Excerpt from BleepingComputer Article, Published on November 20, 2025
Salesforce is investigating suspicious activity linked to Gainsight-managed applications. The company reported that attackers used these apps to access some customer data. Salesforce clarified that its core platform remains secure and the incident came from integrations managed on the customer side.
Once the team noticed the unusual activity, Salesforce revoked all active and refresh tokens linked to the affected Gainsight apps. It also removed these apps from the AppExchange during the investigation. The company contacted all impacted customers and encouraged them to reach out for support if they need guidance.
Gainsight is also running its own investigation. It confirmed a connection issue on its status page but has not shared detailed findings. Both companies are now working together to understand how attackers gained access and what data they pulled.
Security analysts believe that this breach may be connected to a previous OAuth-based attack. That earlier attack targeted Salesloft’s Drift integration and gave the threat group access to Salesforce customer data. Researchers linked that attack to the ShinyHunters group. They now see signs that the same group may be involved in the Gainsight incident as well.
Experts warn that these cases highlight a growing problem across SaaS platforms. Attackers often target third-party apps because these apps carry broad permissions. Even if the base platform stays secure, integrations create new entry points that attackers can exploit.
Organizations that use Salesforce should review their connected apps, remove unused integrations, and check OAuth scopes. They should also revoke tokens that look suspicious. Regular reviews can help reduce the risk of credential theft and unauthorized data access.
To delve deeper into this topic, visit BleepingComputer.




