NHI Forum

Notifications

Clear all

How the Latest Salesforce OAuth Breach Impacts Enterprise Identity Security

Astrix Security · 2025-12-01T15:08:07Z

Read full article here: Salesforce has issued a security advisory after detecting unauthorized access to customer data through compromised Gainsight application OAuth tokens. Threat actors leveraged these non-human identities (NHIs) to access multiple Salesforce instances, prompting immediate revocation of all active access and refresh tokens for Gainsight-published apps and temporary removal from the AppExchange. Attack Overview The breach unfolded in three distinct phases: Reconnaissance (Oct 23, 2025): Initial token validation testing via AWS Lambda from IP 3.239.45.43 using the python/3.11 aiohttp/3.13.1 user agent. Testing (Nov 16–18, 2025): Preliminary exfiltration attempts from proxy IPs using python-requests/X.X.X. Mass Exfiltration (Nov 18–19, 2025): Large-scale data extraction with the batch tool Salesforce-Multi-Org-Fetcher/1.0 from multiple VPN/proxy IPs. The prolific hacking group ShinyHunters claimed responsibility, reportedly accessing roughly 285 additional Salesforce instances following the Salesloft Drift breach in August. Why This Matters: Non-Human Identities Are the Target This incident highlights a recurring threat pattern: attackers increasingly target third-party integrations rather than individual users. In modern SaaS environments: OAuth tokens act as persistent, high-privileged NHIs. Tokens often go unmonitored across integrations. Compromise of a single token can yield access to entire customer environments, bypassing traditional perimeter controls. In essence, attackers inherit the privileges of the compromised token, enabling unauthorized data access and exfiltration without ever needing a user password. Immediate Actions for Impacted Organizations Security teams should treat all Gainsight-connected tokens and integrations as potentially compromised. Recommended steps: Revoke and rotate Gainsight credentials: Confirm all Gainsight-connected OAuth tokens in Salesforce are revoked. Disable or lock down related integration users. Rotate any remaining credentials previously shared with Gainsight. Audit third-party integrations: Enforce least-privilege access for all connected apps. Identify potential “backdoor” integrations created by attackers. Review Salesforce Data Access Logs: Look for anomalous bulk API calls or unusual data exports initiated by Gainsight users before revocation. Assume data exposure and rotate secrets: Rotate keys, tokens, and passwords associated with customer support data, attachments, or other sensitive resources accessed by Gainsight. Monitor official channels: Salesforce: Gainsight: Engage experts: Conduct a thorough NHI inventory to ensure all compromised identities are identified and secured. Gainsight Identifiers to Check Slack App IDs: A5FKXF3EV, ACUQBEDTL, AJHA60Q5C, A06MHS5K0SG Entra ID Application IDs: 6cd07c04-af3e-4917-b505-32a49a792f7c, 5be4377f-a2de-423d-b433-c9ce8016eb92 Google Workspace OAuth Client IDs: 982040983797, 674556516982, 909983063050 Chrome Extension ID: kbiepllbcbandmpckhoejbgcaddcpbno These identifiers help pinpoint critical integrations across environments. The Bigger Picture: NHIs as a Growing Attack Surface The Gainsight and Salesloft incidents underscore a critical truth: non-human identities are increasingly the primary target in supply-chain and OAuth attacks. Persistent privileges: Long-lived tokens often outlive their intended scope. Lack of visibility: Security teams cannot secure what they cannot see. Cross-organization risk: Third-party applications can bridge multiple systems, amplifying potential exposure. Organizations must implement continuous NHI discovery, token rotation, and identity-bound access to defend against these evolving threats. Key Takeaways OAuth tokens and service accounts are high-value NHIs and must be managed with the same rigor as human identities. Rapid discovery, rotation, and auditing of third-party integrations are critical after any compromise. Visibility into NHIs across SaaS, CI/CD, and cloud platforms is essential to prevent recurring supply-chain attacks.

Last Post

RSS

Astrix Security

(@astrix)

Trusted Member

Joined: 10 months ago

Posts: 32

Topic starter 01/12/2025 3:08 pm

Read full article here: https://astrix.security/learn/blog/salesforce-advisor-gainsight-breach/?utm_source=nhimg

Salesforce has issued a security advisory after detecting unauthorized access to customer data through compromised Gainsight application OAuth tokens. Threat actors leveraged these non-human identities (NHIs) to access multiple Salesforce instances, prompting immediate revocation of all active access and refresh tokens for Gainsight-published apps and temporary removal from the AppExchange.

Attack Overview

The breach unfolded in three distinct phases:

Reconnaissance (Oct 23, 2025): Initial token validation testing via AWS Lambda from IP 3.239.45.43 using the python/3.11 aiohttp/3.13.1 user agent.
Testing (Nov 16–18, 2025): Preliminary exfiltration attempts from proxy IPs using python-requests/X.X.X.
Mass Exfiltration (Nov 18–19, 2025): Large-scale data extraction with the batch tool Salesforce-Multi-Org-Fetcher/1.0 from multiple VPN/proxy IPs.

The prolific hacking group ShinyHunters claimed responsibility, reportedly accessing roughly 285 additional Salesforce instances following the Salesloft Drift breach in August.

Why This Matters: Non-Human Identities Are the Target

This incident highlights a recurring threat pattern: attackers increasingly target third-party integrations rather than individual users. In modern SaaS environments:

OAuth tokens act as persistent, high-privileged NHIs.
Tokens often go unmonitored across integrations.
Compromise of a single token can yield access to entire customer environments, bypassing traditional perimeter controls.

In essence, attackers inherit the privileges of the compromised token, enabling unauthorized data access and exfiltration without ever needing a user password.

Immediate Actions for Impacted Organizations

Security teams should treat all Gainsight-connected tokens and integrations as potentially compromised. Recommended steps:

Revoke and rotate Gainsight credentials:
- Confirm all Gainsight-connected OAuth tokens in Salesforce are revoked.
- Disable or lock down related integration users.
- Rotate any remaining credentials previously shared with Gainsight.
Audit third-party integrations:
- Enforce least-privilege access for all connected apps.
- Identify potential “backdoor” integrations created by attackers.
Review Salesforce Data Access Logs:
- Look for anomalous bulk API calls or unusual data exports initiated by Gainsight users before revocation.
Assume data exposure and rotate secrets:
- Rotate keys, tokens, and passwords associated with customer support data, attachments, or other sensitive resources accessed by Gainsight.
Monitor official channels:
- Salesforce:
- Gainsight:
Engage experts:
- Conduct a thorough NHI inventory to ensure all compromised identities are identified and secured.

Gainsight Identifiers to Check

Slack App IDs: A5FKXF3EV, ACUQBEDTL, AJHA60Q5C, A06MHS5K0SG
Entra ID Application IDs: 6cd07c04-af3e-4917-b505-32a49a792f7c, 5be4377f-a2de-423d-b433-c9ce8016eb92
Google Workspace OAuth Client IDs: 982040983797, 674556516982, 909983063050
Chrome Extension ID: kbiepllbcbandmpckhoejbgcaddcpbno

These identifiers help pinpoint critical integrations across environments.

The Bigger Picture: NHIs as a Growing Attack Surface

The Gainsight and Salesloft incidents underscore a critical truth: non-human identities are increasingly the primary target in supply-chain and OAuth attacks.

Persistent privileges: Long-lived tokens often outlive their intended scope.
Lack of visibility: Security teams cannot secure what they cannot see.
Cross-organization risk: Third-party applications can bridge multiple systems, amplifying potential exposure.

Organizations must implement continuous NHI discovery, token rotation, and identity-bound access to defend against these evolving threats.

Key Takeaways

OAuth tokens and service accounts are high-value NHIs and must be managed with the same rigor as human identities.
Rapid discovery, rotation, and auditing of third-party integrations are critical after any compromise.
Visibility into NHIs across SaaS, CI/CD, and cloud platforms is essential to prevent recurring supply-chain attacks.

Quote

Topic Tags

Astrix Security

Forum Statistics

8 Forums

847 Topics

865 Posts

3 Online

108 Members

Latest Post: Prevention-First Security: Orange Business’ Secrets Transformation Journey Our newest member: beondenood Recent Posts Unread Posts Tags

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

#1 Authority in NHI Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs).

Get in Touch

Quick Links

NHI News

Legal & Policies