Tuesday, 02 January 2024 12:17 GMT

Major Supply-Chain Breach Hits Salesforce Via Gainsight Apps


(MENAFN- The Arabian Post)

Cloud-software giant Salesforce has announced that it is investigating unauthorised activity involving applications published by the vendor Gainsight, which may have enabled access to customer data through the Salesforce platform. The firm said it has revoked all active access and refresh tokens associated with the Gainsight apps and temporarily removed those applications from its marketplace. It emphasised that the incident does not stem from a vulnerability in the Salesforce core platform.

Google's Threat Intelligence team reported that more than 200 Salesforce customer instances may have been affected in the breach, which is being attributed to the hacking collective known as Scattered LAPSUS$ Hunters. The group claims the intrusion relied on compromised OAuth tokens tied to the Gainsight integration.

Gainsight, which offers customer-success and service platforms used by large enterprises, confirmed that it is working with Salesforce and forensic firm Mandiant to investigate the incident, though it provided limited detail on the scope of data accessed or number of impacted customers.

Industry analysts say the breach marks a shift in cyber-attack strategy away from targeting core platforms and toward abusing trusted third-party integrations that hold elevated permissions. As Jaime Blasco, co-founder of Nudge Security, observed: “This is the new attack surface.”

The attack path reportedly followed a similar pattern to an earlier campaign in August that targeted another integration provider, Salesloft's Drift plug-in for Salesforce. That campaign was traced to the same hacker coalition and used compromised OAuth tokens to extract data across Salesforce-connected systems.

While Salesforce has not released a full list of affected customers, there are signs that some large technology firms conducted internal investigations, with at least one confirming that its Salesforce instance was not impacted. Salesforce urged all customers to review their list of connected apps, revoke unused or suspicious tokens, and rotate credentials where appropriate.


For enterprises relying heavily on interconnected cloud environments, the breach highlights several emerging risk vectors: firstly, a SaaS ecosystem is only as secure as its least-controlled integration; secondly, OAuth and API tokens have become high-value targets because they grant access to high-privilege systems without any platform vulnerability being exploited; and thirdly, threat actors are increasingly pooling forces and capabilities, as represented by the Scattered LAPSUS$ Hunters cohort.

Security leaders now face the challenge of inventorying all third-party applications, enforcing least-privilege access, segmenting cloud applications, rotating credentials, and monitoring connector behaviour for anomalies. Given the complexity of modern enterprise software stacks, few organisations are fully prepared for this type of supply-chain-style intrusion.
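The advice above (review connected apps, revoke suspicious tokens, watch connector behaviour) is easier to act on with a concrete check. The script below is an added example, not code from Salesforce, Gainsight or this article: it audits a batch of connected-app API activity for three signals that fit the pattern described here, an integration nobody approved, a token suddenly used from an IP never seen for that app, and a single day's data volume far above the app's own baseline, then produces the list of tokens to revoke. The record layout, app names, token ids and IP addresses are constructed for illustration; real Salesforce telemetry (Event Monitoring, the OauthToken object) uses its own field names, and the revocation call itself is left to the reader's tooling.

```python
"""Audit connected-app OAuth activity for signs of a compromised integration.

Added example, not vendor code. Field names and all sample data are assumptions
constructed here; map them to your own Salesforce Event Monitoring export.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class ApiEvent:
    """One API call made with a connected app's OAuth token (illustrative schema)."""
    app_name: str        # connected app that presented the token
    token_id: str        # id of the token record (hypothetical)
    username: str        # integration user the token acts as
    source_ip: str       # client address seen by the platform
    when: datetime
    rows_processed: int  # rows returned by the query or bulk job


@dataclass(frozen=True)
class Finding:
    token_id: str
    app_name: str
    reason: str


def daily_rows(events):
    """Sum rows_processed per (app, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e.app_name, e.when.date())] += e.rows_processed
    return totals


def audit(events, approved_apps, known_ips, spike_ratio=10, min_rows=10_000):
    """Return findings: unapproved app, new source IP, or extraction spike.

    known_ips maps app_name -> set of IPs observed for that app during the
    baseline period. A spike is a day at or above spike_ratio times the median
    of the app's earlier days, ignoring days below min_rows to avoid noise.
    """
    findings = set()
    totals = daily_rows(events)

    for e in events:
        if e.app_name not in approved_apps:
            findings.add(Finding(e.token_id, e.app_name, "app not on approved integration list"))
        if e.source_ip not in known_ips.get(e.app_name, set()):
            findings.add(Finding(e.token_id, e.app_name, f"token used from new source IP {e.source_ip}"))

    for (app, day), rows in totals.items():
        earlier = [r for (a, d), r in totals.items() if a == app and d < day]
        if not earlier or rows < min_rows:
            continue
        base = median(earlier)
        if base > 0 and rows >= spike_ratio * base:
            # Attribute the spike to every token that app used that day.
            for e in events:
                if e.app_name == app and e.when.date() == day:
                    findings.add(Finding(e.token_id, app, f"{rows} rows on {day} vs median {base:.0f}"))
    return sorted(findings, key=lambda f: (f.app_name, f.token_id, f.reason))


def revocation_plan(findings):
    """Token ids to revoke: every token with at least one finding."""
    return sorted({f.token_id for f in findings})


def sample_events():
    """Constructed sample, not real telemetry: a week of steady Gainsight use, then
    a bulk pull from an unknown IP; a healthy Slack app; an integration nobody approved."""
    start = datetime(2025, 11, 10, 9, 0)
    ev = []
    for d in range(7):
        ev.append(ApiEvent("Gainsight", "tok-gs-01", "svc-gainsight@example.com",
                           "203.0.113.10", start + timedelta(days=d), 2_000))
        ev.append(ApiEvent("Slack", "tok-slack-01", "svc-slack@example.com",
                           "203.0.113.20", start + timedelta(days=d), 500))
    ev.append(ApiEvent("Gainsight", "tok-gs-01", "svc-gainsight@example.com",
                       "198.51.100.7", start + timedelta(days=7, hours=3), 250_000))
    ev.append(ApiEvent("LegacySync", "tok-ls-01", "svc-legacy@example.com",
                       "203.0.113.30", start + timedelta(days=3), 120))
    return ev


APPROVED_APPS = {"Gainsight", "Slack"}
KNOWN_IPS = {"Gainsight": {"203.0.113.10"}, "Slack": {"203.0.113.20"}, "LegacySync": {"203.0.113.30"}}

if __name__ == "__main__":
    found = audit(sample_events(), APPROVED_APPS, KNOWN_IPS)
    for f in found:
        print(f"{f.app_name:<12} {f.token_id:<12} {f.reason}")
    print("revoke:", revocation_plan(found))
```

On the constructed sample this flags the Gainsight token twice (new IP and a 250,000-row day against a 2,000-row median) and the unapproved LegacySync token once, while the Slack app stays clean. The baseline is per app rather than global because a customer-success connector and a chat connector legitimately move very different volumes; tuning spike_ratio and min_rows to your own exports is the part that needs judgement.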




The Arabian Post
