5 min read
November 21, 2025

Salesforce Customers Hit with ANOTHER Third-Party-Vendor Data Breach: What You Need to Know

Yet ANOTHER third-party breach has hit Salesforce customers - this time involving Gainsight. While details are still unfolding, the incident shows that the Salesforce data breach battle isn't over.

In the past few months, numerous Salesforce customers have been hit with third-party data breaches.

Back in September, the FBI issued a FLASH alert, warning Salesforce customers and sharing indicators of account compromise tied to the hacker groups known for targeting Salesforce instances.

This breach is part of a larger pattern. Data-theft and extortion campaigns are rising, and threat actors are increasingly going after the SaaS supply chain. 

The Gainsight attack follows closely behind the Salesloft/Drift compromise, where attackers moved through connected apps to reach Salesforce customer data. 

These incidents highlight a bigger trend: attackers are targeting the third-party apps and integrations connected to companies' SaaS environments - and it's bad. 

Salesforce Was Hit With Another Third-Party Data Breach

Let's get to the facts: Salesforce has confirmed unusual activity coming from Gainsight applications connected to customer environments.

What exactly happened?

Salesforce reported that a threat group - likely the same cluster behind the Salesloft/Drift breach (hacker groups UNC6040 and UNC6395) - gained unauthorized access to certain customers’ Salesforce data through Gainsight’s connected applications via OAuth. In other words, their shadow apps.

In response, Salesforce revoked all active access and refresh tokens tied to Gainsight-published apps, and temporarily removed them from the AppExchange. 

Gainsight also pulled its app from HubSpot’s Marketplace and revoked Zendesk connector access as a precaution - though no suspicious activity was found in those areas (yet…).

The exact number of affected Salesforce customers remains unknown, but Gainsight serves more than 1,000 organizations - many of which are major enterprises.

What This Means for Salesforce Customers

This incident (and the ones before it) is another reminder that third-party integrations can quickly become a deadly point of exposure.

The real issue isn’t necessarily Salesforce itself - it’s the growing ecosystem of connected SaaS apps that inherit trusted access into a company’s core SaaS environments. 

Threat actors are exploiting OAuth tokens, integration permissions, and mismanaged connectors to move downstream from one vendor to HUNDREDS of customer environments at once.

Put simply: your vendor’s compromise can instantly become your compromise.

Salesforce’s response - revoking tokens across Gainsight and Salesloft/Drift - highlights how deeply integrated these apps are, and how quickly attackers can move through the supply chain.

Bottom line? You’re only as secure as your weakest vendor.

What Security Teams Need to Know About Third-Party SaaS Vendors

Third-party SaaS tools are now one of the fastest-growing risk surfaces in the enterprise. Most security teams STILL don’t have full visibility into:

  • which apps are connected to their SaaS environments

  • what permissions those apps have

  • whether those permissions are actually necessary

  • whether the tokens have been abused or compromised

  • and how many employees are unknowingly granting access through OAuth

This incident highlights how attackers are increasingly targeting these blind spots (many created by employee negligence), instead of going after the primary SaaS provider directly.

Let's elaborate further here: when employees unknowingly grant overprivileged access to various applications, they are opening the door to a slew of data security risks. 

However, it's not always the employees' fault. Most users have absolutely no way to understand the security risks tied to the permissions they approve. They’re not security people - they’re simply employees trying to move along and get their work done as efficiently as possible.

It’s on the security teams to set guardrails, continuously monitor connected applications, control permission creep, and understand the risks that third-party vendors (and their vendors!) introduce. 

Without that oversight, one single unassuming over-permissioned app can become the biggest breach of the year. 
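To make the visibility gaps above concrete, here is an added example (not DoControl's product and not a Salesforce API): a small Python triage routine that walks a connected-app inventory and reports why each app's tokens should be revoked or its scopes reduced. The record fields, scope names and the sample inventory are constructed assumptions; a real inventory would be exported from the SaaS platform's own connected-app and OAuth usage reporting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Scopes that grant wide read/write or long-lived access; treated as high impact.
# Names follow common OAuth conventions; the exact set is an assumption.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

@dataclass
class ConnectedApp:
    name: str
    publisher: str
    scopes: frozenset      # OAuth scopes the app was granted
    active_tokens: int     # access/refresh tokens currently valid
    last_used: datetime    # last API call made with any of those tokens
    reviewed: bool         # has security ever reviewed this integration?

def risk_findings(app, now, stale_days=30, blocked_publishers=()):
    """Reasons this app's tokens should be revoked or its scopes reduced."""
    findings = []
    if app.publisher in blocked_publishers:
        findings.append("publisher is under active incident response")
    broad = app.scopes & BROAD_SCOPES
    if broad:
        findings.append("broad scopes: " + ", ".join(sorted(broad)))
    if app.active_tokens and now - app.last_used > timedelta(days=stale_days):
        findings.append(f"{app.active_tokens} token(s) idle for >{stale_days} days")
    if not app.reviewed:
        findings.append("never reviewed by security (shadow app)")
    return findings

def triage(apps, now, blocked_publishers=()):
    """Map app name -> findings, for every app that needs action."""
    result = {}
    for app in apps:
        f = risk_findings(app, now, blocked_publishers=blocked_publishers)
        if f:
            result[app.name] = f
    return result

# Constructed sample inventory (not real data).
NOW = datetime(2025, 11, 21)
SAMPLE_APPS = [
    ConnectedApp("CS Platform", "Gainsight", frozenset({"api", "refresh_token"}), 12, NOW - timedelta(days=1), True),
    ConnectedApp("Slack Notifier", "Slack", frozenset({"chatter_api"}), 3, NOW - timedelta(days=2), True),
    ConnectedApp("Sales Helper", "unknown-dev", frozenset({"full"}), 1, NOW - timedelta(days=90), False),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_APPS, NOW, blocked_publishers={"Gainsight"}).items():
        print(name, "->", "; ".join(findings))
```

The blocked-publisher list is where an incident notice like Salesforce's Gainsight advisory would be plugged in, so every token from that publisher is surfaced for revocation regardless of how it otherwise scores.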

How DoControl Prevents Third-Party SaaS Data Breaches

A breach like this is exactly the type of downstream SaaS risk DoControl is designed to prevent.

DoControl helps organizations by:

  • Identifying EVERY connected third-party app that has access to your SaaS environment - including apps security teams didn’t know existed.
  • Providing continuous monitoring, so teams immediately know when an integration behaves outside of baseline norms.
  • Highlighting high-risk or over-permissioned integrations, so unnecessary access can be removed before it becomes an entry point.
  • Detecting abnormal behavior from connectors, OAuth tokens, and user activity tied to third-party apps.
  • Automatically revoking risky tokens and enforcing security policies via remediation workflows, cutting off the exposure and eliminating risks without slowing down the business.
  • Granting security teams a list of tailored recommendations, in case they want to manually investigate and dive deeper into certain apps and permissions.

If these controls were in place, customers could have quickly identified unusual Gainsight or Salesloft/Drift behavior, restricted their access, or revoked tokens before attackers could leverage them and cause detrimental damage.

Key Takeaway

These back-to-back attacks are a reminder that your SaaS ecosystem is only as strong as the third-party apps connected to it.

Your vendor's risk becomes your risk.

Threat actors know this, and they’re exploiting the gaps on purpose. With the right controls in place - 24/7 visibility, contextual monitoring, and automated remediation workflows - security teams can close those gaps before they become breaches. 

The Salesforce headlines may be endless - but your third-party risk doesn’t need to be.


Melissa leads DoControl’s content strategy, crafting compelling and impactful content that bridges DoControl’s value proposition with market challenges. As an expert in both short- and long-form content across various channels, she specializes in creating educational material that resonates with security practitioners. Melissa excels at simplifying complex issues into clear, engaging content that effectively communicates a brand’s value proposition.
