Salesforce issued an urgent warning after noticing anomalous OAuth behavior associated with Gainsight-published applications that are connected to the Salesforce ecosystem. Salesforce believes the suspicious behavior may have resulted in unauthorized access to certain customers’ Salesforce data, raising new worries about the security of third-party SaaS integrations.
What Happened?
Salesforce discovered the behavior through OAuth tokens associated with Gainsight-published applications while conducting its ongoing investigation. OAuth tokens enable third-party apps to authenticate and access Salesforce resources on behalf of customers. When these tokens are compromised, attackers have the same level of access as the application itself, with no passwords required.
Salesforce instantly revoked all active access and refresh tokens for Gainsight applications and temporarily withdrew them from the AppExchange marketplace. Customers that have been impacted have received direct notification.
The company emphasized that the platform itself is not at fault. Instead, the problem appears to be caused by external connections established by the Gainsight applications.
Ripple Effects Across Other Platforms
As part of an abundance of caution:
- Gainsight pulled its app from the HubSpot Marketplace
- Zendesk connector OAuth access has been revoked temporarily
- Gainsight confirmed no suspicious activity has been observed on HubSpot so far
These steps indicate a broader effort to contain any lateral movement across other SaaS ecosystems.
Who Is Behind the Attack?
Security researchers believe the behavior is linked to the ShinyHunters gang (also known as UNC6240), a well-known threat actor with a track record of large-scale data theft operations.
Austin Larsen, Principal Threat Analyst at Google’s Threat Intelligence Group (GTIG), classified the behavior as part of an “emerging campaign” targeting Gainsight-published apps that are linked to Salesforce, specifically through compromised third-party OAuth tokens.
This follows a similar attack strategy seen in August, when the same group targeted Salesloft Drift interfaces to obtain unauthorized access to SaaS infrastructures.
According to DataBreaches.net, ShinyHunters claimed responsibility and stated that the combined Salesloft + Gainsight campaigns gave them access to data from approximately 1,000 firms.
A Complicated Timeline
Interestingly, Gainsight already revealed that they were affected by the prior Salesloft Drift event.
It is unknown whether data acquired in the first attack was used to pivot into the current one, for example by capturing API keys, integration metadata, or OAuth tokens associated with client accounts.
During the earlier attack, the adversaries accessed:
- Names and business email addresses
- Phone and regional/location details
- Product licensing information
- Support case metadata (excluding attachments)
This type of internal business knowledge can be incredibly useful in further phishing, credential harvesting, and API-based attacks.
Why OAuth Tokens Are an Emerging Attack Vector
Modern SaaS platforms rely heavily on OAuth for secure, delegated access. However, OAuth tokens often become:
- long-lived
- stored improperly
- shared across multiple systems
This makes them appealing to threat actors: a stolen token grants the application’s access directly, so the attacker never needs to break into a user’s account at all.
As Larsen pointed out, criminals are increasingly targeting trusted SaaS-to-SaaS interfaces, which security teams sometimes overlook.
What Organizations Should Do Now
Given the active exploitation, organizations using Salesforce or integrated Gainsight, Zendesk, or HubSpot connectors should:
1. Review All Connected Apps: Check the “Connected Apps” section in Salesforce (or your equivalent SaaS platform) and verify only legitimate integrations are in use.
2. Revoke Unused or Suspicious OAuth Tokens: If an integration hasn’t been used recently, revoke its tokens immediately.
3. Rotate API Keys, Secrets, and OAuth Credentials: Treat this incident as a potential credential exposure and rotate all sensitive keys.
4. Monitor Access Logs for Anomalies: Look for unusual IP addresses, API calls outside typical business hours, or access from regions your users don’t operate in.
5. Implement SaaS Security Posture Management (SSPM): Tools that monitor OAuth scopes, third-party access, and token behavior help detect early warning signs.
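As an added illustration of steps 1, 2 and 4 (not code from the original article or from Salesforce), the script below runs over constructed connected-app access log lines and flags calls from integrations outside an approved list, access from unexpected regions or outside business hours, and apps that have gone idle long enough that their tokens should be revoked. The log format, app names, countries and business-hours window are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like a connected-app API access log
# (timestamp, connected app, user, source IP, country, API call).
# These are illustrative values, not data from the incident.
SAMPLE_LOG = """\
2025-11-19T09:12:04Z,Gainsight,alice@example.com,203.0.113.10,US,query
2025-11-19T10:40:51Z,Gainsight,svc-int@example.com,203.0.113.10,US,query
2025-11-20T02:17:33Z,Gainsight,svc-int@example.com,198.51.100.77,RO,query
2025-11-20T02:18:02Z,Gainsight,svc-int@example.com,198.51.100.77,RO,query
2025-11-20T03:05:12Z,Gainsight,svc-int@example.com,198.51.100.77,RO,query
2025-09-01T14:00:00Z,LegacyETL,etl@example.com,203.0.113.22,US,query
2025-11-19T15:22:09Z,UnknownApp,alice@example.com,203.0.113.10,US,query
"""

APPROVED_APPS = {"Gainsight", "LegacyETL"}  # step 1: integrations you actually sanctioned
EXPECTED_COUNTRIES = {"US"}                 # step 4: regions your users operate from
BUSINESS_HOURS = range(8, 19)               # step 4: 08:00-18:59 UTC (assumed window)
MAX_IDLE_DAYS = 30                          # step 2: revoke tokens idle longer than this

def parse(log_text):
    """Turn CSV log lines into dicts with a parsed UTC timestamp."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, app, user, ip, country, call = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "app": app,
                     "user": user, "ip": ip, "country": country, "call": call})
    return rows

def find_anomalies(rows):
    """Flag calls from unapproved apps, unexpected regions, or off-hours."""
    findings = []
    for r in rows:
        if r["app"] not in APPROVED_APPS:
            findings.append(("unapproved_app", r["app"], r["user"], r["ts"]))
        if r["country"] not in EXPECTED_COUNTRIES:
            findings.append(("unexpected_region", r["app"], r["user"], r["ts"]))
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", r["app"], r["user"], r["ts"]))
    return findings

def stale_apps(rows, now_iso="2025-11-21T00:00:00Z"):
    """Apps with no activity for MAX_IDLE_DAYS: candidates for token revocation."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    last_seen = defaultdict(lambda: datetime.min)
    for r in rows:
        last_seen[r["app"]] = max(last_seen[r["app"]], r["ts"])
    return sorted(app for app, seen in last_seen.items()
                  if now - seen > timedelta(days=MAX_IDLE_DAYS))

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for kind, app, user, ts in find_anomalies(rows):
        print(f"{ts:%Y-%m-%d %H:%M}Z  {kind:<18} app={app} user={user}")
    print("stale apps (revoke tokens):", stale_apps(rows))
```

In the sample, the Gainsight service account's night-time calls from a new country are exactly the pattern step 4 asks you to look for, and LegacyETL surfaces as a token that should be revoked under step 2.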
Conclusion
This event highlights an increasingly common reality: SaaS security fails not only due to platform vulnerabilities, but also at the integration layer.
Third-party applications, OAuth tokens, and cross-platform connections are now popular targets for attackers looking to gain scalable access to company data.
With ShinyHunters claiming responsibility and almost 1,000 firms reportedly hit by connected efforts, careful monitoring of SaaS connectors is more important than ever.
