Concise Cyber

Gainsight Data Breach: Stolen OAuth Tokens Compromise Salesforce Customer Data

Customer success platform Gainsight has confirmed a security incident in which a threat actor gained unauthorized access to customer data, including OAuth access tokens. These tokens were subsequently used to access customer instances within the Salesforce ecosystem. The incident highlights the ongoing security risks of third-party application integrations that hold long-lived credentials to customer systems.

The company’s security team first detected suspicious activity on February 20. Following this detection, Gainsight initiated an investigation with the assistance of a third-party cybersecurity firm to determine the scope and nature of the breach. Affected customers were officially notified of the security event on February 27.

Details of the Security Breach

The investigation revealed that the threat actor’s initial point of entry was the use of stolen credentials for a Gainsight employee’s account. This account belonged to an internal sandbox environment that was not intended to have access to production systems. However, the attacker managed to escalate privileges from this initial foothold.

This privilege escalation allowed the actor to gain unauthorized access to a production database. According to reports, this database contained a subset of customer data and, critically, OAuth access tokens. The threat actor successfully exfiltrated this data, including the tokens that grant access to connected Salesforce environments.

Gainsight’s Response and Customer Impact

In response to the breach, Gainsight took several immediate actions to mitigate the impact on its customers. The company revoked the compromised OAuth access tokens to prevent further unauthorized access to customer Salesforce instances. In addition, Gainsight disabled integrations for all impacted customers as a precautionary measure.

Gainsight provided guidance to its affected customers to help them secure their environments and investigate them for signs of malicious activity. The incident is another example of attackers targeting the Salesforce ecosystem through connected third-party applications, using stolen authentication tokens as the primary vector for compromise.

Source: https://www.csoonline.com/article/4094506/oauth-token-compromise-hits-salesforce-ecosystem-again-gainsight-impacted.html