Salesforce Customers Impacted by New Third-Party Vendor Breach Affecting Gainsight Integrations

Salesforce has confirmed that a third-party vendor breach involving Gainsight, a customer success platform, may have compromised customer data, marking yet another incident in a series of downstream attacks targeting Salesforce integrations.

In a security advisory issued Wednesday, Salesforce reported detecting unusual activity in Gainsight applications connected to its customer environments. According to Austin Larsen, principal analyst at Google Threat Intelligence Group (GTIG), more than 200 Salesforce instances may have been affected.

Similarities to Previous Salesloft Drift Attack

The Gainsight breach bears a striking resemblance to a prior attack that involved Salesloft Drift, which impacted over 700 Salesforce customers earlier this year. Security researchers suggest both incidents may be linked to the same threat actors, potentially affiliated with the ShinyHunters or UNC6240 groups, which have targeted Salesforce environments in multiple campaigns, including UNC6040.

To mitigate the issue, Salesforce revoked access tokens that allowed customers to connect Gainsight applications to their Salesforce instances. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the company stated. Salesforce emphasized that the issue did not originate from a vulnerability within its platform.

Gainsight Responds

Gainsight issued a public alert confirming disruptions to Salesforce connections and said it is actively collaborating with Salesforce to investigate the unusual activity. The company also temporarily removed its app from the HubSpot Marketplace as a precautionary measure, though it reported no suspicious activity linked to HubSpot accounts so far.

The full list of affected customers remains unclear. Gainsight serves approximately 1,000 clients, including major enterprises and tech firms. Given the scope of prior attacks, security experts warn that any connected services could potentially be compromised.

A Recurring Issue

The breach highlights the risks posed by third-party integrations in cloud environments. In the previous Salesloft Drift attack, threat actors reportedly accessed Salesloft’s GitHub repository in March, remaining undetected until mid-August, when they exfiltrated data from hundreds of organizations. Gainsight itself was among the affected customers in that incident.

Gainsight’s internal investigation into the new breach is ongoing, and the company has not disclosed how access tokens may have been compromised. Salesforce said it will provide updates and guidance to affected customers as the situation develops.

The recurring nature of these attacks underscores the importance of robust security measures and monitoring for organizations relying on third-party software integrations.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO