Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity
Salesforce has warned of detected "unusual activity" related to Gainsight-published applications connected to the platform. "Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app's connection," the company said in an advisory. The cloud services firm said it has taken the step of revoking all active access and refresh
AI Analysis
Technical Summary
The security threat involves unauthorized access to Salesforce customer data through OAuth tokens linked to Gainsight-published applications integrated with the Salesforce platform. Salesforce detected unusual activity indicative of a compromise of these OAuth tokens, which are used to authorize third-party applications to access Salesforce data on behalf of users. The investigation revealed that this activity likely enabled threat actors to access sensitive customer data without direct exploitation of Salesforce platform vulnerabilities. Instead, the attack leveraged the trust relationship established by OAuth tokens granted to Gainsight applications. In response, Salesforce revoked all active access and refresh tokens associated with these apps and temporarily removed the Gainsight applications from its AppExchange marketplace to prevent further unauthorized access. Gainsight also proactively removed its app from the HubSpot Marketplace to mitigate potential risks. The threat actors behind this campaign have been linked to the ShinyHunters group (UNC6240), known for targeting SaaS integrations and previously conducting similar attacks against Salesloft Drift instances. The attackers reportedly stole data from nearly 1000 organizations, including business contact details, product licensing information, and support case contents. This incident underscores the growing trend of adversaries targeting OAuth tokens as a vector to bypass traditional security controls and gain unauthorized access to cloud-based SaaS environments. The attack does not require exploiting a software vulnerability in Salesforce itself but abuses the OAuth authorization mechanism and third-party app integrations. Organizations using Salesforce and connected third-party applications are urged to audit their OAuth token usage, revoke tokens for unused or suspicious apps, and rotate credentials where anomalies are detected to mitigate the risk of unauthorized data exposure.
Potential Impact
For European organizations, this threat poses significant risks to the confidentiality and integrity of sensitive business data stored within Salesforce environments. Unauthorized access via compromised OAuth tokens can lead to exposure of customer contact information, licensing details, and support case data, potentially resulting in reputational damage, regulatory non-compliance (e.g., GDPR violations), and financial losses. The indirect nature of the attack—exploiting trusted third-party integrations rather than platform vulnerabilities—makes detection and prevention more challenging. Organizations relying heavily on Salesforce and Gainsight integrations may face operational disruptions due to revoked tokens and temporary app removals. Additionally, the incident highlights the risk of supply chain attacks through SaaS ecosystems, which are prevalent in Europe’s digital infrastructure. The involvement of a known threat actor group with a history of targeting SaaS platforms increases the likelihood of targeted campaigns against high-value European enterprises, especially those in sectors with stringent data protection requirements such as finance, healthcare, and telecommunications.
Mitigation Recommendations
European organizations should implement a multi-layered approach to mitigate this threat:
1) Conduct a comprehensive audit of all third-party applications connected to Salesforce, focusing on OAuth token usage and permissions granted.
2) Immediately revoke access and refresh tokens for any unused, suspicious, or high-risk applications, particularly those published by Gainsight or similar vendors.
3) Enforce strict least-privilege principles for OAuth scopes granted to third-party apps to minimize data exposure.
4) Implement continuous monitoring and anomaly detection for OAuth token usage patterns to identify unusual access behaviors promptly.
5) Rotate credentials and secrets associated with integrations regularly and after any suspicious activity.
6) Engage in vendor risk management by requiring third-party SaaS providers to demonstrate robust security controls around OAuth token management.
7) Educate security and IT teams on the risks of OAuth token abuse and best practices for securing SaaS integrations.
8) Leverage Salesforce's security features such as Event Monitoring and Identity Verification to enhance visibility and control over connected applications.
9) Prepare incident response plans specifically addressing OAuth token compromise scenarios to enable rapid containment and remediation.
10) Collaborate with Salesforce and Gainsight support channels for timely updates and guidance during ongoing investigations.
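Recommendations 4 and 8 above call for baselining connected-app activity and alerting on deviations. The following is an added example (not from the advisory or from Salesforce or Gainsight) of that check run over constructed log rows whose field names are modeled on the Salesforce EventLogFile "API" event schema; the app names, IPs, and per-app baselines are assumptions and should be mapped to your own export.

```python
"""Baseline-vs-observed check of connected-app API activity (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample rows. Field names are modeled on the EventLogFile "API"
# event type (assumption: verify against your own export). One integration
# behaves normally; the other's token is suddenly used from a new address to
# bulk-read Contact and Case records, the objects named in the advisory.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,2025-11-20T02:10:01Z,integ@example.com,Gainsight-Connector,203.0.113.10,Account,40
API,2025-11-20T02:10:05Z,integ@example.com,Gainsight-Connector,203.0.113.10,Account,35
API,2025-11-20T02:11:40Z,integ@example.com,Gainsight-Connector,198.51.100.7,Contact,2000
API,2025-11-20T02:12:02Z,integ@example.com,Gainsight-Connector,198.51.100.7,Case,2000
API,2025-11-20T02:12:30Z,integ@example.com,Gainsight-Connector,198.51.100.7,Case,2000
API,2025-11-20T02:15:00Z,svc@example.com,Billing-Sync,203.0.113.20,Account,10
"""

# Per-app baseline (assumed values a defender would learn from prior weeks):
# expected source addresses, objects the app legitimately touches, and a
# rows-per-window ceiling.
BASELINE = {
    "Gainsight-Connector": {"ips": {"203.0.113.10"}, "entities": {"Account"}, "max_rows": 500},
    "Billing-Sync": {"ips": {"203.0.113.20"}, "entities": {"Account"}, "max_rows": 100},
}


def detect_connected_app_anomalies(log_text, baseline):
    """Return sorted (app, reason) findings for apps deviating from their baseline."""
    rows_by_app = defaultdict(int)
    findings = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["CLIENT_NAME"]
        base = baseline.get(app)
        if base is None:
            # A token used by an app nobody baselined is itself a finding.
            findings.add((app, "unknown connected app (not in baseline)"))
            continue
        if row["CLIENT_IP"] not in base["ips"]:
            findings.add((app, f"new source IP {row['CLIENT_IP']}"))
        if row["ENTITY_NAME"] not in base["entities"]:
            findings.add((app, f"unexpected object {row['ENTITY_NAME']}"))
        rows_by_app[app] += int(row["ROWS_PROCESSED"])
    for app, total in rows_by_app.items():
        if total > baseline[app]["max_rows"]:
            findings.add((app, f"volume {total} rows exceeds ceiling {baseline[app]['max_rows']}"))
    return sorted(findings)
```

Any finding against an app should feed the token-revocation step in recommendation 2 rather than wait for a human to read the log.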
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland, Belgium, Switzerland
Article Source
https://thehackernews.com/2025/11/salesforce-flags-unauthorized-data.html (fetched 2025-11-21)