Salesforce cuts off access to third-party app after discovering ‘unusual activity’
Summary
Salesforce warned customers it detected “unusual activity” tied to third-party app Gainsight that may have allowed unauthorised access to some customers’ Salesforce data. Salesforce revoked active access and refresh tokens for Gainsight-published applications, temporarily removed those apps from the AppExchange and launched an investigation. Gainsight is co-operating and has also pulled its app from HubSpot as a precaution.
The alleged attackers later claimed responsibility, saying they used Gainsight's access to steal data from 284 organisations. The group has been linked to known cybercriminal operations such as Scattered Spider and ShinyHunters; law enforcement has previously disrupted related extortion activity.
Key Points
- Salesforce detected “unusual activity” involving the Gainsight app that may have enabled unauthorised access to customer data.
- Salesforce revoked all active access and refresh tokens for Gainsight-published apps and temporarily removed them from the AppExchange.
- Gainsight is co-operating with Salesforce and has pulled its HubSpot listing as a precaution; no suspicious HubSpot activity reported so far.
- Attackers claimed responsibility and said data from 284 organisations was stolen; they are allegedly linked to Scattered Spider and ShinyHunters operations.
- Salesforce says there is no indication of a vulnerability in the Salesforce platform itself — the issue appears related to the external app connection.
- The incident echoes previous supply‑chain style breaches where third‑party integrations were abused to exfiltrate data.
Content Summary
On discovery of the suspicious activity, Salesforce moved quickly to cut off the app’s tokens and remove Gainsight-published applications from its marketplace while it investigates. Gainsight published status updates confirming co-operation with Salesforce and precautionary removal from HubSpot. The attackers publicly claimed they used Gainsight access to steal information and lost access after the takedown; earlier related criminal campaigns have targeted multiple industries and prompted law enforcement action.
Context and Relevance
This is a timely reminder that third‑party integrations are a major attack vector for cloud platforms. Even without a platform vulnerability, compromised vendor connections can expose customer data across many tenants. Organisations running Salesforce should treat connected apps as high‑risk assets: review app permissions, rotate tokens/credentials, audit integration logs and ensure least privilege is enforced. Regulators and incident responders will also be watching — breaches that affect many customers can trigger notification and compliance requirements.
Why should I read this?
Short version: if you run Salesforce (or manage vendor integrations), this matters. Someone could be using a trusted app to reach into your instance — quick checks now (revoke unused tokens, check connected apps, monitor logs) could save you a headache later. We skimmed the details so you don’t have to — go look if you handle security or ops.
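The checks above (find the compromised vendor's tokens, find tokens nobody has used in weeks, and look for integration logins from unexpected source addresses) can be scripted against two standard Salesforce objects, OauthToken and LoginHistory. The script below is an added example, not code from The Record, Salesforce or Gainsight. It works offline on constructed records shaped like a REST query response; the field names are assumed from the standard API, the record Ids, user Ids and IP addresses are made up, the vendor egress range is hypothetical, and "Gainsight" is used only as the label of the affected connected app.

```python
"""Triage connected-app OAuth tokens after a third-party app compromise.

Added example (not from the article, Salesforce or Gainsight). Operates on
records shaped like Salesforce's OauthToken and LoginHistory objects, which
would normally be pulled with SOQL such as (assumed field names):
  SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
  SELECT Application, UserId, SourceIp, LoginTime, Status FROM LoginHistory
      WHERE LoginTime = LAST_N_DAYS:30
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed reference time for the sample data below.
NOW = datetime(2025, 11, 21, 12, 0, tzinfo=timezone.utc)

# Constructed OauthToken rows (hypothetical Ids and user Ids).
TOKENS = [
    {"Id": "0r8000000000001", "AppName": "Gainsight", "UserId": "005000000000AAA",
     "LastUsedDate": "2025-11-20T09:30:00.000+0000", "UseCount": 1840},
    {"Id": "0r8000000000002", "AppName": "Gainsight", "UserId": "005000000000BBB",
     "LastUsedDate": "2025-08-02T11:00:00.000+0000", "UseCount": 3},
    {"Id": "0r8000000000003", "AppName": "Data Loader", "UserId": "005000000000CCC",
     "LastUsedDate": "2025-11-19T16:45:00.000+0000", "UseCount": 52},
    {"Id": "0r8000000000004", "AppName": "Legacy BI Connector", "UserId": "005000000000DDD",
     "LastUsedDate": "2025-05-14T08:00:00.000+0000", "UseCount": 9},
]

# Constructed LoginHistory rows; Application is the connected-app name.
LOGINS = [
    {"Application": "Gainsight", "UserId": "005000000000AAA", "SourceIp": "203.0.113.10",
     "LoginTime": "2025-11-19T08:00:00.000+0000", "Status": "Success"},
    {"Application": "Gainsight", "UserId": "005000000000AAA", "SourceIp": "198.51.100.77",
     "LoginTime": "2025-11-20T03:12:00.000+0000", "Status": "Success"},
    {"Application": "Gainsight", "UserId": "005000000000BBB", "SourceIp": "198.51.100.77",
     "LoginTime": "2025-11-20T03:15:00.000+0000", "Status": "Success"},
    {"Application": "Browser", "UserId": "005000000000CCC", "SourceIp": "192.0.2.5",
     "LoginTime": "2025-11-20T10:00:00.000+0000", "Status": "Success"},
]

# Hypothetical egress range the vendor is assumed to have published for its
# integration traffic; anything else calling in under the app name is suspect.
VENDOR_EGRESS = ["203.0.113.0/24"]


def parse_sf_time(value: str) -> datetime:
    """Parse the Salesforce API datetime format, e.g. 2025-11-20T09:30:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def tokens_for_app(tokens: list, app_name: str) -> list:
    """Ids of every token issued to the named connected app (case-insensitive)."""
    return sorted(t["Id"] for t in tokens if t["AppName"].lower() == app_name.lower())


def stale_tokens(tokens: list, now: datetime = NOW, max_idle_days: int = 30) -> list:
    """Ids of tokens not used within max_idle_days: candidates for revocation
    regardless of which app they belong to."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(t["Id"] for t in tokens if parse_sf_time(t["LastUsedDate"]) < cutoff)


def logins_outside_allowlist(logins: list, app_name: str, allowed_cidrs: list) -> list:
    """LoginHistory rows for the app whose SourceIp is not in the allowed ranges."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for row in logins:
        if row["Application"].lower() != app_name.lower():
            continue
        ip = ipaddress.ip_address(row["SourceIp"])
        if not any(ip in net for net in nets):
            flagged.append(row)
    return flagged


def revocation_plan(tokens: list, logins: list, compromised_app: str,
                    allowed_cidrs: list = VENDOR_EGRESS, now: datetime = NOW) -> dict:
    """Combine the three checks into one triage result.

    'revoke' is the union of the compromised app's tokens and all stale tokens;
    'investigate_users' are users whose app logins came from unexpected IPs and
    whose data access should be reviewed before tokens are re-issued."""
    revoke = set(tokens_for_app(tokens, compromised_app)) | set(stale_tokens(tokens, now))
    suspicious = logins_outside_allowlist(logins, compromised_app, allowed_cidrs)
    return {
        "revoke": sorted(revoke),
        "investigate_users": sorted({r["UserId"] for r in suspicious}),
        "suspicious_logins": len(suspicious),
    }


if __name__ == "__main__":
    plan = revocation_plan(TOKENS, LOGINS, "Gainsight")
    print("tokens to revoke:", plan["revoke"])
    print("users to investigate:", plan["investigate_users"])
```

Revocation itself is done in Setup (Connected Apps OAuth Usage) or through the API rather than by this script; the point of separating the three checks is that after a vendor incident you revoke the vendor's tokens unconditionally, use the idle-token list to shrink the remaining integration surface, and use the login anomalies to scope what the attacker may have read before the tokens were cut.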
Source
Source: https://therecord.media/salesforce-cuts-off-access-to-third-party-unusual-activity
