Supply chain, Data Security

Hundreds impacted by Salesforce third-party breach

Salesforce American cloud-based software company in Manhattan, New York, NY, USA. August 24, 2024

More than 200 organizations may have had their Salesforce instances compromised following the breach of connected apps by Gainsight, The Register reports.

Third-party OAuth tokens have been leveraged by attackers associated with ShinyHunters to infiltrate the Salesforce instances, echoing the hacking group's attack campaign months ago, according to Google Threat Intelligence Group principal analyst Austin Larsen. All active access and refresh tokens linked to Gainsight apps have already been quashed by Salesforce, which also removed the impacted apps from AppExchange amid an ongoing investigation.

"There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app's external connection to Salesforce," said Salesforce spokesperson Allen Tsai.

Such a development should prompt organizations to conduct software-as-a-service environment audits, including reviews for Salesforce-connected third-party apps, noted Larsen, who also called for the revocation of unused or suspicious apps' tokens and the prompt rotation of credentials upon detection of suspicious activity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds