emphasize the severity of this incident. We urge organizations to act quickly: review all connected apps, revoke unused or suspicious tokens, rotate credentials, and enhance governance around OAuth integrations to mitigate associated risks.