Salesforce disclosed a security incident on November 19, 2025, involving unusual activity in Gainsight-published applications that enabled unauthorized access to specific customers’ Salesforce data through connected integrations.
The company detected suspicious behavior in third-party apps that customers install and manage independently, prompting the immediate revocation of all active access and refresh tokens.
Gainsight apps were temporarily pulled from the Salesforce AppExchange, and affected customers received direct notifications as the probe continues.
No evidence points to a Salesforce platform vulnerability; the issue stems from external connections in the apps.
Google Threat Intelligence Group (GTIG) confirmed that over 200 Salesforce instances may be affected by this supply-chain attack linked to the ShinyHunters (UNC6240) actors.
Hackers reportedly exploited stolen authentication tokens from a prior Salesloft Drift campaign in which Gainsight was compromised, enabling pivots into linked Salesforce orgs to exfiltrate data.
Attackers abused OAuth scopes in Gainsight-connected apps, potentially granting excessive permissions to Salesforce objects such as customer records.
Salesforce’s response included revoking the tokens to block ongoing access, as well as forensic analysis by Mandiant that confirmed the breach originated externally.
Gainsight halted additional integrations with HubSpot and Zendesk out of caution, noting that no direct suspicious activity has been observed there yet.
Security experts urge auditing connected apps: navigate to Setup > Apps > Connected Apps, filter for “Gainsight,” review the granted scopes against least privilege, and rotate credentials immediately.
Check login history, API logs, and event logs for anomalies, such as unusual data exports, during the exposure window (before November 19).
Enforce MFA, IP allowlisting, and session policies on integration users to prevent recurrence.
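As an added example (not from the article, Salesforce or Gainsight), the kind of triage a defender can run over an exported API event log to surface the two anomalies the recommendations above describe: oversized reads by a connected app and connected-app calls from an IP the integration is not known to use. The column names, the row threshold, the allowlisted IP and the log rows are all constructed assumptions for this illustration, not Salesforce’s exact event log schema.

```python
import csv, io
from collections import defaultdict

# Constructed sample rows, loosely modelled on a Salesforce event log export.
# The column names are an assumption for this example, not Salesforce's exact schema.
SAMPLE_API_EVENTS = """\
TIMESTAMP,USER_ID,CONNECTED_APP,CLIENT_IP,ENTITY,ROWS_PROCESSED
2025-11-10T02:14:00Z,005A,Gainsight,203.0.113.10,Account,1200
2025-11-10T02:16:00Z,005A,Gainsight,203.0.113.10,Case,40000
2025-11-10T09:00:00Z,005B,Salesforce for Outlook,198.51.100.7,Contact,25
2025-11-12T03:40:00Z,005A,Gainsight,192.0.2.55,Contact,250000
"""

# Assumed per-call ceiling for this org; a real baseline comes from your own history.
ROWS_THRESHOLD = 5000
# Assumed IP allowlist for the integration user (constructed value).
KNOWN_INTEGRATION_IPS = {"Gainsight": {"203.0.113.10"}}

def parse_events(csv_text):
    """Parse the CSV export into dicts, converting ROWS_PROCESSED to an int."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"])
    return rows

def find_bulk_exports(events, threshold=ROWS_THRESHOLD):
    """Calls that read more rows than the threshold: candidate data exports."""
    return [e for e in events if e["ROWS_PROCESSED"] > threshold]

def find_unknown_ips(events, known_ips=KNOWN_INTEGRATION_IPS):
    """Connected-app calls from IPs outside that app's allowlist (token used elsewhere)."""
    return [e for e in events
            if e["CONNECTED_APP"] in known_ips
            and e["CLIENT_IP"] not in known_ips[e["CONNECTED_APP"]]]

def rows_by_app(events):
    """Total rows read per connected app, to rank which credentials to rotate first."""
    totals = defaultdict(int)
    for e in events:
        totals[e["CONNECTED_APP"]] += e["ROWS_PROCESSED"]
    return dict(totals)

if __name__ == "__main__":
    events = parse_events(SAMPLE_API_EVENTS)
    print("bulk reads:", [(e["TIMESTAMP"], e["CONNECTED_APP"], e["ROWS_PROCESSED"]) for e in find_bulk_exports(events)])
    print("unknown IPs:", [(e["TIMESTAMP"], e["CLIENT_IP"]) for e in find_unknown_ips(events)])
    print("rows by app:", rows_by_app(events))
```

On a real export, restrict the rows to the exposure window first and tune the threshold to the integration’s normal daily volume, since a legitimate sync may also read many rows.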
This incident highlights SaaS supply chain risks, where third-party tokens serve as a new attack vector, echoing prior OAuth exploits in Drift and Oracle integrations.
Salesforce continues to update on its Trust site, emphasizing that there is no core platform flaw.
Organizations should run OAuth assessments and monitor for extortion sites from Scattered Lapsus$ Hunters, who claimed responsibility.