
Salesforce Gainsight Breach: When Trust Gets Tokenized

We’re still learning details about the reported breach involving Gainsight applications connected to Salesforce, but what’s clear already is how familiar this story sounds.

According to Salesforce and industry reporting, attackers appear to have leveraged OAuth tokens from Gainsight integrations to access customer Salesforce data. Salesforce responded by revoking all Gainsight tokens and pulling the apps from AppExchange, emphasizing this wasn’t a Salesforce platform flaw but an exploitation of a trusted connection – the kind every enterprise depends on.

Since initial reports, Gainsight teams have been working with Salesforce to investigate the scope of the unusual activity and the magnitude of this breach.

And later today in messages exchanged with BleepingComputer, threat actor group ShinyHunters claimed they gained access to another 285 Salesforce instances after breaching Gainsight via secrets stolen in the Salesloft-Drift breach.

If this feels like déjà vu, that’s because it is.

The Salesforce/Salesloft/Drift breach earlier this year, tied to groups like Scattered Spider and ShinyHunters, showed how stolen OAuth tokens can be repurposed to quietly move through Salesforce environments. Now, some of those same compromised secrets appear to have fueled this new wave of access.

This is the modern attack surface: attackers don’t have to break in…they just log in, often through sanctioned SaaS apps and integrations. Once authenticated, they blend in perfectly because they aren’t abusing features but simply using the applications as intended.

That’s why securing access isn’t enough. You need visibility and behavioral detection after authentication – to recognize when a legitimate user or machine identity starts acting in ways that don’t fit its typical behavior.
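A minimal sketch of that post-authentication check, added here as an illustration and not taken from Reveal Security's product or from Salesforce: it learns a per-integration baseline (source network, objects read, rows per hour) and flags token use that departs from it. The event layout, the app name `cs-integration`, the /24 grouping and the 3-sigma threshold are assumptions, and the events are constructed sample data using documentation IP ranges.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed sample events (not real logs): (hour, connected_app, source_ip, object, rows_read)
EVENTS = [
    (h, "cs-integration", "198.51.100.10", obj, rows)
    for h, (obj, rows) in enumerate([("Account", 200), ("Case", 180), ("Account", 220),
                                     ("Case", 210), ("Account", 190), ("Case", 205)])
] + [
    (6, "cs-integration", "198.51.100.11", "Account", 215),   # same /24, usual object and volume
    (7, "cs-integration", "203.0.113.77", "Contact", 48000),  # new network, new object, bulk read
]
BASELINE_HOURS = 6  # assumption: hours 0-5 are the learning window

def net24(ip):
    """Group source addresses by /24 so normal egress rotation is not flagged."""
    return ip_network(ip + "/24", strict=False)

def build_baseline(events):
    """Record, per machine identity, where it connects from, what it reads and how much."""
    base = defaultdict(lambda: {"nets": set(), "objects": set(), "rows": []})
    for hour, app, ip, obj, rows in events:
        if hour < BASELINE_HOURS:
            b = base[app]
            b["nets"].add(net24(ip))
            b["objects"].add(obj)
            b["rows"].append(rows)
    return base

def score(event, base):
    """Return the reasons an authenticated event deviates from its identity's baseline."""
    hour, app, ip, obj, rows = event
    b = base.get(app)
    if b is None:
        return ["no baseline for this identity"]
    reasons = []
    if net24(ip) not in b["nets"]:
        reasons.append("new source network")
    if obj not in b["objects"]:
        reasons.append("new object type")
    mu, sigma = mean(b["rows"]), pstdev(b["rows"]) or 1.0
    if rows > mu + 3 * sigma:
        reasons.append("volume spike")
    return reasons

def detect(events):
    """Map hour -> reasons for every post-baseline event that deviates."""
    base = build_baseline(events)
    scored = ((e[0], score(e, base)) for e in events if e[0] >= BASELINE_HOURS)
    return {hour: reasons for hour, reasons in scored if reasons}
```

Every event in the sample carries a valid token; only the hour-7 event is flagged, because the same identity suddenly reads a different object in bulk from an unfamiliar network.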

At Reveal Security, we help enterprises detect that kind of anomalous identity behavior across SaaS, custom applications and multi-cloud environments. Think: Salesforce, Gainsight, Workday, Snowflake, and beyond. Because trust isn’t static anymore – it’s behavioral.

We’re monitoring the situation closely, and our head hacker, Matt Mullins, will share more insights as the investigation unfolds.

For more on how identity misuse and SaaS integrations are reshaping enterprise risk, see our recent posts on:

And for more recommended reading, here’s a great post in a new 3-part blog series by industry analyst and identity security expert Simon Moffatt: Security Starts When Authentication Ends: Analysing Application Activity.


To learn more, explore the Reveal Platform here.