Salesforce Probes Data Breach Linked to Gainsight Apps

Salesforce inquiries into the illegal data usage associated with Gainsight applications, which had impacted hundreds of customer accounts across the world.

Salesforce is currently investigating a possible data breach after unusual activities were detected in applications published by Gainsight, which may have exposed sensitive customer data. Salesforce indicated that the connected apps might have allowed unauthorized access to some Salesforce customers' data, and therefore the company has revoked all the active and refresh tokens associated with Salesforce integrations using Gainsight. The applications were also temporarily dropped off the AppExchange marketplace.

Gainsight verified that it has been collaborating with Salesforce to investigate the incident. Initial investigations indicate that the problem was caused by the extraneous links of the applications and not by the vulnerability of the Salesforce platform.

The Google Threat Intelligence Group reports that hackers associated with the ShinyHunters group supposedly used OAuth tokens to steal over 200 Salesforce instances of customers. It comes after a previous effort to attack Salesloft Drift whereby compromised Salesforce environments were created through stolen authentication tokens.

Cybersecurity specialists note that the integration of SaaS platforms is creating a significant attack surface. Although the hackers named several companies, such as CrowdStrike and Docusign, which claimed that they did not find any evidence of a compromise, the investigation process continues.

Salesforce informed the impacted organizations and promised to provide additional information on its Trust site. In the meantime, the Mandiant team at Gainsight and Google are carrying out a forensic investigation to get the extent of the breach.

Security researchers advise organizations to review OAuth tokens and audit integrations with third parties and should also change credentials in case of any suspicious activity.