NHI Forum


Gainsight and Salesforce OAuth Incident: Lessons in Credential Security and Mitigation


(@oasis-security)
Estimable Member
Joined: 5 months ago
Posts: 48
Topic starter

Read full article here: https://www.oasis.security/blog/gainsight-salesforce-oauth-incident/?utm_source=nhimg


In late November 2025, Salesforce detected unusual activity linked to Gainsight’s AppExchange applications, prompting an urgent response. The incident is not a Salesforce platform vulnerability, but rather an abuse of trusted third-party OAuth access. Attackers exploited compromised credentials from Gainsight, gaining access to OAuth refresh tokens, which provide long-lived API access to Salesforce environments.

Why This Matters

Gainsight is a critical Customer Success Platform, widely integrated with Salesforce to manage customer data, track health scores, and drive cross-team insights. The compromise of OAuth refresh tokens allowed attackers to access sensitive Salesforce data directly, with the potential to extract credentials and confidential records.

How It Happened

  • Gainsight had previously been impacted by the “Salesloft Drift” hacking campaign, which exposed internal credentials.
  • Using those credentials, attackers obtained OAuth refresh tokens for Gainsight–Salesforce integrations.
  • Unlike short-lived access tokens, refresh tokens can generate new access tokens over weeks or months, making them extremely sensitive.
  • Salesforce responded by revoking all active access and refresh tokens and notifying affected customers.

Immediate Actions for Organizations

  1. Limit refresh-token usage: Only request them if functionally necessary; review vendor permissions.
  2. Maintain a real-time inventory of third-party access: Track which vendors access which systems for faster response.
  3. Review Salesforce logs for IoCs: Check IPs and user-agent strings provided by Salesforce.
  4. Rotate credentials and integration tokens: Proactively rotate even if no official notification has been received.

Reauthorizing Gainsight Safely

  • Use a dedicated, least-privileged integration user instead of admin accounts.
  • Enable “Admin approved users are pre-authorized” in Salesforce Connected Apps to prevent token sprawl.
  • Regularly audit integration users and OAuth grants to remove stale or over-privileged tokens.

Key Takeaway

This incident highlights that third-party OAuth access is part of your identity perimeter. Attackers increasingly target connected apps, refresh tokens, and non-human identities rather than hardened SaaS platforms. Defenders must implement continuous inventory, least-privilege access, short-lived tokens, and rapid revocation practices to reduce risk.

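An added example, not code from the post or from Oasis Security, of the two checks items 2 and 3 under "Immediate Actions" describe: comparing OAuth token-usage records against an inventory of approved integrations and against the IP and user-agent indicators a vendor notice supplies. The CSV layout, the inventory, the sample records and the indicator values are all constructed for this example and are not Salesforce's real log schema or real IoCs.

```python
# Added example, not code from the post or from Oasis Security: triage OAuth
# token-usage records against an inventory of approved integrations and a list
# of indicators. The CSV layout, the inventory and the indicator values are
# all constructed, not Salesforce's real log schema or real IoCs.
import csv
import io
from dataclasses import dataclass

# Constructed sample records: one line per OAuth token use by a connected app.
SAMPLE_LOG = """timestamp,connected_app,user,grant_type,client_ip,user_agent
2025-11-20T09:01:00Z,Gainsight,gainsight.integration@example.com,refresh_token,203.0.113.10,Gainsight-Connector/4.2
2025-11-20T09:05:00Z,Gainsight,admin@example.com,refresh_token,203.0.113.10,Gainsight-Connector/4.2
2025-11-20T11:17:00Z,Gainsight,gainsight.integration@example.com,refresh_token,198.51.100.77,python-requests/2.31
2025-11-20T12:40:00Z,UnknownSyncTool,svc.sync@example.com,refresh_token,192.0.2.5,curl/8.4
2025-11-20T13:00:00Z,Gainsight,gainsight.integration@example.com,authorization_code,203.0.113.10,Gainsight-Connector/4.2
"""

# Inventory: connected app -> its dedicated least-privileged integration user.
APPROVED_INTEGRATIONS = {"Gainsight": "gainsight.integration@example.com"}
# Placeholder indicators; real values come from the Salesforce/vendor notice.
IOC_IPS = {"198.51.100.77"}
IOC_USER_AGENTS = {"python-requests/2.31"}


@dataclass
class Finding:
    timestamp: str
    connected_app: str
    code: str  # APP_NOT_IN_INVENTORY, NON_INTEGRATION_USER, IOC_IP, IOC_USER_AGENT


def triage(log_text, approved=APPROVED_INTEGRATIONS,
           ioc_ips=IOC_IPS, ioc_user_agents=IOC_USER_AGENTS):
    """Return one Finding per inventory mismatch or indicator hit, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        app, ts = row["connected_app"], row["timestamp"]
        if app not in approved:  # nobody authorized this integration
            findings.append(Finding(ts, app, "APP_NOT_IN_INVENTORY"))
        elif row["user"] != approved[app]:  # e.g. an admin account was used
            findings.append(Finding(ts, app, "NON_INTEGRATION_USER"))
        if row["client_ip"] in ioc_ips:
            findings.append(Finding(ts, app, "IOC_IP"))
        if row["user_agent"] in ioc_user_agents:
            findings.append(Finding(ts, app, "IOC_USER_AGENT"))
    return findings


def apps_to_revoke(findings):
    """Connected apps whose tokens should be revoked and re-authorized."""
    return sorted({f.connected_app for f in findings})
```

Every app that appears in a finding is a candidate for token revocation and re-authorization with a dedicated integration user, which is the reauthorization path the post recommends.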