Salesforce confirmed unauthorized access to customer data through a **Gainsight-managed package**, a third-party SaaS connector integrated via OAuth. The breach exploited Gainsight's compromised credentials, allowing the attackers (responsibility claimed by **ShinyHunters**) to extract data from customers' Salesforce instances without directly compromising Salesforce's core infrastructure. The incident mirrors the earlier **Salesloft supply-chain attack**, in which attackers used connected apps to pivot into victims' Salesforce environments. Salesforce denied any vulnerability in its platform, but the breach highlights the risks of **token theft, over-permissive OAuth scopes, and third-party app sprawl**. The hackers threatened **double extortion**, hinting at stolen data from *hundreds of organizations*, though the actual scale and the data types involved (e.g., customer PII, corporate records) remain unverified. Gainsight's status page acknowledged a *Salesforce connection issue* but stopped short of calling it a breach. The attack vector, **compromised vendor tokens accessing Salesforce APIs**, underscores a systemic risk in SaaS supply chains: long-lived tokens with broad permissions enable lateral movement from one cloud service into another. Customers were urged to **rotate OAuth tokens, audit app permissions, and monitor logs** for anomalous exports. The incident reinforces **CISA** warnings about cloud-to-cloud compromise via third-party integrations, with potential fallout including **reputational damage, regulatory scrutiny, and customer churn** if sensitive data was exposed.
Source: https://www.findarticles.com/salesforce-says-customer-data-was-accessed-following-gainsight-breach/
Datorama, a Salesforce Company cybersecurity rating report: https://www.rankiteo.com/company/datorama
{
  "id": "DAT1804218112125",
  "linkid": "datorama",
  "type": "Breach",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Hundreds of organizations (claimed by ShinyHunters, unverified)",
      "industry": "Cloud Computing / CRM",
      "location": "San Francisco, California, USA",
      "name": "Salesforce",
      "size": "Large Enterprise",
      "type": "SaaS Provider"
    },
    {
      "industry": "Software",
      "location": "San Francisco, California, USA",
      "name": "Gainsight",
      "size": "Mid-to-Large Enterprise",
      "type": "Customer Success Platform"
    },
    {
      "industry": "Software",
      "location": "Atlanta, Georgia, USA",
      "name": "Salesloft",
      "size": "Mid-to-Large Enterprise",
      "type": "Sales Engagement Platform"
    },
    {
      "industry": "Insurance",
      "location": "USA",
      "name": "Allianz Life",
      "size": "Large Enterprise",
      "type": "Financial Services"
    },
    {
      "industry": "Technology",
      "location": "USA",
      "name": "Bugcrowd",
      "size": "Mid-to-Large Enterprise",
      "type": "Cybersecurity"
    },
    {
      "industry": "Technology",
      "location": "USA",
      "name": "Cloudflare",
      "size": "Large Enterprise",
      "type": "Web Infrastructure"
    },
    {
      "industry": "Internet Services",
      "location": "USA",
      "name": "Google",
      "size": "Large Enterprise",
      "type": "Technology"
    },
    {
      "industry": "Retail",
      "location": "France",
      "name": "Kering",
      "size": "Large Enterprise",
      "type": "Luxury Goods"
    },
    {
      "industry": "Technology",
      "location": "USA",
      "name": "Proofpoint",
      "size": "Large Enterprise",
      "type": "Cybersecurity"
    },
    {
      "industry": "Aviation",
      "location": "Australia",
      "name": "Qantas",
      "size": "Large Enterprise",
      "type": "Airline"
    },
    {
      "industry": "Manufacturing",
      "location": "Netherlands/USA",
      "name": "Stellantis (formerly Fiat Chrysler)",
      "size": "Large Enterprise",
      "type": "Automotive"
    },
    {
      "industry": "Financial Services",
      "location": "USA",
      "name": "TransUnion",
      "size": "Large Enterprise",
      "type": "Credit Reporting"
    },
    {
      "industry": "Software",
      "location": "USA",
      "name": "Workday",
      "size": "Large Enterprise",
      "type": "Enterprise Cloud Applications"
    }
  ],
  "attack_vector": [
    "OAuth Token Exploitation",
    "Third-Party Connector (Gainsight Managed Package)",
    "Cloud-to-Cloud Compromise"
  ],
  "customer_advisories": [
    "Check inventory of Gainsight-related apps",
    "Verify app scopes and installed users",
    "Rotate OAuth tokens and client secrets"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": [
      "Potential (if PII was included in exposed data)"
    ],
    "sensitivity_of_data": [
      "Moderate to High (depends on exposed fields)"
    ],
    "type_of_data_compromised": [
      "Account Data",
      "Contact Data",
      "Opportunity Data",
      "Usage Data",
      "Potentially Sensitive Metadata"
    ]
  },
  "description": "Salesforce investigated an incident where unauthorized access to some customers’ data occurred through a Gainsight 'managed package,' a third-party connector. The breach was attributed to the exploitation of OAuth tokens linked to Gainsight-published applications, rather than a vulnerability in Salesforce’s core platform. The hacking group ShinyHunters claimed responsibility, threatening to leak stolen data if negotiations failed. The incident highlights risks associated with third-party SaaS connectors and OAuth token misuse in cloud environments.",
  "impact": {
    "brand_reputation_impact": [
      "Potential Erosion of Trust in Salesforce/Gainsight Security",
      "Negative Publicity"
    ],
    "data_compromised": [
      "Account Data",
      "Contact Data",
      "Opportunity Data",
      "Usage Data",
      "Potentially Sensitive Metadata"
    ],
    "identity_theft_risk": [
      "Possible (if PII was exposed)"
    ],
    "operational_impact": [
      "Potential Disruption to Customer Success Workflows",
      "Need for Token Rotation and App Reauthorization"
    ],
    "systems_affected": [
      "Salesforce Instances (via Gainsight Connected Apps)",
      "Gainsight Managed Package"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": [
      "Threatened by ShinyHunters (double-extortion technique)"
    ],
    "entry_point": [
      "Compromised Gainsight Environment or Token Store",
      "Exploited OAuth Tokens for Gainsight Managed Package"
    ],
    "high_value_targets": [
      "Salesforce Customer Data (Accounts, Contacts, Opportunities)"
    ]
  },
  "investigation_status": "Ongoing (Salesforce and Gainsight investigating; extent of access and data exposure unclear)",
  "lessons_learned": [
    "Third-party SaaS connectors can serve as attack vectors even if the core platform is secure.",
    "OAuth token sprawl and overbroad permissions increase risk in multi-tenant cloud environments.",
    "Token theft and cloud-to-cloud compromise are significant threats, as warned by CISA.",
    "Strict scoping, short-lived tokens, and ongoing monitoring are critical countermeasures.",
    "Recertification of connected apps and centralized token management are essential for security."
  ],
  "motivation": [
    "Data Theft",
    "Extortion (Double-Extortion Technique)",
    "Financial Gain"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Enforce least-privilege access and token scoping",
      "Implement short-lived tokens and regular rotation",
      "Enhance logging and monitoring for connected apps",
      "Centralize token management with vaulting solutions",
      "Conduct recertification of all connected apps",
      "Limit data export capabilities for integrations"
    ],
    "root_causes": [
      "Overbroad OAuth token permissions for third-party apps",
      "Long-lived tokens without rotation",
      "Insufficient monitoring of connected app activity",
      "Token sprawl in multi-tenant cloud environments"
    ]
  },
  "ransomware": {
    "data_exfiltration": true
  },
  "recommendations": [
    "Audit and inventory all third-party connected apps, especially those with broad permissions.",
    "Enforce least-privilege access and short-lived tokens for OAuth integrations.",
    "Implement conditional access policies and DLP controls for SaaS connectors.",
    "Monitor Event Monitoring (EM) logs and API logs for abnormal activity.",
    "Disable or limit unused integrations to reduce the attack surface.",
    "Coordinate with vendors (e.g., Gainsight) for indicators of compromise and remediation steps.",
    "Engage legal, insurance, and law enforcement stakeholders if sensitive data is exposed.",
    "Educate teams on risks associated with SaaS supply chain attacks and token hygiene."
  ],
  "references": [
    {"source": "Salesforce Customer Notice"},
    {"source": "Gainsight Public Status Page"},
    {"source": "DataBreaches.net (ShinyHunters Claim)"},
    {"source": "CISA Warnings on Token Theft"},
    {"source": "Verizon Data Breach Investigations Report"},
    {"source": "IBM Cost of a Data Breach Study"}
  ],
  "response": {
    "communication_strategy": [
      "Customer Advisories from Salesforce/Gainsight",
      "Public Status Page Updates"
    ],
    "containment_measures": [
      "Invalidate and Rotate OAuth Tokens/Client Secrets",
      "Enforce Reconsent for Affected Apps",
      "Turn Off/Uninstall Unused Integrations",
      "Limit Data Export Scope"
    ],
    "enhanced_monitoring": [
      "Ongoing Monitoring of OAuth Token Usage",
      "API Log Analysis"
    ],
    "incident_response_plan_activated": true,
    "recovery_measures": [
      "Reauthorize Integrations Post-Remediation"
    ],
    "remediation_measures": [
      "Tighten Connected App Policies (IP Restrictions, Re-Authentication, Least Privilege)",
      "Analyze Event Monitoring (EM) Logs and API Logs for Anomalies",
      "Centralized Token Vaulting (Recommended)",
      "Conditional Access Policies (Recommended)",
      "DLP Controls in CASB/SSPM Tools (Recommended)"
    ],
    "third_party_assistance": [
      "Coordination with Gainsight",
      "Legal Counsel",
      "Insurers"
    ]
  },
  "stakeholder_advisories": [
    "Monitor updates from Salesforce and Gainsight",
    "Prepare for potential reauthorization of integrations"
  ],
  "threat_actor": [
    "ShinyHunters",
    "Scattered Lapsus$ Hunters (historically linked)"
  ],
  "title": "Unauthorized Access to Salesforce Customer Data via Gainsight Managed Package",
  "type": ["Data Breach", "Unauthorized Access", "Supply Chain Attack"],
  "vulnerability_exploited": [
    "Overbroad OAuth Token Permissions",
    "Long-Lived Tokens",
    "Token Sprawl"
  ]
}