Gainsight OAuth Attack: What Salesforce Users Must Do Now
Salesforce issued a security advisory today regarding unusual activity involving Gainsight-published applications. If your organization uses or has ever used Gainsight's Salesforce integration, you need to read this immediately.
What Happened?
Salesforce has detected suspicious activity related to Gainsight apps available on the AppExchange. In response, the company has taken swift action by:
- Revoking all Gainsight access and refresh tokens
- Temporarily removing Gainsight apps from the AppExchange marketplace
While these are important containment measures, this OAuth compromise raises serious concerns about potential data exposure and the possibility of persistent unauthorized access to Salesforce environments.
Are You Affected?
You should assume you're affected if:
- You currently have any Gainsight app connected to your Salesforce org
- You've ever had a Gainsight integration in the past (even if it's no longer active)
- This applies to both production environments and sandboxes
The scope of this breach means that even organizations that previously disconnected Gainsight may have had their data exposed during the period when the integration was active.
Immediate Action Steps
Don't wait for more information. Take these steps right now to protect your organization:
1. Identify and Review the Gainsight Integration User
Locate the integration user account that Gainsight used to access your Salesforce environment. Review its permission sets and profile to understand what data it could access.
2. Audit Recent Activity
Examine login history and API call logs for:
- Unusual access patterns
- Suspicious timing of requests
- Large data exports
- Access from unexpected IP addresses or locations
3. Revoke Access Immediately
Remove Gainsight's access from your Salesforce environment right away. This includes:
- Disconnecting any active integrations
- Removing the connected app authorization
- Deactivating any integration user accounts
4. Rotate Credentials
If any credentials might have been compromised or were shared with the Gainsight integration, rotate them immediately. This includes:
- API keys
- Integration user passwords
- Service account credentials
5. Review All Connected Apps
Don't stop at Gainsight. Use this incident as an opportunity to audit all third-party apps connected to your Salesforce environment. Remove any that are no longer needed or haven't been reviewed recently.
How Reco Can Help
Our platform enables security teams to instantly search for Gainsight (and any other third-party plugin) across your entire SaaS environment. With Reco, you can:
- Quickly identify where Gainsight is deployed and review permissions
- Assess your risk exposure by auditing recent login and API actiivty for unusual patterns or large data exports
- Review all connected apps and third-party apps in your environment, not just Gainsight
- Monitor for similar vulnerabilities across your SaaS stack
The Bigger Picture: Why OAuth Governance Matters
This incident serves as a critical reminder that OAuth governance and connected app visibility aren't just nice-to-haves, they're essential security controls.
Revoking tokens stops new unauthorized access, but it doesn't erase what may have already been accessed or exfiltrated. If an attacker gained access through the compromised OAuth credentials, they could have:
- Downloaded sensitive customer data
- Exported confidential business information
- Created backdoor access methods
- Established persistent access through other means
Key Takeaways
Even if your organization didn't use Gainsight, this breach underscores several critical security principles:
- Visibility is paramount: You can't protect what you can't see. Maintain an up-to-date inventory of all connected apps.
- Regular audits are essential: Periodically review which third-party applications have access to your critical systems and what permissions they hold.
- Assume breach: Plan for compromises by limiting the permissions granted to third-party integrations to only what's absolutely necessary.
- Act quickly: When a breach is announced, speed matters. The faster you respond, the less damage can occur.
- Don't forget historical access: Just because an integration is no longer active doesn't mean it didn't have access when the breach occurred.
What's Next?
Monitor Salesforce's security advisories and Gainsight's official communications for updates on this incident. Document all actions you take in response to this breach. This information may be crucial for compliance reporting and incident response procedures.
Most importantly, use this as a catalyst to strengthen your overall SaaS security posture. The next breach might not come with an advisory, will you be ready to detect and respond to it?
Dr. Tal Shapira
%201.svg)
ABOUT THE AUTHOR
Tal is the Cofounder & CTO of Reco. Tal has a Ph.D. from the school of Electrical Engineering at Tel Aviv University, where his research focused on deep learning, computer networks, and cybersecurity. Tal is a graduate of the Talpiot Excellence Program, and a former head of a cybersecurity R&D group within the Israeli Prime Minister's Office. In addition to serving as the CTO, Tal is a member of the AI Controls Security Working Group with the Cloud Security Alliance.
Tal is the Cofounder & CTO of Reco. Tal has a Ph.D. from the school of Electrical Engineering at Tel Aviv University, where his research focused on deep learning, computer networks, and cybersecurity. Tal is a graduate of the Talpiot Excellence Program, and a former head of a cybersecurity R&D group within the Israeli Prime Minister's Office. In addition to serving as the CTO, Tal is a member of the AI Controls Security Working Group with the Cloud Security Alliance.
.svg)