Salesforce warned that it had detected ‘unusual activity’ involving applications published by Gainsight that were connected to its platform, and said the activity may have enabled unauthorized access to some customers’ Salesforce data.
The vendor said it has revoked all active access and refresh tokens associated with Gainsight-published applications and has temporarily removed those applications from the AppExchange while the investigation continues. Salesforce added that there is no indication the issue resulted from a vulnerability in the Salesforce platform, and that it has notified affected customers, though it did not disclose how many were impacted.
Gainsight said the app has been temporarily pulled from the HubSpot Marketplace and that the review may affect OAuth access for customer connections; it also said no suspicious activity related to HubSpot has been observed to date.
A Google Threat Intelligence Group analyst, posting his observations on LinkedIn, described the activity as an emerging campaign that targets Gainsight-published applications connected to Salesforce. The activity is assessed to be tied to threat actors associated with the ShinyHunters group (UNC6240), mirroring earlier attacks against Salesloft Drift instances; DataBreaches.Net reports the group has confirmed the campaign and claimed to have stolen data from nearly 1,000 organisations.
In an earlier intrusion that targeted Salesloft Drift instances, attackers accessed business contact details including names, business email addresses, phone numbers, regional information, product licensing data and support case contents without attachments. Gainsight previously said it was among the Salesloft Drift customers affected, but it is not yet clear whether that earlier incident played a role in the current activity.
Security advisers urged organisations to review all third-party applications connected to Salesforce, revoke tokens for unused or suspicious applications and rotate credentials where integration anomalies are flagged.
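The review the advisers describe can be scripted as a triage pass over an inventory of connected-app tokens. The sketch below is an added example, not code from Salesforce, Gainsight or the advisers quoted; the CSV columns, the 90-day "unused" threshold and the publisher watchlist are assumptions, and the inventory rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are assumptions for this
# example, not a Salesforce export format.
SAMPLE_INVENTORY = """app_name,publisher,user,last_used,anomaly_flagged
Gainsight CS,Gainsight,svc-integration,2025-11-18,no
Drift Chat,Salesloft,svc-marketing,2025-08-01,no
Legacy Sync,Internal,svc-old,2025-03-02,no
Never Used App,Internal,svc-x,,no
Billing Connector,Internal,svc-billing,2025-11-19,yes
Billing Connector,Internal,j.doe,2025-11-20,no
Reporting Hub,Internal,svc-bi,2025-11-20,no
"""

# Assumption: publishers named in the article are treated as suspicious
# until their investigations conclude.
WATCHLIST = {"gainsight", "salesloft"}
STALE_DAYS = 90  # assumed cut-off for calling an application "unused"


def triage(inventory_csv, today, stale_days=STALE_DAYS):
    """Aggregate token rows per app and return {app_name: [actions]}."""
    apps = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        app = apps.setdefault(row["app_name"], {
            "publisher": row["publisher"].strip().lower(),
            "last_used": date.min,   # a token with no recorded use counts as stale
            "anomaly": False,
        })
        if row["last_used"]:
            used = date.fromisoformat(row["last_used"])
            app["last_used"] = max(app["last_used"], used)
        app["anomaly"] |= row["anomaly_flagged"].strip().lower() == "yes"

    result = {}
    for name, app in apps.items():
        actions = set()
        if app["publisher"] in WATCHLIST:
            actions.add("revoke_tokens")        # suspicious application
        if (today - app["last_used"]).days > stale_days:
            actions.add("revoke_tokens")        # unused application
        if app["anomaly"]:
            actions.add("rotate_credentials")   # integration anomaly flagged
        result[name] = sorted(actions) or ["keep"]
    return result
```

An app is judged by its most recent use across all users, so one active user keeps it out of the "unused" bucket, while a single flagged anomaly on any of its tokens is enough to recommend credential rotation.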

