Salesforce Security Incident: Unauthorized Data Access via Compromised Gainsight OAuth Integrations
- Rescana

Executive Summary
On November 20–21, 2025, Salesforce disclosed a significant security incident involving unauthorized data access through Gainsight-published applications integrated with the Salesforce platform. The incident was not the result of a vulnerability in the Salesforce platform itself, but rather stemmed from the compromise and abuse of OAuth tokens issued to trusted third-party integrations. Attackers, attributed to the ShinyHunters (UNC6240) group, leveraged these tokens to access customer data via the applications’ API connections. In response, Salesforce revoked all active access and refresh tokens associated with the affected Gainsight applications and temporarily removed them from the AppExchange. The incident highlights the growing risk posed by third-party SaaS integrations and the persistent threat of OAuth token abuse. Organizations using Salesforce and similar SaaS platforms are advised to review all connected applications, revoke unnecessary or suspicious tokens, and enhance monitoring of OAuth activity. The evidence for these findings is drawn from direct statements by Salesforce, Gainsight, and independent threat intelligence sources, with all claims supported by primary sources (The Hacker News, 2025-11-21; Valence Security, 2025-11-21; The Register, 2025-11-20).
Technical Information
The incident centers on the abuse of OAuth tokens issued to Gainsight-published applications connected to Salesforce. OAuth tokens are bearer credentials that let a third-party application call the platform's API on behalf of users, often with broad scopes and long lifetimes. In this case, attackers obtained OAuth tokens associated with Gainsight apps, enabling them to access customer data through the Salesforce API. There is no evidence that the attackers exploited a vulnerability in the Salesforce platform or in the Gainsight applications themselves. Instead, the attack leveraged the trust and permissions granted to these third-party integrations.
Upon detection of unusual OAuth activity, Salesforce revoked all active access and refresh tokens for the affected Gainsight applications and removed them from the AppExchange. Gainsight also disabled API access for the implicated applications while investigations continued. The incident did not involve the deployment of malware or the exploitation of software vulnerabilities; rather, it was an abuse of legitimate access mechanisms.
The attack is attributed to the ShinyHunters (UNC6240) group, which has a history of targeting SaaS environments by compromising OAuth tokens. This group previously conducted a similar campaign against Salesloft Drift instances in August 2025, using stolen OAuth tokens to access both Salesforce and Google Workspace environments. In both cases, the attackers exploited the persistent and often unmonitored nature of OAuth tokens, which, once issued, are accepted without any further multi-factor authentication (MFA) prompt and provide extensive access to sensitive data.
The technical attack chain can be mapped to several MITRE ATT&CK techniques. The initial access was achieved through the compromise of OAuth tokens (T1078: Valid Accounts, T1529: Steal or Forge Authentication Certificates). Persistence was maintained via long-lived tokens that are rarely rotated. Privilege escalation and defense evasion were accomplished by abusing the trusted permissions of third-party applications, allowing malicious activity to blend in with normal API operations. Data collection and exfiltration were performed through legitimate API calls using the compromised tokens (T1530: Data from Cloud Storage Object).
The attackers accessed business contact details, email addresses, phone numbers, regional and location information, product licensing data, and support case contents (excluding attachments). The scope of the breach is significant, with over 200 Salesforce instances confirmed affected and up to 1,000 organizations potentially impacted across both the Salesloft and Gainsight campaigns.
The incident underscores the risks associated with third-party SaaS integrations and the need for robust monitoring and management of OAuth tokens. OAuth tokens are attractive targets for attackers because they often carry broad permissions, are approved by business users who may not fully understand the security implications, and generate activity that is difficult to distinguish from legitimate operations. The combination of trust, scope, and low visibility makes OAuth tokens a reliable vector for data theft and lateral movement within SaaS environments.
There is no evidence that the attackers made malicious modifications inside customer Salesforce environments or that a vulnerability in the Salesforce platform was exploited. The attack was limited to unauthorized data access via compromised OAuth tokens.
Affected Versions & Timeline
The incident was publicly disclosed on November 20–21, 2025, with Salesforce and Gainsight both issuing advisories and taking immediate action to mitigate the threat. The affected applications are Gainsight-published apps connected to Salesforce via OAuth. All active access and refresh tokens for these applications were revoked by Salesforce upon detection of the suspicious activity. The applications were also temporarily removed from the AppExchange, and API access was disabled by Gainsight.
The timeline of the incident is as follows: On November 20, 2025, Salesforce detected unusual OAuth activity involving Gainsight applications and initiated token revocation and app removal (The Register, 2025-11-20). On November 21, 2025, further details were published by Salesforce, Gainsight, and independent security researchers, confirming the nature and scope of the incident (The Hacker News, 2025-11-21; Valence Security, 2025-11-21).
The incident is part of a broader pattern of OAuth-focused attacks targeting SaaS integrations, with similar campaigns observed in August 2025 against Salesloft Drift and other platforms.
Threat Activity
The threat activity in this incident is characterized by the compromise and abuse of OAuth tokens issued to Gainsight-published applications integrated with Salesforce. The attackers, attributed to the ShinyHunters (UNC6240) group, used these tokens to access customer data via the Salesforce API. The activity was detected as unusual OAuth behavior, prompting immediate response actions by Salesforce and Gainsight.
The attackers did not exploit a vulnerability in the Salesforce platform or the Gainsight applications. Instead, they took advantage of the persistent and often unmonitored nature of OAuth tokens, which can provide broad access to sensitive data without triggering traditional security controls. The attack mirrors previous campaigns by ShinyHunters, including the Salesloft Drift incident, where stolen OAuth tokens were used to access multiple SaaS environments.
The data accessed by the attackers included business contact details, email addresses, phone numbers, regional and location information, product licensing data, and support case contents. There is no evidence that the attackers made malicious modifications to customer environments or deployed malware. The attack was limited to unauthorized data access via legitimate API calls using compromised OAuth tokens.
The incident highlights the increasing focus of threat actors on third-party SaaS integrations and the abuse of OAuth tokens as a means of bypassing traditional identity and access controls. The attackers targeted organizations across multiple sectors, with a particular focus on enterprises using Salesforce and Gainsight integrations. Over 200 Salesforce instances were confirmed affected, with up to 1,000 organizations potentially impacted across related campaigns.
Mitigation & Workarounds
Organizations using Salesforce and third-party integrations such as Gainsight should take immediate steps to mitigate the risk of OAuth token abuse. The following actions are recommended, prioritized by severity:
Critical: Review all third-party applications connected to Salesforce and immediately revoke tokens for any unused, suspicious, or unrecognized applications. This action is essential to prevent further unauthorized access using compromised tokens (The Hacker News, 2025-11-21; Valence Security, 2025-11-21; The Register, 2025-11-20).
High: Rotate all OAuth tokens and credentials associated with third-party integrations on a regular basis. Ensure that any tokens issued prior to the incident are replaced, and implement a policy for periodic token rotation to reduce the risk of long-term abuse.
High: Monitor Salesforce OAuth events and API activity for signs of anomalous behavior. Establish alerting for unusual access patterns, such as large data exports or access from unexpected locations.
Medium: Remove unnecessary integrations and validate that all remaining third-party applications have been approved by appropriate business owners. Limit the scope of permissions granted to integrations to the minimum necessary for business operations.
Medium: Ensure that security tools and processes are capable of identifying shadow SaaS applications and unmanaged integrations. Regularly audit the list of connected applications and review their access permissions.
Low: Educate business users about the risks associated with approving third-party integrations and the importance of following security best practices when granting OAuth access.
These mitigation steps are based on direct recommendations from Salesforce, Gainsight, and independent security researchers, and are aligned with best practices for managing OAuth security in SaaS environments.
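The monitoring and review steps above can be turned into a simple detection pass over connected-app API activity. The following is an added example, not code from Salesforce, Gainsight or Rescana: it runs three checks over constructed, Salesforce-style API event rows (column names, app IDs, addresses and the approved-app inventory are all assumptions) and produces the list of connected apps whose tokens should be reviewed.

```python
"""Flag anomalous connected-app API activity in Salesforce-style API event logs."""
import csv
import io
from statistics import median

# Constructed sample, loosely modelled on Salesforce EventLogFile API rows.
# Column names, connected-app IDs and IP addresses are assumptions, not real data.
SAMPLE_LOG = """TIMESTAMP,CONNECTED_APP_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
20251120T0100Z,0H4EXAMPLEGAIN,198.51.100.10,Account,200
20251120T0200Z,0H4EXAMPLEGAIN,198.51.100.10,Contact,250
20251120T0300Z,0H4EXAMPLEGAIN,198.51.100.10,Case,180
20251120T0400Z,0H4EXAMPLEGAIN,203.0.113.77,Contact,48000
20251120T0405Z,0H4EXAMPLEGAIN,203.0.113.77,Case,31000
20251120T0410Z,0H4EXAMPLEUNKN,203.0.113.77,Account,900
"""

# Assumed inventory: apps approved by a business owner, and the source
# addresses each integration is known to call the API from.
APPROVED_APPS = {"0H4EXAMPLEGAIN"}
KNOWN_SOURCES = {"0H4EXAMPLEGAIN": {"198.51.100.10"}}


def detect(log_text, approved=APPROVED_APPS, known=KNOWN_SOURCES,
           spike_factor=10, min_history=3):
    """Return one finding per rule hit, processing events in log order."""
    findings = []
    history = {}  # app id -> ROWS_PROCESSED of earlier events (the baseline)
    for row in csv.DictReader(io.StringIO(log_text)):
        app, ip = row["CONNECTED_APP_ID"], row["CLIENT_IP"]
        rows = int(row["ROWS_PROCESSED"])
        hits = []
        if app not in approved:                     # token for an app nobody approved
            hits.append(("unapproved_app", app))
        elif ip not in known.get(app, set()):       # approved app, unexpected source
            hits.append(("new_source_ip", ip))
        prior = history.setdefault(app, [])
        # Bulk export: this call moved far more rows than the app's own history
        if len(prior) >= min_history and rows > spike_factor * median(prior):
            hits.append(("bulk_export", f"{rows} rows vs median {median(prior):g}"))
        prior.append(rows)
        findings += [{"timestamp": row["TIMESTAMP"], "app": app,
                      "rule": rule, "detail": detail} for rule, detail in hits]
    return findings


def apps_to_review(findings):
    """Connected apps whose tokens should be reviewed and, if unrecognised, revoked."""
    return {f["app"] for f in findings}


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['app']} {f['rule']}: {f['detail']}")
    print("apps to review:", sorted(apps_to_review(detect(SAMPLE_LOG))))
```

The baseline is built only from each app's earlier events, so the first few rows of a new integration produce no bulk-export finding until a history exists.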
References
The Hacker News, 2025-11-21: https://thehackernews.com/2025/11/salesforce-flags-unauthorized-data.html
Valence Security, 2025-11-21: https://www.valencesecurity.com/resources/blogs/salesforce-gainsight-oauth-incident
The Register, 2025-11-20: https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, monitor, and manage risks associated with external vendors and SaaS integrations. Our platform enables continuous visibility into connected applications, supports the detection of unauthorized access, and assists in the enforcement of security policies for third-party integrations. For questions or further information, please contact us at ops@rescana.com.