Gainsight-Salesforce OAuth incident: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: A third-party OAuth incident tied to Gainsight-published Salesforce apps shows how stolen refresh tokens can let attackers act with legitimate access across customer environments, according to Oasis Security. The lesson is that connected-app trust, token lifetime, and vendor offboarding are now core identity controls, not SaaS integration details.

NHIMG editorial — based on content published by Oasis Security covering the Gainsight-Salesforce OAuth incident: The Gainsight - Salesforce OAuth Incident: What Happened and What to Do Next

By the numbers:

Questions worth separating out

Q: What breaks when a third-party OAuth refresh token is stolen?

A: A stolen refresh token can keep generating valid access tokens until it is revoked or expires, which means the attacker can keep acting as the approved integration rather than as a noisy intruder.

Q: Why do delegated SaaS integrations complicate identity governance?

A: They complicate governance because the access is often granted by business users or vendor workflows, yet the blast radius reaches production data and privileged APIs.

Q: How do security teams know if a connected app is overprivileged?

A: Look for apps that can reach more objects, environments, or actions than their business function requires, especially if they use admin users or broad OAuth scopes.

Practitioner guidance

  • Inventory every connected app and delegated OAuth grant: create a live register of which vendor apps can reach which Salesforce objects, scopes, and environments.
  • Reduce refresh-token exposure wherever functionality allows: review whether each integration truly requires refresh tokens or whether short-lived access and reauthentication can satisfy the use case.
  • Rebuild Salesforce integrations around a single integration identity: replace user-spread approvals with one dedicated least-privileged integration account per use case.

What's in the full analysis

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for reauthorising the Salesforce connected app safely after token revocation.
  • Published indicators of compromise, including the IP addresses and user-agent strings tied to the incident.
  • Detailed remediation guidance for developers and admins deciding whether refresh tokens are actually required.
  • Practical checks for identifying stale OAuth grants, inactive integration users, and overbroad permissions.

👉 Read Oasis Security's analysis of the Gainsight-Salesforce OAuth incident →

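The inventory and over-privilege checks described in the practitioner guidance above, as an added example that is not part of the original post or of Oasis Security's material: a small Python checker that runs over a register of connected-app grants and flags excess scopes, excess environments, refresh tokens the use case does not need, admin-user approvals, stale grants, apps approved by several users (candidates for a single integration identity), and everything that must be revoked when one vendor is offboarded. The grant records, vendor and app names, field names, scope labels, per-app requirement policy and the 30-day staleness threshold are all constructed for the example; they are not a Salesforce API and not indicators from the incident.

```python
"""Constructed OAuth-grant register checker (illustrative, not a Salesforce API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes treated as broad for this example: any of them grants far more than a
# narrow integration usually needs.  (Assumption, not a Salesforce scope list.)
BROAD_SCOPES = frozenset({"full", "refresh_token", "offline_access"})


@dataclass(frozen=True)
class Grant:
    """One delegated OAuth grant as it would appear in an inventory export."""
    app: str                  # connected app name
    vendor: str               # publishing vendor
    approved_by: str          # user who approved the grant
    approver_is_admin: bool   # was the approver an admin user?
    scopes: frozenset         # OAuth scopes actually granted
    environments: frozenset   # e.g. {"prod"} or {"prod", "sandbox"}
    has_refresh_token: bool   # does a live refresh token exist for this grant?
    last_used: datetime       # last time a token from this grant was used


@dataclass(frozen=True)
class Requirement:
    """What the business function actually needs (hypothetical per-app policy)."""
    scopes: frozenset
    environments: frozenset
    needs_offline_access: bool


def check_grant(grant, req, now, stale_after=timedelta(days=30)):
    """Return finding tags for one grant measured against its requirement."""
    findings = []
    excess = grant.scopes - req.scopes
    if excess:
        findings.append("excess-scopes:" + ",".join(sorted(excess)))
    if grant.scopes & BROAD_SCOPES:
        findings.append("broad-scope")
    if grant.environments - req.environments:
        findings.append("excess-environments")
    if grant.has_refresh_token and not req.needs_offline_access:
        findings.append("refresh-token-not-required")
    if grant.approver_is_admin:
        findings.append("admin-user-approval")
    if now - grant.last_used > stale_after:
        findings.append("stale")
    return findings


def audit(register, requirements, now):
    """Map (app, approved_by) -> findings for every grant with at least one finding."""
    report = {}
    for grant in register:
        findings = check_grant(grant, requirements[grant.app], now)
        if findings:
            report[(grant.app, grant.approved_by)] = findings
    return report


def user_spread_apps(register):
    """Apps approved by more than one user: candidates for one integration identity."""
    approvers = {}
    for grant in register:
        approvers.setdefault(grant.app, set()).add(grant.approved_by)
    return {app for app, users in approvers.items() if len(users) > 1}


def vendor_offboarding_list(register, vendor):
    """Every grant that must be revoked when the named vendor is offboarded."""
    return [(g.app, g.approved_by) for g in register if g.vendor == vendor]


# Constructed sample register: names and values are made up for this example.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
REGISTER = [
    Grant("ExampleCS App", "ExampleVendor", "alice", False,
          frozenset({"api", "refresh_token"}), frozenset({"prod"}),
          True, NOW - timedelta(days=2)),
    Grant("ExampleCS App", "ExampleVendor", "bob-admin", True,
          frozenset({"full", "refresh_token"}), frozenset({"prod", "sandbox"}),
          True, NOW - timedelta(days=90)),
    Grant("ReportSync", "OtherVendor", "carol", False,
          frozenset({"api"}), frozenset({"prod"}),
          False, NOW - timedelta(days=1)),
]
REQUIREMENTS = {
    "ExampleCS App": Requirement(frozenset({"api"}), frozenset({"prod"}), False),
    "ReportSync": Requirement(frozenset({"api"}), frozenset({"prod"}), False),
}

if __name__ == "__main__":
    for key, findings in audit(REGISTER, REQUIREMENTS, NOW).items():
        print(key, findings)
    print("user-spread apps:", user_spread_apps(REGISTER))
    print("revoke on offboarding:", vendor_offboarding_list(REGISTER, "ExampleVendor"))
```

Running it reports both ExampleCS App grants (the admin-approved one collects every finding, including a stale refresh token in the sandbox), leaves the narrowly scoped ReportSync grant out of the report, names ExampleCS App as user-spread, and lists both of its grants for revocation on vendor offboarding. In practice the `Requirement` entries are the part that takes effort: they are the written statement of what each integration needs, and without them "overprivileged" has no baseline.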

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 920

Refresh-token trust debt is the core failure mode this incident exposes. The problem was not a broken Salesforce platform but a delegated access model that allowed long-lived tokens to persist after upstream credentials were compromised. That is what makes the blast radius so difficult to contain: the token remains valid even when the original security assumption has already failed. Practitioners should treat every refresh token as accumulated trust that eventually has to be paid down.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a vendor OAuth grant is abused?

A: Accountability usually sits with the customer for granting and monitoring access, and with the vendor for how its own credentials, tokens, and apps are protected. The practical control point is shared visibility, because neither side can manage the blast radius alone once delegated access exists.

👉 Read our full editorial: Gainsight-Salesforce OAuth incident exposes refresh-token trust gaps
