A Supply-Chain Breach Spreads Through Salesforce
- Javier Conejo del Cerro
- 1 day ago
- 3 min read

A coordinated supply-chain intrusion has exposed how a single third-party integration can cascade across interconnected SaaS environments. ShinyHunters breached Gainsight applications connected to Salesforce by reusing credentials stolen in the Salesloft attack and abusing compromised OAuth tokens, enabling unauthorized access to customer data through the integration layer. Salesforce revoked all affected tokens, removed the Gainsight apps from the AppExchange, and confirmed that the core platform itself was not vulnerable. Gainsight disabled API access, initiated a forensic investigation with Mandiant, and acknowledged disruption to any functionality dependent on Salesforce data synchronisation. Meanwhile, ShinyHunters claim data tied to nearly 1,000 organisations, threaten extortion, and assert that access extended to approximately 285 Salesforce customer systems, although Salesforce has only confirmed three affected so far.
Phase 1: Initial Access via Reused Credentials
The operation began when attackers reused credentials previously stolen in the Salesloft breach, in which Gainsight was itself a victim. Those credentials gave access to Gainsight systems and to the OAuth tokens that linked its applications to customers' Salesforce orgs. OAuth tokens are bearer credentials: whoever presents a valid one is accepted without the user's password or MFA, so the attackers did not need to defeat any login control. They simply inherited the scopes the Gainsight connected app had already been granted and pivoted along that trusted integration path. This is a recurring pattern in SaaS intrusions: access gained in one platform becomes a foothold into another because identity and token trust chains span both.
Phase 2: Token Abuse and Unauthorized API Activity
Once inside, ShinyHunters abused the OAuth tokens to initiate API calls from non-whitelisted IP ranges. These calls exposed business contact details, licensing information, and other customer data accessible through Gainsight’s integration scope. Salesforce detected anomalous activity and responded by revoking all active tokens tied to Gainsight apps and removing them from the AppExchange. Gainsight confirmed that any capability requiring read/write interaction with Salesforce was disrupted, including Connector sync, Rules, Data Designer, Cockpit, Reports, Timeline, and Renewal Center, while native in-app workflows continued functioning.
Phase 3: Supply-Chain Expansion and Extortion Pressure
ShinyHunters claim the breach affected nearly 1,000 organisations, naming F5, GitLab, Verizon, LinkedIn, DocuSign, Atlassian, SonicWall, Malwarebytes, and Thomson Reuters among others, and allege that stolen secrets enabled access to roughly 285 additional Salesforce environments. Salesforce, however, maintains that only three customers are confirmed impacted to date. The attackers are attempting to leverage these claims to extort victims and pressure Salesforce, threatening to publish a new leak site containing data from both the Gainsight and Salesloft campaigns. Gainsight further revoked access to its Zendesk connector and temporarily removed its application from the HubSpot Marketplace while investigation continues.
Phase 4: Investigation, Containment, and Complications
Gainsight brought in Mandiant to conduct an independent forensic review and has stated that API access will not be restored until all security layers are validated. Customers have been advised to identify every location where a Gainsight integration existed, revoke the associated tokens, and assess whether any of those connections were abused. Industry analysis highlights a complication: because Salesforce deleted the tokens, customers no longer have the token-level records that would show which users granted OAuth access to the app, which makes building a forensic timeline harder. Experts note that this breach closely mirrors the earlier Salesloft Drift attack and shows that many organisations did not adopt the supply-chain security lessons that incident exposed.
Measures to Fend Off the Breach
Revoke and reissue all OAuth tokens associated with Gainsight integrations, in Salesforce and in any other platform (Zendesk, HubSpot) the app was connected to.
Identify every system where a Gainsight integration was enabled and audit each connection for signs of abuse before re-enabling it.
Monitor API and login event logs for connected-app activity from unexpected source IPs, unusual data volumes, and token use outside the integration's normal working pattern.
Restrict third-party SaaS permissions to the least privilege the integration actually needs and enforce IP allow-listing for connected apps.
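The detection and triage described in Phase 2 and in the measures above can be run over event logs even after the tokens themselves are gone, because the per-call records still carry the user whose grant was used. The following is an added example, not code from the article, from Gainsight, or from Salesforce: it reads constructed records in the general shape of Salesforce API event-log rows (the column names, the connected app name, the user IDs and the IP ranges are all assumptions), flags connected-app calls whose source IP is outside the app's allow-list, and produces the list of user grants that need revoking.

```python
"""Flag connected-app API calls from non-allow-listed IPs and derive a revocation list.

Added example (not the article's or any vendor's code). Column names follow the
general shape of Salesforce EventLogFile 'API' rows but are assumptions; the log
lines, app names, user IDs and IP ranges below are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log (assumed column layout).
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CONNECTED_APP_NAME,CLIENT_IP,API_RESOURCE,ROWS_PROCESSED
API,2025-11-20T02:14:03Z,005A1,Gainsight Connector,203.0.113.10,Contact,2000
API,2025-11-20T02:14:09Z,005A1,Gainsight Connector,203.0.113.10,Account,500
API,2025-11-20T03:01:44Z,005B2,Gainsight Connector,198.51.100.7,License__c,10000
API,2025-11-20T03:02:10Z,005B2,Gainsight Connector,198.51.100.7,Contact,10000
API,2025-11-20T09:30:00Z,005C3,Internal Reporting,10.20.0.5,Opportunity,150
"""

# Egress ranges each connected app is allowed to call from (assumed values;
# in practice take them from the vendor's published IP list).
ALLOWED_RANGES = {
    "Gainsight Connector": [ipaddress.ip_network("203.0.113.0/24")],
    "Internal Reporting": [ipaddress.ip_network("10.0.0.0/8")],
}


def parse_log(text):
    """Parse the CSV-shaped event log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def ip_allowed(app, ip):
    """True only if the app is known and the source IP is inside one of its ranges."""
    ranges = ALLOWED_RANGES.get(app)
    if ranges is None:
        return False  # unknown connected app: deny by default, never allow by omission
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_suspect_calls(rows):
    """API rows made by a connected app from an IP outside its allow-list."""
    return [
        r for r in rows
        if r["EVENT_TYPE"] == "API" and not ip_allowed(r["CONNECTED_APP_NAME"], r["CLIENT_IP"])
    ]


def summarise(suspects):
    """Group suspect calls by (app, source IP): which user grants were used,
    which objects were touched, how many rows moved, and the time window."""
    out = defaultdict(lambda: {"users": set(), "objects": set(), "rows": 0, "first": None, "last": None})
    for r in suspects:
        s = out[(r["CONNECTED_APP_NAME"], r["CLIENT_IP"])]
        s["users"].add(r["USER_ID"])
        s["objects"].add(r["API_RESOURCE"])
        s["rows"] += int(r["ROWS_PROCESSED"])
        # ISO-8601 timestamps in the same zone sort correctly as strings
        s["first"] = r["TIMESTAMP"] if s["first"] is None else min(s["first"], r["TIMESTAMP"])
        s["last"] = r["TIMESTAMP"] if s["last"] is None else max(s["last"], r["TIMESTAMP"])
    return dict(out)


def revocation_plan(summary):
    """Users whose OAuth grant to the suspect app was exercised and must be revoked
    (the app's own token set is reissued separately)."""
    return sorted({u for s in summary.values() for u in s["users"]})


if __name__ == "__main__":
    suspects = find_suspect_calls(parse_log(SAMPLE_LOG))
    summary = summarise(suspects)
    for (app, ip), s in summary.items():
        print(f"{app} from {ip}: users={sorted(s['users'])} objects={sorted(s['objects'])} "
              f"rows={s['rows']} window={s['first']}..{s['last']}")
    print("revoke grants for users:", revocation_plan(summary))
```

Run against the constructed sample, the two calls from 198.51.100.7 are flagged (20,000 rows across Contact and a licensing object, all under user 005B2's grant) while the calls from the allow-listed range pass. Two design points matter in an incident like this one: an unknown connected app is denied rather than ignored, and the user ID is taken from the per-call log rather than from the token store, so the "which users granted access" question in Phase 4 can still be answered after Salesforce has revoked the tokens.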
The Gainsight–Salesforce breach underscores a critical point: SaaS security failures increasingly come not from platform vulnerabilities but from interconnected applications, token trust relationships, and third-party integrations. ShinyHunters weaponised previously stolen credentials, reused them across platforms, presented stolen OAuth tokens in place of interactive authentication, and followed supply-chain pathways to widen the impact. The incident shows how fragile SaaS ecosystems are when identity, access, and APIs bind systems together more tightly than most organisations realise. Resilience now depends on full visibility into integrations, strict governance of tokens and permissions, continuous monitoring of cross-platform access paths, and a recognition that SaaS supply-chain security is no longer optional but foundational to enterprise risk management.
Hack Read
