Developing Story Notice: This is an evolving security incident. As new indicators of compromise (IOCs), behavioral patterns, or forensic details emerge, this post will be updated to serve as a central resource for defense and remediation.
On November 19, 2025, Salesforce issued a terse security advisory that sent ripples through the enterprise technology world: unusual activity had been detected involving Gainsight-published applications, potentially enabling unauthorized access to customer data. Within hours, Salesforce took the extraordinary step of revoking all active tokens associated with Gainsight apps and temporarily removing them from the AppExchange marketplace.
For the second time in three months, a major Salesforce integration partner has been compromised, and the playbook is familiar.
The attack mirrors the August 2025 Salesloft Drift breach, revealing a disturbing pattern: cybercriminals have discovered a reliable way to bypass traditional security defenses by targeting the digital connectors, OAuth tokens, that link your SaaS applications together. When one trusted partner gets compromised, hundreds of downstream organizations inherit that risk instantly.
According to threat intelligence reports, approximately 285 Salesforce instances may have been accessed through compromised Gainsight credentials. The threat group ShinyHunters has claimed responsibility, boasting that combined with their earlier Salesloft attack, they've gained access to data from nearly 1,000 organizations.
What makes this particularly troubling is that this wasn't a software vulnerability. No firewall could have stopped it. No antivirus would have detected it. The attackers used legitimate, valid credentials; they just weren't the legitimate users.
Critically, these attacks have not been targeting Salesforce itself. They've been targeting Salesforce customers, a treasure trove of businesses with high-value data and deep pockets for extortion.
This is the new reality of SaaS security. Attacks happen in the space between your apps, and most security tools can't see them.
Understanding the attack: What happened
The technical mechanics
Salesforce identified this compromise not through a vulnerability in their platform, but by detecting anomalous behavior in the API layer. Specifically, the Salesforce security team observed API calls using the valid Gainsight connected app originating from IP addresses that did not match Gainsight's known, whitelisted infrastructure range. This discrepancy, valid credentials used from an invalid location, triggered the investigation that revealed the token theft.
Attack vector: Threat actors exploited stolen OAuth refresh tokens rather than traditional software vulnerabilities. These tokens function as long-lived digital keys, allowing attackers to impersonate the legitimate Gainsight connected app without requiring user passwords or triggering multi-factor authentication.
The chain of events:
- Precursor: Initial compromise of Drift (acquired by Salesloft) exposed an OAuth token database
- Pivot: Attackers pivoted to compromise Gainsight's OAuth tokens
- Exploitation: Using Gainsight tokens, threat actors accessed Salesforce instances
Potential data at risk:
- Customer names, business email addresses, and phone numbers
- Location and business details
- Plain-text content from Salesforce support cases, often containing sensitive information like passwords, API keys, and proprietary configurations
Immediate response actions
Phase 1: Check if you are impacted
- Navigate to Salesforce Setup → Apps → Connected Apps → OAuth Usage
- Look for any Gainsight-related applications
- Decision Point:
- If Gainsight is present: Proceed immediately to Phase 2 to investigate potential compromise
- If Gainsight is NOT present: You are likely not impacted by this specific breach. However, you should still review your environment for other dormant applications or anomalous activity as a proactive security measure
Phase 2: Remediation and containment
If you identified a Gainsight application, take the following steps immediately:
- Navigate to Salesforce Setup → Apps → Connected Apps → OAuth Usage
- Locate any "Gainsight" related app
- Action: Click Block
- Why Block? It prevents the app from authenticating entirely
Phase 3: Forensic analysis and scoping
To understand the impact and scope of the breached Gainsight application in your environment, further investigation is required. The following sections outline the manual process using native Salesforce tools.
Step 1: Identification (LoginHistory query)
Use the LoginHistory object to identify suspicious authentication activity. Run the following SOQL query in the developer console OR download the login history in CSV format from the Login History tab in Setup. The query selects the Status field and restricts results to the attack window so that the checks below can be applied directly to the output:
SELECT UserId, SourceIp, Application, Browser, Status, LoginTime
FROM LoginHistory
WHERE LoginTime >= 2025-08-01T00:00:00Z
ORDER BY LoginTime DESC
What to look for:
- Status: Success
- Application: Gainsight or apps published by Gainsight
- UserID: Keep a note of the UserId/Username associated with the Application
- Time: Correlate LoginTime with the known attack window (August 2025 - November 2025)
Policy Verification: To determine if IP restrictions saved you, navigate to Setup → Manage Connected Apps → Gainsight. Click Edit Policies and check the IP Relaxation field. If it is set to "Relax IP restrictions," the app ignores your org's trusted IP ranges, leaving you vulnerable to access from any IP.
Step 2: Scope assessment (retrieving EventLog files)
Requirement: Salesforce Shield add-on or Event Monitoring subscription
If you identified a successful login in Step 1, you must determine what data was accessed.
Method A: Standard EventLogFile (Manual Download)
You cannot view the contents of these logs directly via SOQL. You must query the file metadata, download the binary blob, and decode it.
SELECT Id, EventType, LogDate, CreatedDate, CreatedById
FROM EventLogFile
WHERE LogDate >= 2025-08-01T00:00:00Z
AND EventType IN ('Api', 'RestApi', 'ReportExport')
ORDER BY LogDate DESC
Execution steps:
- Run the Query: Use Workbench or a script (Python/Postman)
- Download: For every result, download the file body: /services/data/v60.0/sobjects/EventLogFile/{ID}/LogFile
- Decode: The result is a Base64 encoded CSV
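The three execution steps above, carried out in one script. This is an added example, not code from the original post or from Salesforce or Vorlon. It follows the post's procedure (query EventLogFile metadata, GET each /services/data/v60.0/sobjects/EventLogFile/{ID}/LogFile body, decode the Base64 CSV) and assumes the JSON shape of the REST query endpoint ("records", "nextRecordsUrl"), an injectable `http_get` callable so the logic can run offline, and the constructed sample rows and ids at the bottom. The decoder also accepts a body that is already plain CSV, so it works whether the blob arrives Base64-encoded or not.

```python
"""Pull EventLogFile records from the Salesforce REST API and decode them.

Added example, not code from the original post or from Salesforce/Vorlon.
Assumptions: the query endpoint's JSON shape ("records", "nextRecordsUrl"),
the injected `http_get` callable, and the constructed sample data below.
"""
import base64
import binascii
import csv
import io
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

API_VERSION = "v60.0"  # the version used in the post's download path


def build_query(since_iso: str, event_types: Iterable[str]) -> str:
    """SOQL mirroring the post's EventLogFile query, plus the fields we need."""
    types = ", ".join(f"'{t}'" for t in event_types)
    return ("SELECT Id, EventType, LogDate FROM EventLogFile "
            f"WHERE LogDate >= {since_iso} AND EventType IN ({types}) "
            "ORDER BY LogDate DESC")


def query_url(instance_url: str, soql: str) -> str:
    return f"{instance_url}/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}"


def log_file_url(instance_url: str, log_id: str) -> str:
    return f"{instance_url}/services/data/{API_VERSION}/sobjects/EventLogFile/{log_id}/LogFile"


def decode_log_body(body: bytes) -> List[Dict[str, str]]:
    """Decode a LogFile body into CSV rows (list of header -> value dicts).

    The post describes the body as a Base64-encoded CSV. If the bytes are not
    valid Base64 (commas and quotes are outside the alphabet) they are treated
    as plain CSV, so either form parses.
    """
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        text = body.decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))


def default_http_get(url: str, token: str) -> bytes:
    """Authenticated GET against a live org (not exercised offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def fetch_event_logs(instance_url: str, token: str, since_iso: str,
                     event_types: Iterable[str],
                     http_get: Callable[[str, str], bytes] = default_http_get
                     ) -> Dict[str, List[Dict[str, str]]]:
    """Run the metadata query (following nextRecordsUrl pages), download and
    decode every LogFile, and group the rows by EventType."""
    url: Optional[str] = query_url(instance_url, build_query(since_iso, event_types))
    grouped: Dict[str, List[Dict[str, str]]] = {}
    while url:
        page = json.loads(http_get(url, token))
        for rec in page.get("records", []):
            rows = decode_log_body(http_get(log_file_url(instance_url, rec["Id"]), token))
            grouped.setdefault(rec["EventType"], []).extend(rows)
        nxt = page.get("nextRecordsUrl")
        url = f"{instance_url}{nxt}" if nxt else None
    return grouped


# --- Constructed sample (invented ids and values) for an offline run ---------
SAMPLE_CSV = ('"EVENT_TYPE","TIMESTAMP","USER_ID","CLIENT_IP","ROWS_PROCESSED","QUERIED_ENTITIES"\n'
              '"API","20250915031500.000","005EXAMPLE","198.51.100.7","48000","Case"\n'
              '"API","20250915031700.000","005EXAMPLE","198.51.100.7","51000","Contact"\n')
SAMPLE_INSTANCE = "https://example.my.salesforce.com"


def sample_http_get(url: str, token: str) -> bytes:
    """Stand-in for the REST API: one metadata record, one Base64 LogFile."""
    if "/query?q=" in url:
        return json.dumps({"records": [{"Id": "0ATEXAMPLE", "EventType": "Api",
                                        "LogDate": "2025-09-15T00:00:00.000+0000"}]}).encode()
    if url.endswith("/sobjects/EventLogFile/0ATEXAMPLE/LogFile"):
        return base64.b64encode(SAMPLE_CSV.encode())
    raise ValueError(f"unexpected URL in sample: {url}")


def demo() -> Dict[str, List[Dict[str, str]]]:
    """Offline run of the whole flow against the constructed sample."""
    return fetch_event_logs(SAMPLE_INSTANCE, "TOKEN-PLACEHOLDER", "2025-08-01T00:00:00Z",
                            ["Api", "RestApi", "ReportExport"], http_get=sample_http_get)


if __name__ == "__main__":
    for event_type, rows in demo().items():
        print(event_type, len(rows), "rows; first:", rows[0])
```

Against a real org, call `fetch_event_logs` with the instance URL, a session token obtained through your normal admin login, and the default `http_get`; the grouped rows are then ready for the Step 3 filters. Keep the decoded CSVs outside the org, because the 30-day retention the post mentions below applies to the source files, not to your copies.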
Method B: Real-time event monitoring (direct query)
Alternatively, if your organization has real-time event monitoring enabled with storage, you can avoid the complex download/decode process. You can query the ApiEvent and ReportEvent objects directly to see record-level details in a structured format.
Step 3: Impact analysis
Once you have the CSVs loaded into your tool of choice, look for specific events based on the following filters:
A. API and RestApi events
- Filter by USER_ID: Match this to the UserId found in the LoginHistory step
- Critical Field: ROWS_PROCESSED: A sync might normally grab 50-500 rows. A spike (e.g., 10,000+ rows) indicates bulk exfiltration
- Critical Field: QUERIED_ENTITIES: Identifies objects touched (e.g., Case, Contact)
- Critical Field: Query: Check the exact query that was run
- Critical Field: CLIENT_IP: Verify for anomalous patterns
B. ReportExport events
- Critical Field: URI / Name: Shows the specific report accessed
- Critical Field: ROW_COUNT: High row counts indicate a "database dump" style export
- Critical Field: COLUMN_HEADERS: Reveals exactly which fields (e.g., "Contact.Email", "Account.Revenue") were included in the exfiltrated report
Challenges with manual approach:
While the steps above are effective, they present significant operational challenges:
- High Complexity: Requires writing and running scripts to download and parse Base64-encoded CSV blobs, which is time-consuming and adds operational overhead.
- Retention Gaps: Event log files are often retained for 30 days. If the breach occurred 45 days ago, crucial evidence of data exfiltration may already be lost.
- Correlation Difficulty: The LoginHistory object does not contain a SessionId field. This forces analysts to rely on manual correlation using IP addresses and timestamps (UserId + Application + SourceIp + LogDate) to attempt to link logins to subsequent API activity, which is time-consuming and error-prone in high-traffic environments.
- Noise vs. Signal: Distinguishing between a legitimate high-volume sync and a malicious exfiltration event requires establishing a statistical baseline that is difficult to derive manually.
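The Step 3 filters and the correlation problem described in the challenges list, implemented as one script. This is an added example, not code from the original post or from Vorlon. Because LoginHistory carries no SessionId, the join is the one the post describes: UserId + SourceIp + time proximity between the login and the subsequent API or report event. Assumptions that are not from the post: the constructed LoginHistory, Api and ReportExport rows (all values invented), the KNOWN_VENDOR_IPS allowlist, the 30-minute login-to-event window, and the spike rule (10x the same user's median earlier sync, or an absolute 10,000-row floor taken from the post's example figure).

```python
"""Correlate LoginHistory with Api and ReportExport rows and flag the Step 3
signals: ROWS_PROCESSED spikes, CLIENT_IP outside the vendor's range, and
large report exports with their COLUMN_HEADERS.

Added example, not code from the original post. Assumptions (not from the
post): the constructed rows below, the KNOWN_VENDOR_IPS allowlist, the
30-minute window, and the spike rule (10x median earlier sync or 10,000 rows).
"""
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Optional

# Constructed sample rows shaped like the post's fields; every value is invented.
LOGIN_HISTORY = [
    {"UserId": "005AAA", "SourceIp": "203.0.113.10", "Application": "Gainsight",
     "Status": "Success", "LoginTime": "2025-09-01T02:00:00Z"},
    {"UserId": "005AAA", "SourceIp": "203.0.113.10", "Application": "Gainsight",
     "Status": "Success", "LoginTime": "2025-09-08T02:00:00Z"},
    {"UserId": "005AAA", "SourceIp": "198.51.100.7", "Application": "Gainsight",
     "Status": "Success", "LoginTime": "2025-09-15T03:10:00Z"},
    {"UserId": "005BBB", "SourceIp": "192.0.2.5", "Application": "Browser",
     "Status": "Success", "LoginTime": "2025-09-15T09:00:00Z"},
]
API_EVENTS = [  # EventLogFile Api rows; TIMESTAMP is yyyymmddHHMMSS.sss
    {"TIMESTAMP": "20250901020300.000", "USER_ID": "005AAA", "CLIENT_IP": "203.0.113.10",
     "ROWS_PROCESSED": "120", "QUERIED_ENTITIES": "Contact", "Query": "SELECT Id FROM Contact"},
    {"TIMESTAMP": "20250908020400.000", "USER_ID": "005AAA", "CLIENT_IP": "203.0.113.10",
     "ROWS_PROCESSED": "135", "QUERIED_ENTITIES": "Contact", "Query": "SELECT Id FROM Contact"},
    {"TIMESTAMP": "20250915031500.000", "USER_ID": "005AAA", "CLIENT_IP": "198.51.100.7",
     "ROWS_PROCESSED": "48000", "QUERIED_ENTITIES": "Case",
     "Query": "SELECT Id, Description FROM Case"},
]
REPORT_EXPORTS = [
    {"TIMESTAMP": "20250915032000.000", "USER_ID": "005AAA", "CLIENT_IP": "198.51.100.7",
     "NAME": "All Contacts", "ROW_COUNT": "95000",
     "COLUMN_HEADERS": "Contact.Email,Account.Revenue"},
]
KNOWN_VENDOR_IPS = {"203.0.113.10"}  # assumed allowlist of the vendor's published ranges


def parse_login_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event_ts(s: str) -> datetime:
    return datetime.strptime(s.split(".")[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def suspect_logins(logins, app_name="Gainsight"):
    """Step 1 filter: successful logins by the app under investigation."""
    return [r for r in logins
            if r["Status"] == "Success" and app_name.lower() in r["Application"].lower()]


def correlated(login, event, window=timedelta(minutes=30)) -> bool:
    """Substitute for the missing SessionId: same user, same IP, event shortly after login."""
    t0 = parse_login_time(login["LoginTime"])
    t1 = parse_event_ts(event["TIMESTAMP"])
    return (event["USER_ID"] == login["UserId"] and event["CLIENT_IP"] == login["SourceIp"]
            and t0 <= t1 <= t0 + window)


def rows_baseline(api_rows, user_id, before: datetime) -> Optional[float]:
    """Median ROWS_PROCESSED of the same user's earlier calls (the 'normal sync' size)."""
    earlier = [int(r["ROWS_PROCESSED"]) for r in api_rows
               if r["USER_ID"] == user_id and parse_event_ts(r["TIMESTAMP"]) < before]
    return median(earlier) if earlier else None


def analyze(logins, api_rows, report_rows, known_ips, spike_factor=10,
            spike_floor=10000, report_floor=10000) -> List[Dict]:
    """Return one finding per correlated event that trips a Step 3 signal."""
    findings = []
    for login in suspect_logins(logins):
        for ev in api_rows:
            if not correlated(login, ev):
                continue
            reasons = []
            rows = int(ev["ROWS_PROCESSED"])
            base = rows_baseline(api_rows, login["UserId"], parse_event_ts(ev["TIMESTAMP"]))
            if rows >= spike_floor or (base and rows >= spike_factor * base):
                reasons.append(f"ROWS_PROCESSED={rows} (baseline median {base})")
            if ev["CLIENT_IP"] not in known_ips:
                reasons.append(f"CLIENT_IP {ev['CLIENT_IP']} outside vendor allowlist")
            if reasons:
                findings.append({"kind": "Api", "user": login["UserId"], "ip": ev["CLIENT_IP"],
                                 "timestamp": ev["TIMESTAMP"], "entities": ev["QUERIED_ENTITIES"],
                                 "query": ev["Query"], "reasons": reasons})
        for rep in report_rows:
            if not correlated(login, rep):
                continue
            reasons = []
            if int(rep["ROW_COUNT"]) >= report_floor:
                reasons.append(f"ROW_COUNT={rep['ROW_COUNT']} looks like a full dump")
            if rep["CLIENT_IP"] not in known_ips:
                reasons.append(f"CLIENT_IP {rep['CLIENT_IP']} outside vendor allowlist")
            if reasons:
                findings.append({"kind": "ReportExport", "user": login["UserId"],
                                 "ip": rep["CLIENT_IP"], "timestamp": rep["TIMESTAMP"],
                                 "report": rep["NAME"], "columns": rep["COLUMN_HEADERS"].split(","),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(LOGIN_HISTORY, API_EVENTS, REPORT_EXPORTS, KNOWN_VENDOR_IPS):
        print(f["kind"], f["user"], f["ip"], f["timestamp"], "; ".join(f["reasons"]))
```

On the constructed data the two routine syncs (120 and 135 rows from the allowlisted address) produce nothing, while the 48,000-row Case query and the 95,000-row report export from the unknown address each yield a finding with two reasons. The baseline is deliberately per user and time-ordered, so a spike is judged against what that integration did before, which is the "statistical baseline" the noise-versus-signal point above asks for.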
Accelerating defense with Vorlon
Vorlon addresses the limitations of manual forensics by providing an automated security layer that continuously monitors the SaaS and AI ecosystem.
Automated ingestion and correlation
Vorlon automatically ingests and parses Salesforce logs (LoginHistory, EventLogFile, and Real-Time Events) and intelligently correlates the fragmented logs from various sources. This eliminates the complex manual process of downloading Base64-encoded CSV blobs and joining disparate datasets, a process that can take days and often results in missed connections.
Threat detection
Vorlon's built-in alert engine automatically detects anomalous behavior patterns that indicate potential compromise:
- Login attempts from previously unseen IP addresses
- Identities generating reports with abnormally high record counts
- Unusual data access patterns or timing deviations
Streamlined threat hunting
Vorlon makes finding the "needle in the haystack" straightforward. Security teams can quickly:
- View all activities by specific applications (like Gainsight) grouped by query type
- Identify all actions from suspicious IP addresses
- Track behavioral patterns across multiple timeframes
- Search for specific indicators without complex SOQL queries
Proactive risk mitigation
Vorlon helps prevent future compromises by surfacing latent risks:
- Policy gaps: Identifies connected apps that have "relax IP restrictions" enabled, highlighting high-risk integrations that bypass your perimeter controls
- Dormant apps: Detects apps that have been inactive for long periods but retain high-privilege scopes (e.g., refresh_token, full), allowing you to remove unused attack surfaces before they can be exploited
One-click remediation
In the event of a confirmed compromise, Vorlon enables security teams to revoke OAuth tokens or block applications and users directly from the Vorlon UI. This immediate response capability dramatically reduces Mean Time to Response (MTTR), containing breaches before significant data exfiltration occurs.
This attack pattern will continue
The Gainsight breach isn't an isolated incident. It's a blueprint. Here's why this attack pattern is so effective and why security teams should expect more:
OAuth tokens are the new crown jewels. In the SaaS era, these long-lived credentials provide persistent, high-privileged access to sensitive data across multiple organizations. Compromise one integration provider, and you inherit access to hundreds of downstream customers simultaneously.
Third-party risk is concentrated risk. When organizations connect trusted apps like Gainsight to their Salesforce environments, they're extending their security perimeter to include that vendor's security posture. Most organizations have limited visibility into what these integrations are actually doing once connected.
Traditional defenses don't apply. Firewalls, endpoint protection, and network monitoring are designed to stop unauthorized access. But when attackers are using valid, legitimate credentials, they appear authorized. The attack happens at the identity layer, where most organizations have limited detection capabilities.
The attack surface is growing exponentially. The average enterprise now uses 473 SaaS applications, many interconnected through OAuth tokens and APIs. Each integration represents a potential attack path. As AI agents and copilots become more prevalent, the number of non-human identities with access to sensitive data will only increase.
The economics favor attackers. ShinyHunters claims their SaaS supply chain attacks have generated more revenue than established ransomware groups. When a single compromised integration can expose hundreds of organizations, the return on investment for attackers is substantial.
What security teams must do now
The Gainsight-Salesforce incident demands a fundamental shift in how organizations approach SaaS security:
1. Assume breach in your integration layer. Don't wait for a vendor notification. Proactively audit all connected apps, review their permissions, and establish behavioral baselines for what normal activity looks like.
2. Implement continuous monitoring for non-human identities. OAuth tokens, service accounts, and API keys need the same level of scrutiny as human user accounts. Anomalous behavior from these identities should trigger immediate investigation.
3. Enforce the principle of least privilege. Review every connected app's permissions. If an integration doesn't need full access to all objects, restrict it. If IP restrictions can be enforced without breaking functionality, enforce them.
4. Reduce your attack surface. Identify dormant or unused integrations and remove them. Every connected app with valid tokens is a potential entry point.
5. Establish detection and response capabilities. Manual log analysis is too slow. Organizations need automated systems that can detect anomalous API activity, correlate events across multiple data sources, and enable rapid response when threats are identified.
6. Prepare for the next incident. This attack pattern is proven and repeatable. Security teams should develop playbooks specifically for OAuth supply chain compromises, including how to quickly identify affected integrations, assess scope, and contain the breach.
Looking ahead: Beyond the Gainsight breach
The Gainsight-Salesforce breach illustrates a harsh reality. In the SaaS ecosystem, your security is only as strong as your weakest integration. Traditional defenses cannot protect against attackers who hold valid credentials to your most sensitive systems. Organizations that continue to treat third-party integrations as "set it and forget it" connections are accepting unacceptable risk.
While manual investigation using Salesforce native logs is possible, it is often hampered by retention limits and data complexity. Organizations must assume a posture of continuous assessment by verifying connected apps, enforcing strict IP policies, and leveraging automated detection platforms to secure the identity perimeter effectively.
The question is no longer whether your organization will face an OAuth supply chain attack. The question is whether you'll detect it in time to prevent significant data loss.
Need help securing your SaaS and AI ecosystem?
If you're concerned about OAuth token exploitation or want to understand your exposure to third-party integration risks, get an Instant Preview of how Vorlon can help. Our two-minute guided tour shows you how to control the third-party apps and AI tools that house and move your most sensitive data.
See how Vorlon provides:
- Ecosystem-wide visibility: Track how sensitive data moves between SaaS apps, AI agents, identities, and connected services
- Behavioral monitoring: Detect unusual data sharing, off-hours access, privilege escalation, and active attacks like stolen OAuth tokens
- Coordinated action: Revoke access, route fixes to app owners, or trigger automations in your SIEM, SOAR, ITSM, and IdPs
Have questions about your SaaS and AI security? Vorlon is here to help. Contact us to discuss your specific security challenges.