The Salesforce-Gainsight Breach: Why Your "Trusted Integrations" Are Now Your Biggest Risk
Salesforce flagged unauthorised access on Nov 19 via OAuth tokens issued to Gainsight. The threat model your CRM stack is now in, and 3 controls every Indian B2B should add this week.
Manvi
November 25, 2025 · 13 min read
On November 19, 2025, Salesforce contacted Gainsight about "unusual activity" involving Gainsight-published applications connected to Salesforce environments. Within 48 hours, Salesforce had revoked all Gainsight OAuth and refresh tokens and pulled Gainsight apps from the AppExchange marketplace. By November 23, security firms confirmed the activity was tied to ShinyHunters / UNC6240 — the same crew behind the Salesloft-Drift incident in August. Mandiant's analysis showed the attackers used a snapshot of roughly 285 Salesforce instance tokens, all at least two years old. The lesson is not "Salesforce was breached" or "Gainsight was breached." The lesson is that OAuth tokens are the new password equivalent, and your "trusted integration" graph is now the most under-monitored attack surface in your CRM stack.
- **Nov 19, 2025**: Salesforce flags Gainsight activity
- **~285**: Salesforce instance tokens in the attacker dataset
- **2+ years**: age of the compromised tokens
- **2nd**: SaaS-integration breach by ShinyHunters in 2025
## The 60-second answer
Attackers obtained Gainsight's OAuth tokens — likely from secrets stolen during the August Salesloft-Drift incident — then used those tokens to read Salesforce data from up to 285 customer instances. Salesforce revoked the tokens and pulled Gainsight from the AppExchange. Indian B2B firms running Salesforce + Gainsight should immediately re-issue the OAuth grant with the minimum scope required, audit every other "trusted" integration with the same lens, and shorten OAuth refresh-token lifetimes everywhere. Three weeks of OAuth hygiene work; ₹0 in tooling cost.
## Why this matters now
The pattern is now confirmed: breach a SaaS-integration vendor, steal the OAuth tokens, pivot into hundreds of downstream customer tenants in a single hop. Salesloft-Drift in August. Gainsight in November. Both used by ShinyHunters. The incident response community calls this "supply-chain via OAuth" and it is now the dominant attack pattern against B2B SaaS in 2025–2026. As [The Hacker News reported](https://thehackernews.com/2025/11/salesforce-flags-unauthorized-data.html) on Nov 21, the attackers "saw requests hitting their systems that weren't coming from Gainsight's applications, infrastructure, or their IP addresses, but were using OAuth tokens that had been issued to the Gainsight-Salesforce connector." Translated: the tokens were valid, the requests looked legitimate, and conventional WAF rules saw nothing.
## Who this post is for
Indian B2B firms running Salesforce or HubSpot or Microsoft Dynamics with 5+ "trusted" integrations bolted on. Typical setup: Salesforce as the system of record, Gainsight or ChurnZero for customer success, Outreach or Salesloft for sales, Marketo or Pardot for marketing, Slack and Microsoft Teams for collaboration, and a long tail of ZoomInfo, LinkedIn Sales Navigator, Calendly, and 5–8 forgotten "trial" integrations from 2022. If that sounds like your stack, the next sections are the work.
## The OAuth threat model your CRM is in
- 🔑 **Stolen tokens look legitimate.** A valid OAuth token is indistinguishable from a real vendor request at the API gateway. WAF rules cannot block what looks like a real vendor.
- ⏳ **Refresh tokens last forever.** By default, Salesforce refresh tokens never expire. An attacker holding a 3-year-old token can still use it.
- 📜 **Scopes are too broad.** Most B2B vendors ask for "full" or "api" scope on Salesforce, which gives them read/write on every object and every record. Scoping down is annoying, so most teams skip it.
- 📵 **No alerting on integration calls.** Most teams alert on user logins. Almost none alert on integration-account API call patterns, even though that is exactly where an attacker pivots.
## The 3 controls every Indian B2B should ship this week
### Control 1: rotate every OAuth token older than 12 months
Salesforce, HubSpot, and Dynamics all let you list connected apps and the last-used timestamp. Anything older than 12 months — revoke and re-issue. The Gainsight tokens used in this attack were 2+ years old. If you rotate every 12 months, you cap your exposure window dramatically.
```text
Salesforce → Setup → Apps → Connected Apps OAuth Usage
→ for every row, check "Last Modified Date" and "Last Used"
→ revoke any older than 12 months
→ re-issue with explicit scopes (not "full")
```
For HubSpot: Settings → Integrations → Connected Apps → revoke and re-grant. For Dynamics: Power Platform Admin Center → Resources → Connections.
### Control 2: minimum-scope every integration
Most B2B SaaS vendors default to asking for api or full scope on Salesforce because it makes their setup faster. The cost: an attacker who steals that token gets your full Salesforce data. Re-issue every grant with the minimum scope the vendor actually needs. For Gainsight that is Account, Contact, Opportunity, User — not full. For Outreach it is Activity, Contact, Lead, Task. For ZoomInfo it is Account, Contact, Lead (read-only is enough).
The Salesforce team has a [scopes reference](https://help.salesforce.com/s/articleView?id=remoteaccess_oauth_tokens_scopes.htm) that lists every available scope. The 30-minute task is mapping each integration to its actual minimum.
### Control 3: alerting on integration-account API call patterns
Set up a query that fires when an integration account's API call rate or pattern changes meaningfully. In Salesforce: Event Monitoring (requires Shield licence) or the free [Login History report](https://help.salesforce.com/s/articleView?id=sf.users_login_history.htm). The signal you are looking for: an integration account that normally does 4,000 calls/hour suddenly doing 14,000, or doing calls from new IPs, or pulling from objects it normally does not touch. You will not get this with a default Salesforce setup; you have to build it.
For SMBs without Shield licence, the [Salesforce Optimizer](https://help.salesforce.com/s/articleView?id=sf.optimizer_meet.htm) plus a weekly manual review of Login History is a serviceable substitute.
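To make the Control 3 signal concrete, here is an added example (not code from the original post, and not a Salesforce product feature) that builds a per-integration-user baseline and flags the three anomalies named above: a call-rate spike, a new source IP, and a new object. It runs over constructed, hour-aggregated call counts; the row layout and the user name `gainsight-int` are assumptions, not a real Event Monitoring schema.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample rows, aggregated per hour: (integration user, hour, client IP,
# Salesforce object, call count). The layout is hypothetical, not a real
# Event Monitoring schema; IPs come from the RFC 5737 documentation ranges.
BASELINE = [  # a normal day for the Gainsight integration user: ~4,000 calls/hour
    ("gainsight-int", "2025-11-12T09", "203.0.113.10", "Account", 1500),
    ("gainsight-int", "2025-11-12T09", "203.0.113.10", "Contact", 2500),
    ("gainsight-int", "2025-11-12T10", "203.0.113.10", "Account", 1600),
    ("gainsight-int", "2025-11-12T10", "203.0.113.10", "Opportunity", 2400),
]
CURRENT = [  # the window under review: same user, token replayed from elsewhere
    ("gainsight-int", "2025-11-19T09", "203.0.113.10", "Account", 1500),
    ("gainsight-int", "2025-11-19T09", "203.0.113.10", "Contact", 2600),
    ("gainsight-int", "2025-11-19T10", "198.51.100.7", "Contact", 9000),
    ("gainsight-int", "2025-11-19T10", "198.51.100.7", "Case", 5000),
]

def profile(rows):
    """Per integration user: calls per hour, IPs seen, objects touched."""
    hourly, ips, objs = defaultdict(Counter), defaultdict(set), defaultdict(set)
    for user, hour, ip, obj, count in rows:
        hourly[user][hour] += count
        ips[user].add(ip)
        objs[user].add(obj)
    return hourly, ips, objs

def detect(baseline, current, spike_factor=3.0):
    """Return (user, signal, detail) alerts: rate spike, new source IP, new object."""
    b_hourly, b_ips, b_objs = profile(baseline)
    c_hourly, c_ips, c_objs = profile(current)
    alerts = []
    for user, hours in c_hourly.items():
        if user not in b_hourly:  # integration account with no history at all
            alerts.append((user, "unseen_user", "no baseline activity"))
            continue
        normal = mean(b_hourly[user].values())
        for hour, calls in hours.items():
            if calls > spike_factor * normal:
                alerts.append((user, "spike", f"{calls} calls in {hour}, baseline {normal:.0f}/h"))
        for ip in sorted(c_ips[user] - b_ips[user]):
            alerts.append((user, "new_ip", ip))
        for obj in sorted(c_objs[user] - b_objs[user]):
            alerts.append((user, "new_object", obj))
    return alerts

if __name__ == "__main__":
    for alert in detect(BASELINE, CURRENT):
        print(alert)
```

Feed it a week of real hour-aggregated counts per integration user as the baseline and the last hour as current; the spike threshold is deliberately coarse so that a 3.5x jump like the one in the sample fires without paging on normal daily variation.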
## The full SaaS-integration audit checklist
- Pull a complete OAuth-app inventory from Salesforce, HubSpot, Dynamics, and Microsoft 365
- Tag each app: actively used, occasionally used, forgotten, unknown
- Revoke every "forgotten" or "unknown" app immediately
- Re-issue every "actively used" or "occasionally used" app with minimum scope
- Set OAuth refresh-token lifetime to ≤ 12 months on every connector
- Document the business owner of every integration in a wiki page
- Add an integration-call-pattern alert (spike, new IP, new object access)
- Add the vendor-risk question to every new integration: what is the worst case if the vendor is compromised?
- Subscribe to the security mailing list of every critical integration vendor
- Tabletop: "Salesloft is breached today, what do we do in the next 60 minutes?"
## A real example: 80-staff Hyderabad B2B SaaS
The client runs Salesforce as its system of record with 11 integrations bolted on. We started this exact audit on Nov 21 (two days after the Gainsight news broke). The findings:
- 3 forgotten integrations from 2022-2023, all with full scope. Revoked.
- 5 active integrations, all with full scope. Re-issued with minimum scope; the Outreach reissue took 2 hours of vendor support to get right.
- 2 integrations using personal OAuth grants (a sales rep had granted via her own login). Migrated to a dedicated integration user with explicit scopes.
- 1 integration for which nobody knew the business owner. After a week of asking, traced it to a churned employee from 2024. Revoked.
Total time: 6 engineering hours plus 4 hours of admin coordination. The CTO's note in our shared doc: "we have been running an attack-surface that we did not even know existed."
## The before / after attack surface
## Common mistakes we see post-incident
Symptom: "We disabled all Gainsight integrations." Not necessary. Salesforce has revoked the compromised tokens. A clean re-grant with minimum scope is the right answer. Disabling the integration breaks the customer-success workflow and creates pressure to re-enable with bad hygiene.
Symptom: "We are switching off OAuth and using API keys." Worse. API keys are even harder to rotate, even more likely to be hardcoded in scripts, and even less observable. OAuth is the right primitive; the issue is how you operate it.
Symptom: "Our auditor said we are SOC 2 compliant on this." SOC 2 Type II tests the existence of a vendor-management process, not the freshness of every OAuth grant. You can be SOC 2 compliant and still have 5 forgotten 2022 OAuth tokens with full scope. Audit your own grants; do not rely on the SOC 2 letter.
Symptom: "We are adding a CASB to detect this." A Cloud Access Security Broker (Netskope, Microsoft Defender for Cloud Apps) helps, but only after you have done the basic grant hygiene. Adding a CASB without first rotating tokens is buying a Ferrari to drive on a flooded road.
The pattern is going to repeat. ShinyHunters has now done this twice in 2025 (Salesloft, Gainsight) using exactly the same playbook. The next vendor is being prepped right now. The work in this post is the work that, if done before the next breach, lets you read the news with detached interest instead of holding a 6 AM incident call.
## The community response
The most useful thread we have read is the [Mandiant analysis blog](https://www.mandiant.com/) confirming the token age and ruling out a recent Gainsight infrastructure breach. The [Reco.ai writeup](https://www.reco.ai/blog/gainsight-oauth-attack-what-salesforce-users-must-do-now) and [AppOmni advisory](https://appomni.com/blog/salesforce-gainsight-unauthorized-access-security-advisory/) both have practical Salesforce-Setup screenshots. On Reddit, [r/cybersecurity](https://www.reddit.com/r/cybersecurity/) has a Gainsight thread that mirrors the technical conclusions in this post. Skip the LinkedIn "thought leader" coverage; it is uniformly content-marketing for whichever vendor the author works for.
## When this work is NOT urgent for you
Skip this audit only if (a) you do not run Salesforce, HubSpot, or Microsoft Dynamics — your OAuth surface is smaller and the playbook above does not apply directly; or (b) you have already run a comprehensive integration audit in the last 90 days, with re-grants and scope reduction. For literally everyone else running a CRM with bolted-on tools, this is a one-week project to ship before December.
## Our take
The incident is a warning shot for B2B SaaS architecture. The OAuth-as-trust-anchor pattern works fine when the entire chain is hardened. It fails badly when one link — a vendor with millions of customer tokens in a single S3 bucket — is breached. The fix at the platform level (Salesforce, HubSpot) will be shorter token lifetimes by default and finer-grained scopes. The fix at the customer level is what we have written above. The fix at the vendor level is operational discipline that we cannot influence.
[Hrishikesh, our CTO](/team/rishikesh-baidya), and [Manvi, our QA + security lead](/team/manvi), led the audit work for the Hyderabad client described above. The same playbook is what we run on every CRM-development engagement. Our [CRM development service](/services/crm-development) now bakes integration-grant hygiene into the standard scope, because the cost of retrofitting it later is meaningfully higher. For more on the supply-chain pattern that connects Salesloft, Gainsight, and likely the next vendor, our founder's writeup on [viveksinra.com](https://viveksinra.com) goes deeper into the threat-modelling angle.
## FAQ
### Was Gainsight itself breached?
Mandiant's analysis indicates the OAuth tokens were a historical snapshot — at least two years old — likely obtained during the August Salesloft-Drift incident, then re-used against Salesforce instances connected to Gainsight. There is no evidence of a recent breach of Gainsight's production systems. The tokens were the breach vector, not the company.
### Should we keep using Gainsight?
Yes, with re-issued tokens at minimum scope. Gainsight's response — full transparency, public security writeup, infrastructure hardening within weeks — is what you want from a vendor in this situation. The risk model has not changed; only your operating discipline around OAuth has to.
### What about Salesloft and Drift?
If you run Salesloft (and especially the Drift integration), you should already have rotated those OAuth grants in August/September. If you did not, do it now — both grants and minimum-scope re-issue. The Salesloft incident playbook is the dress rehearsal for the Gainsight one.
### Does this affect HubSpot users?
Indirectly. The same OAuth-as-trust-anchor pattern exists in HubSpot. The same threat model applies. Run the same audit on your HubSpot connected-apps inventory. The "marketplace integration" surface is structurally identical.
### How often should we rotate OAuth tokens?
Aim for ≤ 12 months for every integration. Set a calendar task for January, May, and September: review the connected-apps inventory and re-issue anything older than 12 months. The 4-month cadence is what enterprise security teams use; SMBs can run it annually if they document the deviation.
### What is the cost of doing this audit?
For a 50-person SMB: 6–10 engineering hours plus 4–6 hours of admin coordination. Tooling cost: ₹0. The Salesforce and HubSpot built-ins are sufficient. Spend on Shield Event Monitoring or a CASB only after you have done the basic grant hygiene.
### Where is the official vendor guidance?
Salesforce's [security advisory page](https://status.salesforce.com/) is the canonical source. Gainsight published their own writeup on [how they accelerated security work in weeks](https://www.gainsight.com/blog/how-we-accelerated-a-year-of-security-work-in-weeks/) — worth reading as a vendor-side perspective. CSO Online's [coverage of the OAuth pattern](https://www.csoonline.com/article/4094506/oauth-token-compromise-hits-salesforce-ecosystem-again-gainsight-impacted.html) is the best cross-vendor analysis we have seen.
Want a SaaS-integration audit on your CRM stack?
Our team runs a 1-week SaaS-integration audit on Salesforce, HubSpot, or Microsoft Dynamics. Outcome: complete OAuth inventory, every grant re-issued with minimum scope, an alerting rule on integration-account anomalies, and a vendor-failure tabletop on the calendar. Typical cost: ₹65,000–₹1.2 lakh depending on integration count. Run by Manvi with our CRM development team.