Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity

Posted on November 21, 2025 by CWS

Nov 21, 2025Ravie LakshmananData Breach / SaaS Safety
Salesforce has warned of detected “uncommon exercise” associated to Gainsight-published purposes linked to the platform.
“Our investigation signifies this exercise could have enabled unauthorized entry to sure clients’ Salesforce information by the app’s connection,” the corporate stated in an advisory.
The cloud providers agency stated it has taken the step of revoking all lively entry and refresh tokens related to Gainsight-published purposes linked to Salesforce. It has additionally quickly eliminated these purposes from the AppExchange as its investigation continues.
Salesforce didn’t disclose what number of clients had been impacted by the incident, however stated it has notified them.

“There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the company added. “The activity appears to be related to the app’s external connection to Salesforce.”

Out of an abundance of caution, the Gainsight app has been temporarily pulled from the HubSpot Marketplace. “This may also impact OAuth access for customer connections while the review is taking place,” Gainsight said. “No suspicious activity related to HubSpot has been observed at this point.”

In a post shared on LinkedIn, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), described it as an “emerging campaign” targeting Gainsight-published applications connected to Salesforce.

The activity is assessed to be tied to threat actors associated with the ShinyHunters (aka UNC6240) group, mirroring a similar set of attacks targeting Salesloft Drift instances earlier this August.

According to DataBreaches.Net, ShinyHunters has confirmed the campaign is their doing and stated that the Salesloft and Gainsight attack waves allowed them to steal data from nearly 1000 organizations.

Interestingly, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the previous attack. But it’s not clear at this stage if the earlier breach played a role in the current incident.

In that hack, the attackers accessed business contact details for Salesforce-related content, including names, business email addresses, phone numbers, regional/location details, product licensing information, and support case contents (without attachments).

“Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations,” Larsen pointed out.

In light of the malicious activity, organizations are advised to review all third-party applications connected to Salesforce, revoke tokens for unused or suspicious applications, and rotate credentials if anomalies are flagged from an integration.
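The review recommended above can be run as a triage pass over an exported inventory of connected-app OAuth tokens. The following is an added example, not code from Salesforce, Gainsight or the original article; the record layout, the field names, the 90-day staleness threshold and all sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory of connected-app OAuth tokens.
# Field names are assumed for this example, not a vendor export format.
TOKENS = [
    {"app": "Gainsight CS", "user": "svc-gainsight@example.com",
     "last_used": "2025-11-19T08:12:00+00:00"},
    {"app": "Legacy Reports Sync", "user": "jdoe@example.com",
     "last_used": "2025-03-02T10:00:00+00:00"},
    {"app": "Calendar Connector", "user": "asmith@example.com",
     "last_used": None},  # token issued but never exercised
    {"app": "Data Loader", "user": "admin@example.com",
     "last_used": "2025-11-20T16:40:00+00:00"},
]

def triage(tokens, now, watchlist, stale_after_days=90):
    """Return tokens that should be revoked, with the reasons for each.

    watchlist: app-name fragments for integrations under investigation.
    A watchlist hit also calls for credential rotation, following the
    article's advice; a merely stale token only needs revocation.
    """
    cutoff = now - timedelta(days=stale_after_days)
    findings = []
    for tok in tokens:
        reasons = []
        suspicious = any(w.lower() in tok["app"].lower() for w in watchlist)
        if suspicious:
            reasons.append("integration under investigation")
        if tok["last_used"] is None:
            reasons.append("never used")
        elif datetime.fromisoformat(tok["last_used"]) < cutoff:
            reasons.append(f"unused for more than {stale_after_days} days")
        if reasons:
            findings.append({
                "app": tok["app"],
                "user": tok["user"],
                "action": "revoke and rotate credentials" if suspicious else "revoke",
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    review_date = datetime(2025, 11, 21, tzinfo=timezone.utc)
    for finding in triage(TOKENS, review_date, watchlist=["gainsight"]):
        print(finding)
```
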
