The victim needs to enter a code to connect the threat actor-controlled Data Loader | Image: GTIG
Salesforce has issued an urgent security alert after discovering unusual activity involving Gainsight-published applications connected to its platform—an incident that may have exposed certain customers’ Salesforce data. The company has taken decisive containment steps, including revoking all access tokens associated with Gainsight integrations and removing the affected apps from the AppExchange while the investigation continues.
According to the notification, “Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce… [which] may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.”
Upon detecting the suspicious activity, Salesforce moved quickly to sever any active connections.
The alert confirms: “Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange.”
The company emphasized that the incident does not stem from any vulnerability within the Salesforce core platform, clarifying: “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”
While Salesforce notified customers potentially affected by the unauthorized access, Gainsight’s own status updates confirm significant service disruption as their team investigates the connector failures.
Across multiple updates, Gainsight acknowledged that access via Salesforce remains unavailable. The company’s engineering and security teams are working jointly with Salesforce to diagnose the root cause and safely restore operations.
One update notes: “Access to Gainsight via Salesforce remains unavailable at this time.”
Another adds: “Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure while their investigation into unusual activity continues.”
Gainsight stresses that their internal investigation remains active.
The ripple effect extended beyond Salesforce integrations. Gainsight revealed that Salesforce also revoked access for Zendesk connectors “as a precaution,” while HubSpot temporarily delisted the Gainsight app from its marketplace.
Salesforce asserts that only customers using Gainsight-published applications are impacted, and that the suspicious activity involves app-to-Salesforce connections rather than a vulnerability in the Salesforce platform. Gainsight confirms ongoing disruptions specifically for features that rely on synchronous or real-time API interactions.
As one update explains: “This is currently causing disruptions to Gainsight functionalities that rely on synchronous or real-time API interactions with Salesforce.”
Salesforce has directly notified known affected customers and encourages anyone needing assistance to contact their support channels.