Blog
Nov 21, 2025 | 5 min

Mitigating the Gainsight–Salesforce Breach Risk with Token Security

Gainsight is a leading Customer Success Management (CSM) platform with deep integrations into systems like Salesforce. In November 2025, Gainsight suffered a major security breach in which attackers compromised OAuth tokens for its Salesforce AppExchange applications. These tokens allowed unauthorized access to customers’ Salesforce data. Salesforce confirmed abnormal activity through Gainsight’s connected app and responded by revoking all Gainsight-issued access and refresh tokens. Salesforce also emphasized the breach was not caused by a flaw in its platform, but stemmed from Gainsight’s external connection.

The incident’s scope was large. Google’s Threat Intelligence team identified more than 200 potentially affected Salesforce instances, and Gainsight serves around 1,000 customer organizations. Because Gainsight integrates with many platforms (Salesforce, Google Workspace, Microsoft 365, Zoom, Snowflake, and others), stolen OAuth credentials could be used to access multiple systems across its customer base. In response, Salesforce pulled Gainsight’s app from the AppExchange, and other marketplaces temporarily did the same. The event underscores how third-party integrations can become high-impact attack vectors.

The OAuth Token Compromise

This was a textbook SaaS supply-chain attack. Rather than exploiting vulnerabilities, attackers stole OAuth access tokens that allowed the Gainsight app to act inside customer Salesforce orgs. With these tokens, they executed API calls and exfiltrated data, bypassing Salesforce’s built-in security.

This attack resembles an August 2025 incident involving Salesloft’s Drift application, where attackers used stolen OAuth tokens to access data from more than 700 Salesforce customers. Over a billion Salesforce records were reportedly compromised in that case. These events highlight the rise of OAuth-based attacks: threat actors increasingly target third-party SaaS apps with wide, trusted access into enterprise environments. The Gainsight incident shows that organizations must scrutinize OAuth tokens and integrations with the same rigor applied to core infrastructure.

Our Recommended Actions to Mitigate OAuth Token Breaches

  1. Rotate All Credentials Immediately: Treat all credentials held by a breached app as compromised. Revoke or rotate every token, API key, and secret across all connected systems.
  2. Enforce Network Restrictions: Re-issue tokens bound to trusted IP ranges or cloud environments. Limit where tokens can be used to reduce abuse risk.
  3. Scan for Secrets and Audit App Footprint: Use secret scanning across code, configuration, custom data fields and cloud workloads to uncover any lingering credentials. Map out the integration’s full scope and permissions.
  4. Review OAuth Grants and Permissions: Remove unnecessary scopes and enforce least privilege. Reassess all connected apps and revoke unused or overly broad OAuth grants.
  5. Enable Comprehensive Monitoring: Monitor service accounts and integration activity as closely as user activity. Enable API logging and anomaly detection for all third-party integrations.
  6. Conduct a Focused Security Assessment: Determine exactly which systems the app accessed, what data was exchanged, and whether any unauthorized modifications occurred.
  7. Coordinate with Vendors: Follow updates, indicators of compromise, and remediation guidance from both the third-party vendor and the platform provider.
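As an added example (not Token Security’s code and not part of the original post), the following Python audit applies steps 2, 5 and 6 above to a handful of constructed integration API log records: it flags token use from outside an allowed network range, flags hour buckets whose row volume exceeds a baseline, and builds the per-app footprint of objects touched. The record field names, the sample events, the app name, the CIDR range and the threshold are all assumptions rather than any platform’s real log schema.

```python
"""Audit of third-party integration API activity (added example, not Token
Security's code). Checks: token use from outside an allowed network range,
unusual hourly data volume, and the objects each app touched."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed sample records for one connected app. The field names are an
# assumed normalised form, not any platform's real log schema. 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges, used here as placeholders.
SAMPLE_EVENTS = [
    {"ts": "2025-11-19T09:00:00Z", "app": "csm-connector", "src_ip": "203.0.113.10", "op": "query", "object": "Account", "rows": 120},
    {"ts": "2025-11-19T09:30:00Z", "app": "csm-connector", "src_ip": "203.0.113.11", "op": "query", "object": "Contact", "rows": 80},
    {"ts": "2025-11-19T10:05:00Z", "app": "csm-connector", "src_ip": "198.51.100.7", "op": "query", "object": "Account", "rows": 3000},
    {"ts": "2025-11-19T10:20:00Z", "app": "csm-connector", "src_ip": "198.51.100.7", "op": "query", "object": "Contact", "rows": 2500},
    {"ts": "2025-11-19T10:40:00Z", "app": "csm-connector", "src_ip": "198.51.100.7", "op": "query", "object": "Opportunity", "rows": 800},
    {"ts": "2025-11-19T11:00:00Z", "app": "csm-connector", "src_ip": "203.0.113.10", "op": "update", "object": "Account", "rows": 5},
]

# Assumed trusted egress range for the vendor's environment (step 2).
ALLOWED_CIDRS = ["203.0.113.0/24"]
# Assumed per-app hourly row baseline (step 5); derive it from historical logs.
ROWS_PER_HOUR_THRESHOLD = 5000


@dataclass(frozen=True)
class Finding:
    kind: str      # "untrusted_source" or "volume_anomaly"
    app: str
    detail: str


def audit_events(events, allowed_cidrs, rows_threshold):
    """Return (findings, footprint); footprint maps app -> set of objects touched."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    hourly_rows = defaultdict(int)   # (app, hour bucket) -> rows moved
    footprint = defaultdict(set)     # app -> objects accessed (step 6)

    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hour = ts.replace(minute=0, second=0)
        hourly_rows[(e["app"], hour)] += e["rows"]
        footprint[e["app"]].add(e["object"])

        # Network binding: a token bound to the vendor's range should never be
        # used from elsewhere; if it is, treat the token as compromised.
        ip = ipaddress.ip_address(e["src_ip"])
        if not any(ip in n for n in nets):
            findings.append(Finding(
                "untrusted_source", e["app"],
                f"{e['op']} {e['object']} ({e['rows']} rows) from {e['src_ip']} at {e['ts']}"))

    # Volume anomaly: reads far above the baseline are the exfiltration signal
    # the API logging in step 5 exists to surface.
    for (app, hour), rows in sorted(hourly_rows.items()):
        if rows > rows_threshold:
            findings.append(Finding(
                "volume_anomaly", app,
                f"{rows} rows in hour starting {hour.isoformat()} (threshold {rows_threshold})"))

    return findings, {app: set(objs) for app, objs in footprint.items()}


def run_sample():
    """Run the audit over the constructed sample with the assumed settings."""
    return audit_events(SAMPLE_EVENTS, ALLOWED_CIDRS, ROWS_PER_HOUR_THRESHOLD)


if __name__ == "__main__":
    findings, footprint = run_sample()
    for f in findings:
        print(f"[{f.kind}] {f.app}: {f.detail}")
    for app, objs in footprint.items():
        print(f"footprint {app}: {sorted(objs)}")
```

On the sample, the three 10:00-hour events come from outside the allowed range and together move 6,300 rows, so the audit reports three untrusted-source findings and one volume anomaly, and the footprint shows the app reached Account, Contact and Opportunity records. The same structure applies to real exported API logs once the field names are mapped to the platform’s own schema.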

The November 2025 Gainsight–Salesforce breach exemplifies a major shift in attacker strategy: exploiting trusted SaaS integrations via stolen credentials. Organizations must treat third-party applications as part of their security perimeter, maintaining inventories of integrations, enforcing the principle of least privilege, locking down network access, and continuously monitoring for anomalies.

How Token Security Helped Our Customers Rapidly Respond

At Token Security, we focus on preventing identity-based threats and compromises. Once the Gainsight breach was confirmed, we immediately assessed customer exposure. About half of our Salesforce-using customers had Gainsight integrations, making rapid action critical.

  • Inventorying Gainsight Credentials: Using our discovery capabilities, we cataloged all Gainsight-related accounts and OAuth tokens across customer environments, including API keys, IAM users, Snowflake accounts, and Entra ID service principals. Some accounts were inactive or already removed, reducing risk. Others were active, such as a Gainsight AWS integration user with a recently updated access key or a Snowflake account with a fresh password change. This inventory allowed customers to quickly see where Gainsight had access.
  • Credential Rotation and Restrictions: We either rotated or confirmed the rotation of every Gainsight-related credential: API keys, OAuth tokens, and other secrets. Although Salesforce had revoked its tokens, we ensured all other systems were also protected. When re-establishing integrations, we advised customers to implement network restrictions so that new credentials could only be used from Gainsight’s official environment.
  • Monitoring and Threat Detection: We heightened monitoring of all Gainsight-linked accounts, looking for unusual logins, API calls, or data movements. This ensured no ongoing abuse remained after token revocation and provided customers with rapid visibility into any anomalies.
  • Customer Guidance: We offered tailored recommendations based on each customer’s environment, for example removing unused service principals or reviewing downstream systems Gainsight accessed. This helped customers understand the full blast radius and verify data safety across connected systems.

Token Security’s approach enabled our customers to rapidly identify exposure and eliminate compromised credentials. As attackers increasingly target the app layer, vigilance around OAuth tokens, service accounts, and third-party integrations is essential to preventing breaches.

To learn more about how we helped our customers mitigate the Gainsight–Salesforce breach, request a demo today of the Token Security Platform.
