Salesforce Probes Potential Gainsight App Breach Tied to OAuth Tokens


Salesforce is investigating a potential security breach in which customer data may have been accessed through applications published by the software company Gainsight. Salesforce issued a security advisory on Wednesday stating that the connection between Gainsight's applications and Salesforce may have enabled unauthorized access to sensitive customer information.

As a precaution, Salesforce has revoked all active access and refresh tokens associated with the Gainsight applications connected to its platform and has temporarily removed those applications from its AppExchange marketplace.

The concern is underscored by researchers from the Google Threat Intelligence Group (GTIG), who noted that hackers associated with the group known as ShinyHunters have been targeting the OAuth tokens issued to third-party Software as a Service (SaaS) integrations; a stolen token grants the attacker the integration's level of access to a Salesforce customer instance without needing any of the customer's own credentials. Austin Larsen, a principal threat analyst at GTIG, said this is part of a broader trend of adversaries focusing on compromising such tokens.

The campaign follows the same playbook as the earlier Salesloft Drift incident, in which OAuth tokens stolen from the Drift integration were used against a large number of organizations' Salesforce instances in credential-harvesting attacks.

Salesforce and Mandiant, Google's incident response arm, are notifying companies that may have been affected; more than 200 Salesforce instances have been identified so far as potentially impacted. Gainsight acknowledged the situation in a customer support update, stating that it is cooperating with Salesforce to investigate the underlying issues that prompted the token revocation.

According to Salesforce, there is no evidence that the issue stems from a vulnerability in the Salesforce platform itself; the concern is specifically the external connection between the Gainsight application and Salesforce.

In response, GTIG advises security teams to audit their SaaS environments and review the OAuth tokens in their Salesforce instances, looking in particular for connected applications they do not recognize or whose activity looks suspicious. If irregular activity is found, the recommended response is immediate: revoke the affected tokens and rotate any credentials the integration could have reached.
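The audit GTIG recommends, as an added example that is not code from the original article, Salesforce, Gainsight or GTIG: the script below takes an export of OAuth token records, compares each against an allowlist of deliberately connected apps, flags tokens belonging to an app with a reported vendor incident, tokens that have gone unused for longer than a policy window, and tokens whose use count is out of proportion to their age, and produces the list of token IDs to revoke. The record fields (AppName, UserId, CreatedDate, LastUsedDate, UseCount) are assumed to mirror Salesforce's OauthToken object as returned by a SOQL query; the records, IDs, allowlist, thresholds and audit timestamp are all constructed for the demo.

```python
"""Audit exported Salesforce OAuth token records and build a revocation list.

Added example, not code from Salesforce, Gainsight or GTIG. The field names are
assumed to mirror Salesforce's OauthToken object; the sample records below are
constructed, as are the allowlist and thresholds.
"""
from datetime import datetime, timedelta, timezone

# Assumption: the connected apps your org deliberately approved. Anything else is suspect.
APPROVED_APPS = {"Slack", "Okta SSO"}

# Assumption: apps whose vendor has reported an incident are revoked regardless of use.
INCIDENT_APPS = {"Gainsight"}

STALE_AFTER = timedelta(days=90)   # assumed policy: a token unused this long is revoked
MAX_USES_PER_DAY = 100.0           # assumed threshold for "unusual volume"

# Constructed sample export, shaped like the result of
# SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken
# (IDs are made up and not real Salesforce record IDs).
SAMPLE_TOKENS = [
    {"Id": "tok-0001", "AppName": "Slack", "UserId": "user-a",
     "CreatedDate": "2025-06-01T10:00:00.000+0000",
     "LastUsedDate": "2025-11-18T09:12:00.000+0000", "UseCount": 412},
    {"Id": "tok-0002", "AppName": "Gainsight", "UserId": "user-b",
     "CreatedDate": "2024-02-11T08:30:00.000+0000",
     "LastUsedDate": "2025-11-19T17:45:00.000+0000", "UseCount": 9301},
    {"Id": "tok-0003", "AppName": "DataSync Helper", "UserId": "user-c",   # nobody approved this one
     "CreatedDate": "2025-11-10T00:00:00.000+0000",
     "LastUsedDate": "2025-11-19T23:00:00.000+0000", "UseCount": 1570},
    {"Id": "tok-0004", "AppName": "Okta SSO", "UserId": "user-d",          # approved but long unused
     "CreatedDate": "2024-01-05T12:00:00.000+0000",
     "LastUsedDate": "2025-03-01T06:00:00.000+0000", "UseCount": 40},
]

# Constructed "current time" so the demo is deterministic.
AUDIT_NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)


def parse_sf_ts(value):
    """Parse Salesforce's ISO-8601 timestamp form, e.g. 2025-11-18T09:12:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tokens(tokens, now, approved=APPROVED_APPS, incident_apps=INCIDENT_APPS,
                 stale_after=STALE_AFTER, max_uses_per_day=MAX_USES_PER_DAY):
    """Return a finding (Id, AppName, UserId, reasons) for every token that should be revoked."""
    findings = []
    for tok in tokens:
        reasons = []
        app = tok["AppName"]
        created = parse_sf_ts(tok["CreatedDate"])
        last_used = parse_sf_ts(tok["LastUsedDate"]) if tok.get("LastUsedDate") else None

        # 1. Provenance: vendor incident beats allowlist; unknown apps are flagged outright.
        if app in incident_apps:
            reasons.append("vendor incident")
        elif app not in approved:
            reasons.append("unapproved app")

        # 2. Hygiene: a token that is never or no longer used is pure attack surface.
        if last_used is None or now - last_used > stale_after:
            reasons.append("stale")

        # 3. Behaviour: use count out of proportion to the token's age suggests bulk export.
        age_days = max((now - created).total_seconds() / 86400.0, 1.0)
        if tok["UseCount"] / age_days > max_uses_per_day:
            reasons.append("unusual volume")

        if reasons:
            findings.append({"Id": tok["Id"], "AppName": app,
                             "UserId": tok["UserId"], "reasons": reasons})
    return findings


def revocation_plan(findings):
    """Sorted token IDs to revoke; every flagged token is revoked, whatever the reason."""
    return sorted(f["Id"] for f in findings)


def run_sample_audit():
    """Run the audit over the constructed export at the constructed audit time."""
    return audit_tokens(SAMPLE_TOKENS, AUDIT_NOW)


if __name__ == "__main__":
    results = run_sample_audit()
    for f in results:
        print(f"{f['Id']}  {f['AppName']:<16} {f['UserId']:<8} {', '.join(f['reasons'])}")
    print("revoke:", revocation_plan(results))
```

Against a real org the export would come from a SOQL query over OauthToken (or the Connected Apps OAuth Usage page), and "revoke" means deleting the token records and then rotating any secrets the integration could have read from Salesforce data, not just blocking the app. The unapproved-app and volume checks are the ones that would have surfaced a hijacked integration token before the vendor did.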

Salesforce says it will post further updates on the investigation and guidance for customers on its Trust site.
