Salesforce Suspends Gainsight-Linked Apps Amid Investigation into “Unusual Activity” and Potential Data Exposure

Salesforce has launched an investigation into what it described as “unusual activity” tied to applications published by Gainsight, which may have exposed customer data. In response, Salesforce has temporarily revoked access to the affected tools while it works to determine the scope of the incident.

According to a brief notice on its status site, Salesforce said that certain Gainsight-developed apps installed and managed by customers “may have enabled unauthorized access to certain customers’ Salesforce data.” It added that all active access to those applications has been revoked as a precaution. The company stressed there is “no indication that this issue resulted from any vulnerability in the Salesforce platform.”

Gainsight has confirmed it is cooperating with Salesforce while the investigation proceeds, although it has not provided any further detail on how or when the unauthorized access might have occurred.

Third-party Integrations: A Rising Attack Vector

While Salesforce has not yet released a full breakdown of the incident’s impact, this case highlights a broader trend in cybersecurity—attackers exploiting the integrations between major Software-as-a-Service (SaaS) platforms rather than striking the core systems themselves. Security researchers observe that access points offered by partner applications and connectors are increasingly viewed as high-value targets.

Jaime Blasco, co-founder of Nudge Security, commented that “Attackers don’t need to breach the core platform when they can compromise an integration with privileged access. This is the new attack surface.” Earlier this year, similar incidents affected customers of Salesforce and other cloud platforms via exploited third-party tools, underscoring the systemic risk posed by loosely secured integrations.

What Organizations Should Consider

Given the ongoing investigation, organizations using Salesforce and connected third-party applications like those developed by Gainsight should review their app-ecosystem permissions immediately. Enforcing strict least-privilege access, rotating credentials, and maintaining token-revocation procedures are key defensive steps. Companies may also want to suspend non-critical integrations temporarily and monitor for abnormal token usage or data-exfiltration patterns.

As the investigation continues, Salesforce and Gainsight have committed to updating affected customers and sharing guidance through official channels.
