
The Gainsight-Salesforce Breach: Lessons in Third-Party Integration Security

How a supply chain attack through Gainsight compromised 200+ Salesforce organizations, and what you can do to protect your environment.

November 25, 2025 · 5 min read
Tags: Salesforce · Security · Supply Chain · OAuth · Third-Party Risk

In November 2025, a breach through Gainsight's Salesforce integration exposed data from over 200 organizations. This incident highlights why third-party integration security deserves the same rigor as your core platform.

What happened

On November 19, 2025, Salesforce detected unusual API activity originating from Gainsight-published applications. Investigation revealed that threat actors had gained unauthorized access to customer data through compromised OAuth tokens associated with Gainsight integrations.

The breach timeline:

  • October 23, 2025 — Initial reconnaissance activity detected from IP address 3.239.45.43
  • November 8, 2025 — Active unauthorized access began across multiple Salesforce instances
  • November 19, 2025 — Salesforce issued a security advisory and revoked all Gainsight-related tokens
  • November 21, 2025 — Gainsight expanded the impacted customer list; Google disclosed over 200 potentially affected organizations

The threat actor group ShinyHunters (also known as Scattered Lapsus$ Hunters) claimed responsibility. This group has a history of targeting SaaS platforms and has been linked to the ShinySp1d3r ransomware-as-a-service operation.

How the attack worked

This was a supply chain attack. Rather than targeting Salesforce or individual organizations directly, the attackers compromised Gainsight, a customer success platform with deep Salesforce integration. The breach cascaded from an earlier compromise of Salesloft Drift.

The attack chain:

  1. Attackers compromised Salesloft Drift
  2. Gainsight, as a Salesloft Drift customer, had its credentials exposed
  3. Compromised Gainsight access tokens enabled unauthorized Salesforce API calls
  4. Attackers used a specific user agent string (Salesforce-Multi-Org-Fetcher/1.0) previously seen in the Salesloft Drift incident

Technical indicators identified in the investigation included:

  • IP addresses linked to UNC6040, a financially motivated threat cluster
  • Tor exit nodes and commodity VPN infrastructure
  • Malware families including SmokeLoader, Stealc, DCRat, and Vidar

The response

Salesforce and the broader ecosystem moved quickly:

  • Salesforce revoked all active access and refresh tokens for Gainsight applications and temporarily removed Gainsight from the AppExchange
  • Zendesk, Gong.io, and HubSpot preemptively suspended their Gainsight integrations
  • Google disabled OAuth clients with gainsightcloud callback URIs
  • Affected customers were advised to rotate S3 bucket keys, reset passwords, and reauthorize integrations

Salesforce emphasized that the vulnerability was not in the Salesforce platform itself, but in the compromised SaaS-to-SaaS integration.

Protecting your Salesforce environment

This breach reinforces that your security posture is only as strong as your weakest connected application. Here are concrete steps to reduce third-party integration risk.

1) Audit connected applications regularly

Review all OAuth-connected applications in your Salesforce org:

Setup → Apps → Connected Apps OAuth Usage

For each connected app, verify:

  • Business justification still exists
  • Permissions align with least privilege
  • The vendor maintains active security practices
  • Token refresh policies are appropriate

Remove unused or unnecessary connections.

2) Implement IP allowlisting for integrations

Where possible, restrict API access to known IP ranges. For critical integrations, configure:

  • Login IP Ranges for integration users
  • Named Credentials with specific endpoint restrictions
  • Network policies that limit OAuth token usage

3) Monitor for anomalous API activity

Set up alerts for unusual patterns:

  • API calls from unexpected IP addresses or geographies
  • Spikes in data export volumes
  • Access outside normal business hours
  • Requests using uncommon user agent strings

Consider tools like Salesforce Shield Event Monitoring or a third-party SIEM integration.

4) Apply least privilege to integration users

Integration users should have:

  • Dedicated profiles with minimal permissions
  • Only the specific objects and fields required
  • No access to sensitive data unless explicitly needed
  • Regular permission reviews

For example, restrict the integration user to specific objects by creating a dedicated Permission Set that grants only the required access, and never run an integration as System Administrator.

5) Establish a third-party security assessment process

Before approving any new Salesforce integration:

  • Review the vendor's security certifications (SOC 2, ISO 27001)
  • Understand their incident response process
  • Verify they have dedicated security personnel
  • Check for recent security incidents or breaches
  • Review the data access scope requested

6) Prepare for integration compromise

Have a runbook ready for when (not if) a connected application is compromised:

  • Token revocation procedures — Know how to quickly revoke OAuth tokens
  • Audit log preservation — Ensure logs are retained and accessible
  • Communication templates — Pre-draft notifications for stakeholders
  • Recovery steps — Document how to safely reauthorize after remediation

7) Segment sensitive data

Limit integration access to sensitive records:

  • Use Sharing Rules to restrict what integration users can see
  • Consider separate orgs or sandboxes for highly sensitive data
  • Implement field-level security even for internal integrations

Indicators of compromise

If you used Gainsight integrations, review your logs for these indicators:

IP addresses (check against your API logs):

  • 3.239.45.43 (initial reconnaissance)
  • Additional IPs published in Salesforce and Gainsight advisories

User agent strings:

  • Salesforce-Multi-Org-Fetcher/1.0

Affected Gainsight products:

  • Customer Success (CS)
  • Community (CC)
  • Northpass - Customer Education (CE)
  • Skilljar (SJ)
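As an added example (not code from Gainsight, Salesforce or this article), the following script applies the monitoring rules from section 3 and the indicators listed above to API log lines. The log layout, the integration user name, the allowed source IP, the business-hours window and the bulk-export threshold are constructed assumptions; a real deployment would read Salesforce Event Monitoring exports and its own baseline instead.

```python
# Flags API log rows that match this page's indicators or break an integration baseline.
import csv
import io
from datetime import datetime, timezone

# Indicators quoted in the advisory coverage above.
IOC_IPS = {"3.239.45.43"}
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0"}

# Assumed per-org baseline (hypothetical values): allowed source IPs for each
# integration user, business hours in UTC, and a per-call row threshold.
ALLOWED_IPS = {"gainsight.integration@example.com": {"198.51.100.10"}}
BUSINESS_HOURS = (8, 18)
BULK_ROW_THRESHOLD = 5000


def check_event(row):
    """Return the names of the rules an API log row trips (empty list = clean)."""
    hits = []
    ts = datetime.fromisoformat(row["timestamp"]).astimezone(timezone.utc)
    ip, user, agent = row["client_ip"], row["user"], row["user_agent"]
    if ip in IOC_IPS:
        hits.append("ioc_ip")
    if agent in IOC_USER_AGENTS:
        hits.append("ioc_user_agent")
    allowed = ALLOWED_IPS.get(user)  # only integration users have an allowlist
    if allowed is not None and ip not in allowed:
        hits.append("ip_outside_allowlist")
    if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
        hits.append("off_hours")
    if int(row["rows_processed"]) > BULK_ROW_THRESHOLD:
        hits.append("bulk_export")
    return hits


def scan_log(text):
    """Parse a CSV API log and return {data_row_number: hits} for suspicious rows."""
    findings = {}
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        hits = check_event(row)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample log in a simplified Salesforce API event layout.
SAMPLE_LOG = """timestamp,user,client_ip,user_agent,rows_processed
2025-11-08T10:15:00+00:00,gainsight.integration@example.com,198.51.100.10,Gainsight/2.0,120
2025-11-08T02:40:00+00:00,gainsight.integration@example.com,3.239.45.43,Salesforce-Multi-Org-Fetcher/1.0,48000
2025-11-08T11:05:00+00:00,alice@example.com,203.0.113.7,Mozilla/5.0,10
"""

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG).items():
        print(f"row {line_no}: {', '.join(hits)}")
```

Only the second sample row is reported, and it trips every rule at once; in practice a single rule firing on an integration user is already worth an alert.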

Key takeaways

  1. Supply chain attacks are increasingly common — Attackers target vendors with broad customer access rather than individual organizations.

  2. OAuth tokens are high-value targets — A single compromised token can provide extensive data access. Treat token security as seriously as password security.

  3. Integration sprawl increases risk — Every connected application is a potential entry point. Maintain an accurate inventory and review it regularly.

  4. Vendor security is your security — Your security posture includes every third party with access to your data. Assess vendors accordingly.

  5. Rapid response matters — Salesforce's quick token revocation limited the blast radius. Have similar capabilities ready for your own response.

The Gainsight incident is a reminder that modern enterprise environments extend far beyond your own infrastructure. Securing your Salesforce org means securing the entire ecosystem of connected applications.