Salesloft and Gainsight integration breaches: what IAM teams missed


Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: According to Hush Security's analysis, the Salesloft and Gainsight breaches showed how compromised integration tokens and their OAuth scopes let an attacker bypass MFA, enter Salesforce through a legitimate integration path, and reach downstream secrets such as Snowflake tokens and cloud keys. The real problem is not a platform weakness but over-trusted non-human identities whose scopes and persistence outlive the controls built around them.

NHIMG editorial, based on Hush Security's article covering the Salesloft and Gainsight breaches, "What the Salesloft and Gainsight breaches really tell us about NHI risk".

Questions worth separating out

Q: What breaks when an integration token is treated as low risk?

A: The access model breaks first. A token that is never MFA-challenged, rarely reviewed, and granted broad scopes gives whoever holds it the same legitimate-looking access as the integration itself, so the controls built around human logins never fire.

Q: Why do third-party SaaS integrations increase blast radius?

A: They increase blast radius because one trusted app can reach multiple systems, data stores, and secret locations at once.

Q: How should teams govern OAuth apps with elevated scopes?

A: Treat them as first-class identities with owners, approved scopes, review dates, and revocation paths.

Practitioner guidance

  • Map every integration by scope and downstream reach. Build an inventory of all OAuth apps, service accounts, and connected bots that touch Salesforce or similar SaaS platforms.
  • Revoke third-party tokens on a shorter lifecycle. Set explicit ownership and expiration for every integration token, then remove anything that still has broad access after the business use case changes.
  • Separate secrets from integration-readable data. Remove API keys, cloud access credentials, and other reusable secrets from systems that integrations can inspect unless there is a documented operational need.
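The three steps above, carried out against a constructed inventory, as an added example for this post (not code from Hush Security, NHIMG, Salesloft, Gainsight or Salesforce). The inventory field names, the scope names treated as broad, the review thresholds and the sample records are all assumptions. The script flags integrations that have no named owner, broad scopes, a token older than the review window, an idle token, an ended business use case, or reach into more than one downstream system, and it scans integration-readable record fields for credential-shaped strings such as AWS access key IDs or labelled tokens.

```python
# Added example for this post: illustrative code, not code from Hush
# Security, Salesloft, Gainsight or Salesforce. Field names, scope names,
# thresholds and sample records are constructed assumptions.
from datetime import date, timedelta
import re

# Scopes that let an integration do roughly everything its user could.
# Assumption: Salesforce-style scope names; adjust per platform.
BROAD_SCOPES = {"full", "api", "refresh_token", "web"}

# Secret-shaped strings that should not sit in integration-readable fields.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "labelled_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*\S{8,}"),
}

TODAY = date(2025, 11, 30)  # fixed so the run is reproducible


def days_ago(n):
    return TODAY - timedelta(days=n)


# Constructed inventory of three connected apps touching one Salesforce org.
INVENTORY = [
    {"name": "sales-engagement-connector", "owner": None,
     "scopes": ["api", "refresh_token"], "issued": days_ago(400),
     "last_used": days_ago(2), "business_use_active": True,
     "reaches": ["salesforce", "snowflake", "aws"]},
    {"name": "support-chatbot", "owner": "support-eng",
     "scopes": ["chatter_api"], "issued": days_ago(30),
     "last_used": days_ago(60), "business_use_active": False,
     "reaches": ["salesforce"]},
    {"name": "weekly-report-bot", "owner": "revops",
     "scopes": ["id"], "issued": days_ago(10),
     "last_used": days_ago(1), "business_use_active": True,
     "reaches": ["salesforce"]},
]

# Constructed records that any integration holding "api" scope could read.
RECORDS = [
    {"id": "0011", "fields": {"Name": "Acme export",
     "Notes__c": "Temp AWS key AKIAIOSFODNN7EXAMPLE for the export job"}},
    {"id": "0012", "fields": {"Name": "Warehouse sync",
     "Description": "Snowflake token: sfk_AbCdEf0123456789"}},
    {"id": "0013", "fields": {"Name": "Renewal call",
     "Description": "Discussed pricing; follow up next week"}},
]


def review_integration(app, today=TODAY, max_token_age_days=90, max_idle_days=30):
    """Return the reasons an integration identity should be revoked or re-scoped."""
    findings = []
    if not app.get("owner"):
        findings.append("no named owner")
    broad = sorted(set(app["scopes"]) & BROAD_SCOPES)
    if broad:
        findings.append("broad scopes: " + ", ".join(broad))
    if (today - app["issued"]).days > max_token_age_days:
        findings.append(f"token older than {max_token_age_days} days")
    if (today - app["last_used"]).days > max_idle_days:
        findings.append(f"unused for more than {max_idle_days} days")
    if not app["business_use_active"]:
        findings.append("business use case ended but access remains")
    if len(app["reaches"]) > 1:
        findings.append("reaches %d downstream systems: %s"
                        % (len(app["reaches"]), ", ".join(app["reaches"])))
    return findings


def revocation_queue(apps, today=TODAY):
    """Names of apps with at least one finding, in inventory order."""
    return [a["name"] for a in apps if review_integration(a, today)]


def find_secrets_in_records(records):
    """(record id, field, pattern name) for every secret-shaped value found."""
    hits = []
    for rec in records:
        for field, value in rec["fields"].items():
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(value):
                    hits.append((rec["id"], field, label))
    return hits


if __name__ == "__main__":
    for app in INVENTORY:
        print(app["name"], "->", review_integration(app) or ["ok"])
    print("revoke or re-scope:", revocation_queue(INVENTORY))
    print("secrets reachable by integrations:", find_secrets_in_records(RECORDS))
```

Running it queues the unowned, over-scoped connector that reaches three systems and the chatbot whose business use case has ended, leaves the tightly scoped report bot alone, and surfaces the two records holding an AWS key ID and a labelled Snowflake token. The same checks apply to any SaaS platform once the inventory is exported; the point is that each finding maps to a named action (assign an owner, narrow scopes, rotate, revoke, or move the secret out of integration reach).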

What's in the full article

Hush Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The token and scope chain behind the Salesloft and Gainsight incidents, including how trusted integrations were abused.
  • The downstream secrets and connected systems exposed after the initial access path was established.
  • The vendor's incident-handling context, including revocation actions and app removal decisions.
  • The specific breach timeline and attribution details that practitioners may need for internal reporting.

👉 Read Hush Security's analysis of the Salesloft and Gainsight NHI breaches →
