Overview
- Salesforce detected unusual activity involving Gainsight-published applications, revoked all active access and refresh tokens, removed the apps from the AppExchange, and notified affected customers.
- The company reported no indication of a Salesforce platform vulnerability, saying the activity appears linked to the external connection used by the Gainsight apps.
- Google’s Threat Intelligence Group said it is aware of more than 200 potentially affected Salesforce instances, with Mandiant assisting notifications and advising audits, token revocations, and credential rotation.
- Gainsight acknowledged Salesforce connection failures following the revocations and said its internal investigation is ongoing. Its app was also temporarily pulled from the HubSpot Marketplace as a precaution; no suspicious HubSpot activity was observed.
- ShinyHunters claimed responsibility and asserted access to additional Salesforce instances, echoing techniques seen in the August Salesloft/Drift incident, though the full scope remains unconfirmed.