Salesforce alerts users to potential data exposure via Gainsight OAuth apps – Against Invaders

Salesforce alerts users to potential data exposure via Gainsight OAuth apps - Against Invaders

Salesforce alerts users to potential data exposure via Gainsight OAuth apps

Salesforce warns that unusual activity in Gainsight-linked OAuth apps may have enabled unauthorized access to some customers’ Salesforce data.

Salesforce warned of unusual activity involving Gainsight-linked OAuth apps, noting that threat actors may have used these integrations to gain unauthorized access to some customers’ Salesforce data.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.” reads the notification published by the company.

The company revoked all Gainsight app tokens and pulled the apps from AppExchange after detecting suspicious external activity. Salesforce confirmed that no platform flaw was found. The activity is tied to the app’s external connection to Salesforce.

“Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” continues the notification. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”

The company notifies affected customers, users needing support can contact Salesforce Help.

According to Google GTIG, the new campaign is linked to ShinyHunters, the same group that hit Salesloft Drift in August. DataBreaches.Net reported that ShinyHunters has claimed both waves and they stole data from nearly 1,000 organizations.

“Given Salesforce’s history of being targeted by ShinyHunters and its collective associates, DataBreaches reached out to ask ShinyHunters if the Gainsight campaign was their doing.”Unfortunately, yes,” their spokesperson responded, clarifying that the “Unfortunately” was as in “it’s unfortunate that this is probably the 3rd of 4th large-scale campaign against Salesforce by the same group again.” reported DataBreaches.Net. ““The next DLS will contain the data of the Salesloft and GainSight campaigns,” they stated, “which is, in total, almost 1000 organisations.”

According to the spokesperson, they plan to launch another dedicated leak site if Salesforce does not comply with them.”

Gainsight also fell victim in the earlier Salesloft attack, though its connection to the new incident remains unclear.

Gainsight said it was among the Salesloft Drift customers hit in the earlier breach, but it’s still unclear whether that incident connects to the current one. In that previous attack, hackers accessed business contact data tied to Salesforce content, including names, work emails, phone numbers, location details, licensing information, and support case text (but no attachments).

Follow me on Twitter:@securityaffairsandFacebookandMastodon

PierluigiPaganini

(SecurityAffairs–hacking,Gainsight)

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.