Gainsight Breach: SaaS Supply Chain Attack Exposes Salesforce Integrations
ID: 9d08303b-9d8a-51d6-a8cd-bf8c7c8f7481
STIX ID: report--9d08303b-9d8a-51d6-a8cd-bf8c7c8f7481
Feed Name: Abstract Security Blog
On November 19, 2025, Salesforce disclosed that Gainsight-published applications were used to gain unauthorized access to customer Salesforce data by abusing compromised OAuth tokens and API integrations. The incident, linked to ShinyHunters/Scattered Spider and building on a prior Salesloft Drift compromise, resulted in large-scale data exfiltration (credentials, AWS/Snowflake tokens) and an announced public data dump impacting 300+ companies. The report outlines the attack chain, the challenges of detecting token-based API abuse, recommended detections across authentication, API usage and data export telemetry, and remediation steps such as auditing connected apps, rotating tokens, tightening permissions, and enabling real-time logging and monitoring.
