NHI Forum


Preventing OAuth Credential Exposure: Lessons from Gainsight–Salesforce


(@token)
Trusted Member
Joined: 7 months ago
Posts: 33

Read full article here: https://www.token.security/blog/mitigating-the-gainsight-salesforce-breach-risk/?utm_source=nhimg

In November 2025, attackers compromised OAuth tokens for Gainsight’s Salesforce AppExchange applications, granting unauthorized access to customers’ Salesforce data. Salesforce confirmed abnormal activity, revoked all Gainsight-issued tokens, and emphasized that this was not a Salesforce platform vulnerability, but an abuse of a trusted third-party integration.

Scope of the Incident

  • Over 200 Salesforce instances were potentially impacted.

  • Gainsight integrates with multiple platforms, including Salesforce, Google Workspace, Microsoft 365, Zoom, and Snowflake, amplifying potential impact.

  • OAuth access and refresh tokens allowed attackers to execute API calls and exfiltrate data, bypassing built-in platform security.

  • The breach reflects a growing trend of SaaS supply-chain attacks, targeting trusted third-party apps rather than core platform vulnerabilities.

Key Mitigation Steps

  1. Rotate All Credentials Immediately: Revoke or rotate every token, API key, and secret across affected systems.

  2. Enforce Network Restrictions: Restrict token usage to trusted IP ranges or environments.

  3. Scan for Secrets and Audit Integrations: Discover lingering credentials and map the full integration footprint.

  4. Review OAuth Permissions and Scopes: Remove unnecessary privileges and enforce least privilege.

  5. Enable Continuous Monitoring: Track service account activity and integration usage for anomalies.

  6. Conduct a Focused Security Assessment: Determine accessed systems, data flows, and any unauthorized modifications.

  7. Coordinate with Vendors: Follow remediation guidance from both the third-party vendor and the platform provider.

How Token Security Helped Customers Respond

  • Credential Inventory: Cataloged all Gainsight-related accounts and OAuth tokens across environments.

  • Rotation and Restrictions: Rotated credentials and implemented network restrictions for new tokens.

  • Monitoring and Threat Detection: Heightened logging and anomaly detection to ensure no ongoing abuse.

  • Customer Guidance: Advised on removing unused accounts, auditing downstream systems, and verifying data safety.

Takeaway

The Gainsight–Salesforce breach underscores that third-party OAuth access is part of your identity perimeter. Organizations must treat integrations, service accounts, and tokens with the same rigor as core infrastructure: maintain inventories, enforce least privilege, apply network restrictions, and continuously monitor for anomalies.
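Taking the post's mitigation steps 2 through 5 together (network restrictions, inventory, scope review, monitoring), the following is an added Python example, not code from the post or from Token Security, that reviews a constructed inventory of third-party OAuth grants and flags API usage from outside each grant's trusted ranges. The app names, scopes, IP ranges, dates and the baseline scope set are all assumptions made for the sample.

```python
import ipaddress
from datetime import date

# Constructed inventory of third-party OAuth grants (sample data, not a real tenant).
GRANTS = [
    {"app": "cs-analytics", "scopes": {"api", "refresh_token"},
     "last_used": "2025-11-18", "allowed_cidrs": ["203.0.113.0/24"]},
    {"app": "legacy-sync", "scopes": {"full", "refresh_token", "web"},
     "last_used": "2025-06-01", "allowed_cidrs": []},
]

# Constructed API-usage events: (app, source_ip, timestamp).
EVENTS = [
    ("cs-analytics", "203.0.113.25", "2025-11-18T09:12:00Z"),
    ("cs-analytics", "198.51.100.7", "2025-11-18T23:41:00Z"),  # outside trusted range
    ("legacy-sync", "192.0.2.44", "2025-06-01T10:00:00Z"),
]

# Assumed minimum scope set an integration of this kind needs (least privilege baseline).
BASELINE_SCOPES = {"api", "refresh_token"}


def review_grant(grant, today_iso, max_idle_days=90):
    """Return findings for one grant: excess scopes, missing IP restriction, dormant token."""
    findings = []
    excess = grant["scopes"] - BASELINE_SCOPES
    if excess:
        findings.append("excess scopes: " + ", ".join(sorted(excess)))
    if not grant["allowed_cidrs"]:
        findings.append("no network restriction")
    idle = (date.fromisoformat(today_iso) - date.fromisoformat(grant["last_used"])).days
    if idle > max_idle_days:
        findings.append(f"dormant for {idle} days")
    return findings


def flag_untrusted_usage(grants, events):
    """Return events whose source IP is outside the grant's trusted CIDRs.
    Grants without CIDRs yield no flags here; review_grant reports them instead."""
    cidrs = {g["app"]: [ipaddress.ip_network(c) for c in g["allowed_cidrs"]] for g in grants}
    flagged = []
    for app, ip, ts in events:
        nets = cidrs.get(app, [])
        if nets and not any(ipaddress.ip_address(ip) in n for n in nets):
            flagged.append((app, ip, ts))
    return flagged


if __name__ == "__main__":
    for g in GRANTS:
        print(g["app"], review_grant(g, "2025-11-20") or ["ok"])
    print("untrusted usage:", flag_untrusted_usage(GRANTS, EVENTS))
```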
