Salesforce and Gainsight OAuth Incident: What Security Teams Need to Know

Valence Security
November 21, 2025

Introduction

Salesforce and Gainsight have disclosed a new OAuth-related security incident that may have exposed customer data through unauthorized token access. The impacted Gainsight apps have been disabled, Salesforce has revoked the tokens, and investigations are ongoing. While early signs suggest that only a subset of organizations are affected, the mechanics of the incident align with a broader trend across the SaaS ecosystem.

Attackers are increasingly targeting OAuth tokens issued to third-party integrations rather than trying to compromise the primary SaaS platforms themselves. These access paths are powerful, persistent, and often unmonitored, which makes them an ideal entry point into business-critical systems like Salesforce.

This post breaks down what is known today, why this pattern keeps recurring, and what security teams should be doing right now.

What Salesforce and Gainsight Have Reported

Salesforce Statement:

Salesforce detected unusual OAuth activity involving two Gainsight applications. Some customers may have had OAuth tokens accessed without authorization. As a precaution, Salesforce revoked the affected tokens and notified impacted customers. There is currently no evidence of a Salesforce platform vulnerability.

Gainsight Statement:

Gainsight confirmed the unauthorized activity and disabled API access for the affected applications while investigations continue. They are working with Salesforce to determine the full scope of impact.

The working picture includes:

• Unauthorized access involving OAuth tokens associated with Gainsight apps

• Token revocation by Salesforce

• API activity paused for the implicated apps

• No evidence of malicious modifications inside customer Salesforce environments

• No indication of a Salesforce platform flaw

This incident is focused on OAuth access, not on a Salesforce product vulnerability.

Security teams should take the following immediate actions:

• Review any Gainsight OAuth grants and connected apps

• Investigate the history of Gainsight access, since Salesforce may have already revoked the tokens

• Track publications about the incident to hunt for potential indicators of compromise
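One way to work through the grant review above, as an added example that is not part of the original post or of any Salesforce or Valence tooling: a Python script that groups an export of OAuth grants by connected app, marks the apps belonging to the affected vendor, and lists grants that have not been used recently. The CSV column names, app names and user IDs are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; column names, apps and user IDs are assumptions.
SAMPLE_EXPORT = """AppName,UserId,LastUsedDate,UseCount
Gainsight Connector,005A,2025-11-18T02:14:00+00:00,18342
Gainsight Connector,005B,2025-02-02T10:00:00+00:00,12
Legacy Mailer,005C,,0
Data Loader,005A,2025-11-20T16:45:00+00:00,95
"""

def summarize_grants(export_text, vendor, now, stale_days=90):
    """Group OAuth grants by app; mark vendor apps in scope and dormant apps."""
    cutoff = now - timedelta(days=stale_days)
    apps = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        app = apps.setdefault(row["AppName"], {
            "grants": 0, "users": set(), "calls": 0,
            "last_used": None, "stale_users": [],
        })
        # An empty LastUsedDate means the grant was never exercised.
        raw = row["LastUsedDate"]
        used = datetime.fromisoformat(raw) if raw else None
        app["grants"] += 1
        app["users"].add(row["UserId"])
        app["calls"] += int(row["UseCount"])
        if used and (app["last_used"] is None or used > app["last_used"]):
            app["last_used"] = used
        if used is None or used < cutoff:
            app["stale_users"].append(row["UserId"])
    for name, app in apps.items():
        # in_scope: app name matches the affected vendor.
        app["in_scope"] = vendor.lower() in name.lower()
        # dormant: every grant for the app is stale, so it is a removal candidate.
        app["dormant"] = len(app["stale_users"]) == app["grants"]
    return apps

if __name__ == "__main__":
    now = datetime(2025, 11, 21, tzinfo=timezone.utc)
    for name, app in summarize_grants(SAMPLE_EXPORT, "gainsight", now).items():
        print(name, app["in_scope"], app["dormant"], app["calls"], app["stale_users"])
```

Tokens that have already been revoked will not appear in a current grant export, so the access history still has to come from logs.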

Why OAuth Tokens Continue to Be High-Value Targets

OAuth tokens remain one of the most abused access vectors across modern SaaS environments for several reasons:

• They bypass MFA

• They frequently carry broad read and write permissions

• They can persist for long periods without rotation

• They are approved by business users who may not understand the security implications

• They generate activity that often blends into the noise of normal API operations

The combination of trust, scope, and low visibility makes OAuth tokens a reliable path for threat actors who want to extract data or move laterally across SaaS environments.

A Growing Pattern of OAuth-Focused Attacks

The Salesforce ecosystem has experienced several major OAuth-related incidents over the past few months:

• The Drift and Salesloft incident, where attackers leveraged stolen OAuth tokens to access Salesforce and Google Workspace

• The Google / Salesforce vishing campaign, where attackers obtained OAuth-backed access under trusted identities

The takeaway is consistent. Attackers have learned that it is significantly easier to compromise an integration than the SaaS platform itself.

This incident follows that same pattern.

What Security Teams Should Do

Regardless of how this incident evolves, the recommended response is clear and aligned with best practices for all OAuth incidents.

1. Review connected apps and remove unnecessary integrations

Focus on anything unused, unapproved, or carrying more privilege than needed.

2. Regularly rotate all OAuth tokens and credentials

Do not wait for a vendor advisory. Token rotation is the safest immediate response.

3. Monitor Salesforce OAuth events and API activity

Look for unusual API spikes, data export behavior, new endpoints accessed, or activity occurring outside normal patterns.

4. Confirm business owner approvals for existing and new integrations

Decentralized SaaS adoption increases the likelihood of risky or shadow integrations.

5. Validate that your security tools identify shadow SaaS and unmanaged apps

Many organizations underestimate the number of integrations connected to their SaaS platforms. Visibility is foundational.
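The monitoring in step 3, sketched as an added example that is not from the original post or from Salesforce or Valence: a per-integration baseline of known endpoints, active hours and peak hourly volume, checked against a later review window. The log line format (`timestamp app endpoint`, timestamps assumed UTC), the app name and the endpoints are assumptions and do not reflect Salesforce's actual event log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data: the app name, endpoints and volumes are invented.
BASELINE = [f"2025-11-{d:02d}T{h:02d}:{m:02d}:00 ReportSync /query"
            for d in range(10, 15) for h in range(9, 18) for m in (5, 25, 45)]
REVIEW = (["2025-11-17T10:05:00 ReportSync /query"]
          + [f"2025-11-18T02:{m:02d}:00 ReportSync /bulk/export" for m in range(20)])

def parse(line):
    """Parse 'ISO-timestamp app endpoint' into (datetime, app, endpoint)."""
    ts, app, endpoint = line.split()
    return datetime.fromisoformat(ts), app, endpoint

def build_baseline(lines):
    """Per app: known endpoints, active hours of day, calls per clock hour."""
    base = defaultdict(lambda: {"endpoints": set(), "hours": set(),
                                "per_hour": Counter()})
    for ts, app, endpoint in map(parse, lines):
        b = base[app]
        b["endpoints"].add(endpoint)
        b["hours"].add(ts.hour)
        b["per_hour"][ts.replace(minute=0, second=0)] += 1
    return base

def detect(lines, base, spike_factor=3):
    """Return sorted (app, finding, detail) tuples for the review window."""
    findings, per_hour = set(), Counter()
    for ts, app, endpoint in map(parse, lines):
        b = base.get(app)
        if b is None:  # integration never seen during the baseline period
            findings.add((app, "unknown_app", endpoint))
            continue
        if endpoint not in b["endpoints"]:
            findings.add((app, "new_endpoint", endpoint))
        if ts.hour not in b["hours"]:
            findings.add((app, "off_hours", f"{ts.hour:02d}:00"))
        per_hour[(app, ts.replace(minute=0, second=0))] += 1
    for (app, hour), n in per_hour.items():
        peak = max(base[app]["per_hour"].values())
        if n > spike_factor * peak:  # hourly volume far above baseline peak
            detail = f"{hour.isoformat()} {n} calls, baseline peak {peak}"
            findings.add((app, "volume_spike", detail))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(REVIEW, build_baseline(BASELINE)):
        print(finding)
```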

How Valence Helps Reduce This Attack Surface

Valence provides deep, continuous visibility into SaaS integrations and identity behavior across your environment, including Salesforce. The comprehensive SaaS security platform provides:

• Powerful discovery of every SaaS app and AI tool across your ecosystem

• Detailed visibility into OAuth scopes, permissions, and access behavior

• Identification of unused, risky, or overly permissive integrations

• Continuous monitoring for suspicious API activity

• Identity-aware analysis for human and non-human access

• Remediation workflows for token rotation, permission reduction, and integration cleanup

Most organizations do not have a complete inventory of the integrations business units connect to Salesforce, Google Workspace, GitHub, or other core systems. Valence helps security teams find these unknown access paths and control the risk before attackers exploit them.

Conclusion

The Salesforce and Gainsight OAuth incident reinforces a shift that is already well underway. Attackers are focusing on the integrations, automations, and cross-SaaS connections that organizations rely on every day. These access paths bypass traditional identity controls and provide extensive visibility into critical business data when misused.

Reducing this risk requires comprehensive visibility into OAuth tokens, connected apps, and the behavior of third-party integrations. Security teams that invest in governing these access paths will be significantly better positioned to prevent or contain incidents like this.

If you want to understand whether similar exposures exist in your environment, schedule a free SaaS Risk Assessment.
