Incident

Salesforce revokes Gainsight application tokens after data theft campaign targeting customer instances


Salesforce has revoked all active access and refresh tokens associated with Gainsight-published applications after detecting unusual activity that indicated unauthorized access to customer data. 

Salesforce temporarily removed Gainsight applications from the AppExchange marketplace on November 19, 2025, as investigations continue into what appears to be a supply chain attack using stolen OAuth credentials. This incident is another wave of data theft attacks targeting Salesforce customers through compromised third-party integrations.

The attack on Gainsight-published applications stems from the earlier security breach involving Salesloft Drift, a marketing software-as-a-service platform used for automating sales workflows and managing customer leads.

In August 2025, attackers successfully stole OAuth tokens connected to Salesloft Drift's integration with Salesforce, which subsequently enabled them to pivot and compromise additional third-party applications, including those published by Gainsight. The ShinyHunters cybercrime collective claims it gained access to approximately 285 Salesforce instances through the Gainsight breach, using secrets and credentials stolen during the earlier Salesloft Drift campaign.

Salesforce has directly notified all affected customers and advised organizations requiring assistance to contact Salesforce Help through their support portal. The company worked with both Salesloft and Gainsight to invalidate compromised access tokens and implement protective measures. 

By late August 2025, Salesforce and Salesloft had revoked all active access and refresh tokens associated with the Drift application. Similar actions were taken for Gainsight applications in November. Gainsight confirmed that as soon as they learned of the incident, they immediately disconnected the Salesloft application from their Salesforce environment and verified that the breach was isolated to their CRM platform without impacting their core products or services.

Organizations using third-party applications integrated with Salesforce are urged to audit all connected applications, review API logs for unusual data exports, rotate integration tokens and credentials, and search for exposed secrets within integrated platforms.
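One way to approach the API log review recommended above, shown as an added example that is not part of the original article or any vendor's tooling. The column names, application names, IP addresses, review cutoff and volume threshold are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample data. Column names are assumptions for this example,
# not the schema of any vendor's log export.
SAMPLE_LOG = """timestamp,connected_app,client_ip,rows_returned
2025-11-01T09:00:00Z,ExampleIntegration,198.51.100.10,1200
2025-11-02T09:00:00Z,ExampleIntegration,198.51.100.10,900
2025-11-03T09:00:00Z,ExampleIntegration,198.51.100.10,1100
2025-11-01T10:00:00Z,ExampleReporting,198.51.100.20,300
2025-11-02T10:00:00Z,ExampleReporting,198.51.100.20,350
2025-11-18T02:14:00Z,ExampleIntegration,203.0.113.77,250000
2025-11-18T09:00:00Z,ExampleIntegration,198.51.100.10,1000
2025-11-18T10:00:00Z,ExampleReporting,198.51.100.20,320
2025-11-18T11:00:00Z,ExampleNewApp,198.51.100.30,50
"""

def load_records(text):
    return [dict(r, rows_returned=int(r["rows_returned"])) for r in csv.DictReader(io.StringIO(text))]

def flag_unusual_exports(records, review_start, volume_factor=10):
    """Compare calls on or after review_start with each app's earlier baseline."""
    baseline_rows = defaultdict(list)
    baseline_ips = defaultdict(set)
    review = []
    for r in records:
        # Same-format ISO 8601 UTC timestamps compare correctly as strings.
        if r["timestamp"] < review_start:
            baseline_rows[r["connected_app"]].append(r["rows_returned"])
            baseline_ips[r["connected_app"]].add(r["client_ip"])
        else:
            review.append(r)
    findings = []
    for r in review:
        app = r["connected_app"]
        reasons = []
        if app not in baseline_rows:
            reasons.append("no baseline for app")
        else:
            if r["client_ip"] not in baseline_ips[app]:
                reasons.append("new source IP")
            if r["rows_returned"] > volume_factor * median(baseline_rows[app]):
                reasons.append("export volume above baseline")
        if reasons:
            findings.append((r["timestamp"], app, r["client_ip"], reasons))
    return findings
```

Calling `flag_unusual_exports(load_records(SAMPLE_LOG), "2025-11-15T00:00:00Z")` returns the findings to triage; each one names the connected application whose tokens would be candidates for rotation.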

Update: as of the 27th of November, Gainsight reports that the security breach has impacted more customers than initially reported, but Gainsight CEO Chuck Ganapathi said "we presently know of only a handful of customers who had their data affected". The cybercrime group ShinyHunters has claimed responsibility for the breach.
