Salesforce Cuts Gainsight Links After Suspicious App Activity

Salesforce said it found odd activity tied to Gainsight apps that customers install and run. The company said this behavior may have let bad actors reach some customers’ Salesforce data through the apps’ connections.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” reads the notification published by the company.

After spotting the activity, Salesforce took quick steps. It revoked all Gainsight app tokens and temporarily removed the related apps from the AppExchange. The firm said it did not find a flaw in the Salesforce platform itself and that the issue seems linked to how the apps connect to Salesforce from outside.

“Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues,” the notification continues. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.”

Salesforce has contacted customers who may be affected. Users who need help are advised to reach out to Salesforce Help for support.

Security researchers and reporting groups tied the recent campaign to the threat actor known as ShinyHunters. Google’s GTIG and DataBreaches.Net linked the incident to previous attacks that hit other vendors.

ShinyHunters reportedly confirmed responsibility as well. “Unfortunately, yes,” their spokesperson responded, clarifying that the group has targeted Salesforce multiple times. They also said the group plans to publish more stolen data and claimed a large haul across several campaigns. “The next DLS will contain the data of the Salesloft and GainSight campaigns,” they stated, “which is, in total, almost 1000 organisations.”
