According to Dark Reading, hackers connected to the ShinyHunters extortion operation have breached Salesforce customers through the Gainsight integration in a near replica of their August attack on Salesloft’s Drift. The threat actors stole OAuth tokens that connect Gainsight and Salesforce, potentially compromising hundreds of organizations’ Salesforce environments with all permissions those organizations granted the app. Google Threat Intelligence Group researchers attribute the attack to ShinyHunters-linked hackers and confirm over 200 customer instances impacted, while the hackers themselves claim access to Salesforce data for nearly 1,000 organizations between both Drift and Gainsight campaigns. Salesforce responded by revoking all active access tokens associated with Gainsight-published apps and temporarily removing those apps from AppExchange. Gainsight admitted attackers accessed business email addresses, product licensing information, and customer support case content through their compromised Drift instance.
Supply Chain Déjà Vu
Here’s the thing that’s really concerning about this attack: it’s basically the same playbook they used just months ago. AppOmni CTO Brian Soby puts it perfectly: “I think they just saw the success of the Drift campaign and said, ‘Oh, we should do that instead.’ Phishing all of these users is way too much work. Let’s just go pop a supply chain and take all their credentials.” And that’s exactly what happened. They compromised Gainsight, stole the OAuth tokens, and suddenly had the keys to hundreds of Salesforce kingdoms.
What makes this particularly frustrating is how preventable it was. Organizations were giving these third-party apps way more access than they needed. Soby points out that Drift is a sales intelligence app – why does it need broad access to entire environments? The solution seems obvious in hindsight: restrict permissions to only what’s absolutely necessary. But nobody thinks about security until after the breach.
Salesforce’s Double-Edged Response
Now, Salesforce’s response here is fascinating. On one hand, they acted quickly to contain the damage by revoking tokens and pulling apps from AppExchange. That’s the responsible thing to do, right? But Soby warns it’s a double-edged sword. When Salesforce deleted all those tokens, they also deleted all the connection records. So now organizations have no idea which users and activities they need to investigate. The forensic trail is gone.
This isn’t the first time either – they did the same thing with the Drift breach. Is it net good? Probably. But the tradeoffs are heavy. You’re protected from ongoing access, but you’re flying blind about what might have already been stolen. It’s the cybersecurity equivalent of burning the evidence to stop the fire from spreading.
The Real Problem: SaaS Security
This breach reveals a much bigger issue that extends far beyond Salesforce. Organizations have completely misunderstood their responsibility in SaaS security. Soby nails it: “SaaS applications in general sell themselves on: it’s managed for you. It’s totally secure, you don’t have to do much, just let your business unit run with it. And as it turns out, that’s a terrible strategy.”
Business units are focused on selling or customer support – not security. Security teams assume the business unit has it covered, and the business unit doesn’t even realize that’s its responsibility. So this week you end up with security teams asking: “Do we use Gainsight?” They’re going back to procurement and legal saying: “Hey, do we have a contract with a company called Gainsight?” That’s how disconnected security has become from actual business operations.
Gainsight’s Wider Reach
Here’s what really keeps me up at night: this isn’t just a Salesforce problem. Gainsight integrates with Slack, Microsoft Teams, HubSpot, Zendesk, ServiceNow, Jira, Snowflake, and many more platforms. If you think your organization is safe because you only use Gainsight with one system, think again.
Soby’s observation hits hard: “If you tell a company that you need to unplug Gainsight right now, because it’s compromised, I bet 99% of companies don’t even know where to go. They’ll probably go into Salesforce. Do you realize it’s also plugged into Snowflake? Do you realize it’s plugged into a workspace? Absolutely not.” This is the reality of modern SaaS ecosystems – the attack surface is massive, and most organizations don’t even know where all their connections are.
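The three defensive moves the sections above argue for can be put into one script: answer “where is this vendor plugged in?”, compare each grant against a least-privilege baseline, and snapshot the connection records before tokens are revoked so the forensic trail Soby describes losing is kept. This is an added example, not code from Dark Reading, AppOmni, Salesforce or Gainsight. Every grant record, user, scope name and the baseline are constructed for the example and are not real Salesforce, Gainsight or Drift scope identifiers; a real run would populate the records from each platform’s connected-app or token inventory, which is out of scope here.

```python
"""Triage of third-party SaaS integrations: inventory, least-privilege check,
and evidence preservation before token revocation.

Added example; all grant records, scope names and the least-privilege
baseline below are constructed and do not correspond to real Salesforce,
Gainsight or Drift scope identifiers.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class OAuthGrant:
    platform: str        # SaaS platform the token grants access to
    app: str             # third-party app holding the token
    granted_by: str      # user who authorised the connection
    scopes: frozenset    # permissions carried by the token
    last_used: str       # ISO-8601 timestamp of the last token use


# Constructed inventory: one vendor plugged into several platforms, plus the
# earlier Drift grant, mirroring the situation the article describes.
GRANTS = [
    OAuthGrant("salesforce", "gainsight", "ops.admin@example.com",
               frozenset({"read:accounts", "read:cases", "write:cases", "full"}),
               "2025-11-18T09:12:00Z"),
    OAuthGrant("salesforce", "drift", "sales.lead@example.com",
               frozenset({"read:contacts", "full"}), "2025-08-02T14:05:00Z"),
    OAuthGrant("snowflake", "gainsight", "data.eng@example.com",
               frozenset({"read:warehouse"}), "2025-11-17T22:40:00Z"),
    OAuthGrant("slack", "gainsight", "cs.manager@example.com",
               frozenset({"chat:write"}), "2025-11-10T08:00:00Z"),
]

# Assumed least-privilege baseline: what each app actually needs per platform.
BASELINE = {
    ("salesforce", "gainsight"): frozenset({"read:accounts", "read:cases"}),
    ("salesforce", "drift"): frozenset({"read:contacts"}),
    ("snowflake", "gainsight"): frozenset({"read:warehouse"}),
    ("slack", "gainsight"): frozenset({"chat:write"}),
}


def footprint(grants, vendor):
    """Answer 'where is this vendor plugged in?' with every platform it touches."""
    return sorted({g.platform for g in grants if g.app == vendor})


def excess_scopes(grants, baseline):
    """Map (platform, app) to the scopes granted beyond the baseline.

    An app missing from the baseline is treated as needing nothing, so every
    scope it holds is reported as excess and forces an explicit decision."""
    excess = {}
    for g in grants:
        extra = g.scopes - baseline.get((g.platform, g.app), frozenset())
        if extra:
            excess[(g.platform, g.app)] = extra
    return excess


def snapshot_before_revoke(grants, vendor, taken_at):
    """Capture the vendor's grant records before revocation.

    Revoking tokens removes the connection records along with them, so the
    snapshot is what later tells investigators which users and platforms to
    review. taken_at is an ISO-8601 timestamp supplied by the caller."""
    records = [{**asdict(g), "scopes": sorted(g.scopes)}
               for g in grants if g.app == vendor]
    return {
        "vendor": vendor,
        "snapshot_at": taken_at,
        "grants": records,
        "users_to_review": sorted({r["granted_by"] for r in records}),
    }


if __name__ == "__main__":
    import json
    from datetime import datetime, timezone

    print("gainsight footprint:", footprint(GRANTS, "gainsight"))
    for key, extra in excess_scopes(GRANTS, BASELINE).items():
        print("excess scopes for", key, "->", sorted(extra))
    snap = snapshot_before_revoke(
        GRANTS, "gainsight", datetime.now(timezone.utc).isoformat())
    print(json.dumps(snap, indent=2))
```

The ordering matters: the snapshot is taken first and stored somewhere the revocation cannot touch, then tokens are revoked, and the `users_to_review` list drives the investigation of what those accounts’ integrations may have exposed. The scope comparison is what turns Soby’s “why does it need broad access?” into a standing check rather than a post-breach realisation.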
The scary part? This probably isn’t the last we’ll see of this attack pattern. The hackers found a method that works, and there are hundreds of other third-party apps integrated with major platforms like Salesforce. Until organizations get serious about SaaS security management and stop granting excessive permissions, we’re likely to see more of these supply chain breaches. The question isn’t if there will be another one – it’s when, and through which app.
