Concise Cyber


Salesforce Confirms Unauthorized Data Access via Compromised Gainsight OAuth Token

Salesforce has officially notified customers of a security incident involving unauthorized access to customer data. The breach was traced back to a compromised OAuth token associated with the Gainsight customer success platform, a third-party application that integrates with Salesforce environments.

According to notifications sent to affected customers, an unauthorized third party used the compromised Gainsight-linked credentials to gain access. Salesforce's security team detected the suspicious activity originating from the compromised integration, which prompted an immediate investigation and response.

Details of the Unauthorized Access

The threat actor leveraged a compromised OAuth access token connected to the Gainsight application. OAuth tokens are a standard way of letting a third-party application access data in another service, such as Salesforce, without handing it the user's own credentials. In this case, the compromised token allowed the actor to exfiltrate data from customer instances in which the Gainsight application had been authorized.

Salesforce confirmed that upon detecting the unusual data extraction activity, it took steps to secure the affected environments. The company’s advisory did not specify the exact nature of the data that was accessed, as this would vary between affected customers based on their specific configurations and data fields.

Salesforce’s Response and Customer Guidance

In response to the incident, Salesforce immediately revoked the compromised access token to terminate the unauthorized access. The company then proceeded to notify all customers who were identified as being impacted by the threat actor’s activity. Salesforce explicitly stated that the incident did not originate from a vulnerability within its own core services.

The company provided guidance to its customers, recommending they review their own security audit logs and examine permissions granted to all connected third-party applications. This helps organizations verify the legitimacy of data access events and ensure that application permissions are aligned with the principle of least privilege.
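One way to act on that guidance, as an added example that is not Salesforce's or Gainsight's code: a small Python triage script that runs over constructed, exported audit-log rows, flags days on which a connected app's export volume or source IP departs from its own baseline, and lists OAuth scopes granted beyond what an integration needs. The record layout, the sample rows and the required-scope list are assumptions made for the illustration.

```python
"""Triage helper for reviewing connected-app activity after a third-party
OAuth token compromise. Added example, not Salesforce or Gainsight code.
The record layout is an assumption modelled on an exported audit log, and
the sample rows below are constructed for illustration only."""
from collections import defaultdict
from statistics import median

# Constructed sample rows: (date, connected_app, source_ip, rows_returned)
LOG = [
    ("2025-11-01", "Gainsight", "203.0.113.10", 1200),
    ("2025-11-02", "Gainsight", "203.0.113.10", 1350),
    ("2025-11-03", "Gainsight", "203.0.113.10", 1100),
    ("2025-11-04", "Gainsight", "203.0.113.10", 1280),
    ("2025-11-05", "Gainsight", "198.51.100.7", 98000),  # spike from a new IP
    ("2025-11-05", "Slack", "192.0.2.44", 40),
]

def daily_volume(log, app):
    """Rows returned per day for one connected app."""
    per_day = defaultdict(int)
    for date, name, _ip, rows in log:
        if name == app:
            per_day[date] += rows
    return dict(per_day)

def flag_anomalies(log, app, factor=5):
    """Return (date, kind, detail) findings: days where the app's export
    volume exceeds `factor` times the median of its other days, and days
    where it first used a source IP not seen for that app before."""
    volumes = daily_volume(log, app)
    findings = []
    for date, rows in sorted(volumes.items()):
        others = [v for d, v in volumes.items() if d != date]
        if others and rows > factor * median(others):
            findings.append((date, "volume", rows))
    seen = set()
    for date, name, ip, _rows in sorted(log):
        if name != app:
            continue
        if seen and ip not in seen:
            findings.append((date, "new_ip", ip))
        seen.add(ip)
    return findings

def excess_scopes(granted, required):
    """OAuth scopes granted to an app beyond what its integration needs;
    the caller supplies the minimum set agreed with the vendor (assumed)."""
    return sorted(set(granted) - set(required))
```

The volume check deliberately compares each day against the other days rather than a fixed threshold, so a long-running integration with a steady daily pull is not flagged while a sudden bulk pull is.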