In a troubling development for cloud security, threat actors tied to ShinyHunters claim they have accessed sensitive Salesforce data from more than 200 organizations by exploiting a third-party integration with Gainsight. This incident underscores the rising danger posed by supply-chain attacks on SaaS ecosystems.
What Happened
- According to Google’s Threat Intelligence team, malicious actors gained access to Salesforce instances by abusing OAuth tokens tied to Gainsight-published applications.
- Salesforce, upon detecting “unusual activity,” revoked all active access tokens for those Gainsight-connected apps to contain the breach.
- Salesforce is clear that the root problem was not a vulnerability in its core platform, but in the external connection between Gainsight and its customers’ Salesforce instances.
- ShinyHunters (part of a broader threat collective known as Scattered Lapsus$ Hunters) claim to have accessed around 285 additional Salesforce instances via Gainsight.
- The data allegedly accessed includes business contact details (names, business emails, phone numbers), location information, license-related records, and support-case data.
- This breach appears tied to a previous incident involving Salesloft Drift, where OAuth tokens were stolen.
- Both Salesforce and Gainsight are investigating. Gainsight has brought in a third party (Mandiant) for forensic analysis.
Why It Matters
- Supply-Chain Risk Is Real: This isn’t a typical software bug exploit; attackers leveraged trust between cloud services. Rather than attacking Salesforce itself, they compromised the integration.
- OAuth Tokens as a New Target: Instead of going after credentials or exploiting platforms, threat actors are focusing on API tokens and permission scopes.
- Potentially Massive Impact: With over 200 companies affected (and claims of up to nearly 1,000), the scale of this operation could have severe reputational, financial, and compliance-related consequences.
- Credential Hygiene Is Key: The breach highlights how stale or overprivileged OAuth tokens present a major security risk.
- Rapid Response Required: Organizations using Gainsight (or similar third-party connectors) must immediately audit OAuth integrations, revoke unused tokens, and monitor for any anomalous API activity.
What Organizations Should Do
To reduce risk and prevent further damage, organizations should:
- Revoke or rotate OAuth tokens for all Gainsight-connected apps, especially those that are inactive or no longer needed.
- Review OAuth scopes: limit permissions to only what is strictly necessary (for example, enforce read-only where possible).
- Implement continuous monitoring of third-party integrations: track API usage, token refresh events, and anomalous behavior.
- Conduct a detailed audit of all connected SaaS applications within Salesforce and other critical systems.
- Prepare incident response plans for cloud integrations, including tabletop drills for supply-chain token compromise.
- Work with security partners to perform threat hunting, looking specifically for signs of data exfiltration via OAuth abuse.
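The audit steps above (stale tokens, excessive scopes, anomalous API volume) can be turned into a repeatable check. The script below is an added example, not code from Salesforce, Gainsight, or the original post; it runs over a constructed inventory of connected-app tokens, and the allow-list, scope names, and thresholds are illustrative assumptions to tune for your own tenant.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory of OAuth tokens held by third-party connected apps
# (illustrative values, not real Salesforce or Gainsight data).
NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)
TOKENS = [
    {"token_id": "tok-001", "app": "crm-analytics-connector", "scopes": {"api", "refresh_token"},
     "last_used": "2025-11-20T08:15:00Z", "baseline_calls_per_day": 400, "calls_last_24h": 450},
    {"token_id": "tok-002", "app": "legacy-sync-app", "scopes": {"api", "refresh_token"},
     "last_used": "2025-07-02T11:00:00Z", "baseline_calls_per_day": 50, "calls_last_24h": 0},
    {"token_id": "tok-003", "app": "support-export-tool", "scopes": {"full", "refresh_token"},
     "last_used": "2025-11-21T02:40:00Z", "baseline_calls_per_day": 100, "calls_last_24h": 9000},
]
# Hypothetical allow-list: scopes a connector is permitted to hold ("full" is deliberately excluded).
ALLOWED_SCOPES = {"api", "refresh_token"}

def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_tokens(tokens, now=NOW, stale_days=30, allowed=ALLOWED_SCOPES, spike_factor=5):
    """Return {token_id: [finding, ...]} for tokens that are stale, overprivileged,
    or showing an API-volume spike. Tokens with no findings are omitted."""
    findings = {}
    for t in tokens:
        issues = []
        # Stale: unused for longer than the policy window, so a revocation candidate.
        if now - parse_ts(t["last_used"]) > timedelta(days=stale_days):
            issues.append("stale")
        # Overprivileged: any scope outside the allow-list is reported by name.
        excess = set(t["scopes"]) - allowed
        if excess:
            issues.append("overprivileged:" + ",".join(sorted(excess)))
        # Spike: call volume far above the app's own baseline warrants investigation
        # as possible bulk data access.
        if t["calls_last_24h"] > spike_factor * max(t["baseline_calls_per_day"], 1):
            issues.append("api-spike")
        if issues:
            findings[t["token_id"]] = issues
    return findings

if __name__ == "__main__":
    for tok, issues in audit_tokens(TOKENS).items():
        print(tok, issues)
```

In a real deployment the inventory would be pulled from your SaaS platform's connected-app and API usage reports rather than embedded in the script.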
Conclusion
The ShinyHunters breach via Gainsight is a wake-up call: integrations between SaaS platforms are now a prime target for sophisticated attackers. It’s no longer enough to only secure your core systems; you must also secure the “glue” that binds your SaaS ecosystem together. Businesses must proactively manage OAuth risk, enforce strict permissions, and stay vigilant against token-based attacks.
About COE Security
At COE Security, we help organizations in finance, healthcare, technology, cloud-based services, and enterprise SaaS defend against modern threats and comply with regulatory requirements. We provide:
- OAuth risk assessments and secure configuration reviews
- Third-party integration audits and token lifecycle management
- Continuous monitoring and threat hunting for anomalous API activity
- Compliance support for frameworks like ISO 27001, SOC 2, GDPR, HIPAA, and PCI DSS
- Incident response planning, including supply-chain breach simulations
With COE Security as your partner, you can secure your cloud environment without slowing down innovation.