Salesforce has announced that it detected unauthorized activity linked to OAuth connections created by applications published by Gainsight. These apps are widely used by Salesforce customers, and the unusual behavior raised concerns that some customer data may have been accessed without approval. Salesforce stressed that the incident is connected to third-party integrations, not to a flaw in the Salesforce platform itself.
After discovering the issue, Salesforce moved quickly and revoked all access and refresh tokens associated with Gainsight-published apps. This step immediately cut off the suspicious activity. The company also removed the affected Gainsight apps from its AppExchange while the investigation continues, ensuring no new customers could install them during the review.
According to security researchers, early analysis suggests that the activity may be connected to the threat actor group ShinyHunters, also known as UNC6240/UNC6395. This group has been involved in several large-scale attacks that target OAuth connections and SaaS integrations rather than core systems. The style of activity in this case appears similar to those earlier campaigns.
Salesforce has not yet confirmed exactly how many customers were impacted, but multiple independent reports suggest that over 200 Salesforce customer instances may have been involved. The company is still analyzing access logs and working directly with potentially affected customers to determine what data may have been viewed or taken.
Investigators note that the incident highlights a growing trend in cyberattacks. Rather than breaking into major platforms directly, attackers increasingly exploit trusted third-party apps that have broad access permissions. OAuth tokens, once compromised, allow attackers to move silently through connected systems without needing passwords or direct system access.
Because of this, Salesforce is advising customers to review all Gainsight-connected OAuth apps, check the permissions granted, rotate credentials, and look for any unusual access patterns in their logs. Customers are also encouraged to disable any integrations they are not actively using. These steps can help prevent attackers from re-using old access paths.
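As an added illustration of the review Salesforce recommends (not code from Salesforce, Gainsight, or the original article), the script below walks a constructed CSV export of connected-app API activity, flags apps whose recent pulls are far above their own baseline or come from a source IP not seen before, and lists integrations that have been idle long enough to be disable candidates. The log format, app names and addresses are all constructed for the example and are not Salesforce's native event schema.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from statistics import median
# Constructed sample log in an assumed CSV shape (not Salesforce's native event schema).
SAMPLE_LOG = """timestamp,connected_app,rows,source_ip
2025-11-10T08:00:00Z,Gainsight App,1200,198.51.100.10
2025-11-11T08:00:00Z,Gainsight App,1150,198.51.100.10
2025-11-12T08:00:00Z,Gainsight App,1300,198.51.100.10
2025-11-19T02:13:00Z,Gainsight App,250000,203.0.113.77
2025-10-01T09:00:00Z,Legacy Sync,10,198.51.100.20
"""

def parse_log(text):
    """Parse the CSV into dicts with an aware datetime and an int row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        row["rows"] = int(row["rows"])
        events.append(row)
    return events

def review_apps(events, now, recent_days=2, idle_days=30, volume_factor=10):
    """Map each connected app to its findings: volume spike, new source IP, or idle."""
    recent_cutoff = now - timedelta(days=recent_days)
    idle_cutoff = now - timedelta(days=idle_days)
    findings = {}
    for app in sorted({e["connected_app"] for e in events}):
        app_events = [e for e in events if e["connected_app"] == app]
        baseline = [e for e in app_events if e["timestamp"] < recent_cutoff]
        recent = [e for e in app_events if e["timestamp"] >= recent_cutoff]
        notes = set()
        # No activity for idle_days: an integration that is not in use and can be disabled.
        if max(e["timestamp"] for e in app_events) < idle_cutoff:
            notes.add("idle: no activity in %d days, disable candidate" % idle_days)
        if baseline and recent:
            typical = median(e["rows"] for e in baseline)
            known_ips = {e["source_ip"] for e in baseline}
            for e in recent:
                # A recent pull far above the app's usual volume, or from an unseen IP.
                if e["rows"] > volume_factor * typical:
                    notes.add("volume spike: %d rows vs baseline %d" % (e["rows"], typical))
                if e["source_ip"] not in known_ips:
                    notes.add("new source ip: %s" % e["source_ip"])
        findings[app] = sorted(notes)
    return findings

def demo_findings():
    """Run the review over the constructed log as of 2025-11-20 UTC."""
    return review_apps(parse_log(SAMPLE_LOG), datetime(2025, 11, 20, tzinfo=timezone.utc))
```

Calling `demo_findings()` reports the constructed Gainsight app for both a volume spike and a new source IP, and marks the unused "Legacy Sync" integration as a disable candidate.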
Security analysts say the incident appears to be targeted and deliberate, with attackers focusing specifically on token-based access routes. ShinyHunters has a history of using this method to gather large datasets from SaaS environments. Their activity often blends in with normal system traffic, making these incidents more difficult to detect.
Salesforce has stated that its investigation is ongoing and that it will continue sharing updates as more information is verified. Customers who may have been impacted have already been notified, and both Salesforce and Gainsight are working to fully understand the scope of the unauthorized access. The incident serves as a strong reminder of how important it is for organizations to regularly audit and secure all third-party integrations.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news