Organisations increasingly rely on ecosystems of connected applications and integrations to drive business value. However, the recent incident involving Salesforce and a third-party app vendor underscores a sobering reality: the attack surface now extends well beyond the core platform.
What Happened?
On 19 November 2025, Salesforce issued a security advisory noting “unusual activity” tied to applications published by Gainsight that were connected to customer orgs.
Key facts:
- Salesforce stated the activity may have enabled unauthorised access to certain customers’ data through the Gainsight-published apps.
- The company emphasised the issue was not a vulnerability in the Salesforce core platform.
- As a response, Salesforce revoked all active and refresh tokens associated with the Gainsight apps and temporarily removed those apps from its AppExchange catalogue.
- Researchers estimate that more than 200 Salesforce customer instances may have been impacted.
This is not an isolated case. In prior months, attackers exploited integrations (for example, the Salesloft Drift integration with Salesforce) to harvest OAuth/refresh tokens and exfiltrate large volumes of data.
Why This Matters to UK Organisations
For UK businesses, particularly those subject to regulatory frameworks such as the ISO/IEC 27001 / ISO/IEC 27002 controls, National Cyber Security Centre (NCSC) guidance, or sector-specific regulations (e.g., critical national infrastructure, financial services), this incident shines a spotlight on a number of risk vectors:
- Integration Risk: Even if the primary SaaS platform (e.g., Salesforce) is hardened, connected third-party apps may introduce downstream vulnerabilities or misuse of trusted tokens.
- Supply-Chain / Vendor Risk: The vendor publishing the application (Gainsight) effectively became a conduit for attacker entry. Without robust vetting of app-publishers, organisations may be exposed.
- Token / OAuth Abuse: Attackers are increasingly leveraging OAuth tokens, refresh credentials and API access rather than exploiting classic software vulnerabilities. The compromised apps had permissions within the customer orgs.
- Governance & Oversight: Board-level oversight must extend beyond internal systems to third-party app ecosystems. For organisations using Salesforce (and similar cloud platforms), the concept of “zero-trust in the ecosystem” becomes relevant.
- Incident Response & Rapid Revocation: As seen, prompt revocation of tokens, cutting off app access and logging/monitoring of connected apps are critical to containment.
Risk Management: What To Do Now
Organisations should take the following steps (especially if they operate on Salesforce or similar SaaS ecosystems):
- Inventory All Connected Apps
- Review & Restrict Permissions (Least Privilege)
- Rotate and Revoke Access Credentials
- Vendor / App-Publisher Risk Assurance
- Monitor & Log Usage Continuously
- Board & Executive Reporting
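The first four steps above (inventory, least privilege, revocation, monitoring) can be run as one triage pass over an export of the org's OAuth grants. The script below is an added example, not code from the post or from Salesforce: its rows are constructed, their field names are modelled on the Salesforce Tooling API OauthToken object (an assumption), and the approved-app registry is a hypothetical output of the publisher-vetting step.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows, shaped like an OauthToken query result
# (field names assumed from that object; every value here is invented).
SAMPLE_TOKENS = [
    {"Id": "T1", "AppName": "CRM Sync", "UserId": "u-int-1",
     "LastUsedDate": "2025-11-18T09:12:00Z"},
    {"Id": "T2", "AppName": "CRM Sync", "UserId": "u-human-7",
     "LastUsedDate": "2025-11-17T15:00:00Z"},
    {"Id": "T3", "AppName": "Legacy Reporting", "UserId": "u-int-2",
     "LastUsedDate": "2025-06-01T00:00:00Z"},
    {"Id": "T4", "AppName": "Unknown Exporter", "UserId": "u-int-3",
     "LastUsedDate": "2025-11-19T02:30:00Z"},
]

# Hypothetical approved-app registry from the vendor-assurance step:
# app name -> the only (integration) users expected to hold a grant.
APPROVED_APPS = {
    "CRM Sync": {"u-int-1"},
    "Legacy Reporting": {"u-int-2"},
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(tokens, approved, now_iso, stale_days=90):
    """Return {token Id: {"action": keep|review|revoke, "reasons": [...]}}."""
    now = _parse(now_iso)
    result = {}
    for t in tokens:
        reasons = []
        expected_users = approved.get(t["AppName"])
        unapproved = expected_users is None          # not in the inventory
        stale = now - _parse(t["LastUsedDate"]) > timedelta(days=stale_days)
        if unapproved:
            reasons.append("app not in approved inventory")
        elif t["UserId"] not in expected_users:      # over-broad grant
            reasons.append("grant held by unexpected user")
        if stale:
            reasons.append(f"unused for more than {stale_days} days")
        # Unknown publisher or dormant grant -> revoke now; an approved app
        # granted to the wrong user -> human review (least privilege).
        action = "revoke" if (unapproved or stale) else ("review" if reasons else "keep")
        result[t["Id"]] = {"action": action, "reasons": reasons}
    return result


if __name__ == "__main__":
    for tid, r in triage(SAMPLE_TOKENS, APPROVED_APPS, "2025-11-20T00:00:00Z").items():
        print(tid, r["action"], "; ".join(r["reasons"]))
```

Re-run the pass on a schedule so the "revoke" list feeds step three and the "review" list feeds step two; the same checks apply to any SaaS platform that exposes its token grants for export.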
Looking Ahead: Strategic Implications
- As platforms such as Salesforce become ever more central to business workflows, the rich third-party marketplace that adds value also becomes the adversary’s target. Attackers leverage trusted relationships, integrated credentials and API access rather than finding zero-days in the core platform.
- For UK-regulated sectors (financial services, CNI, health), the supply-chain risk posed by third-party apps may become a regulatory focus. Boards must ask: “Do we know every external app with privileged access to our environment?”
- Given the scale of these breaches, we may well see new regulatory guidance in the UK emphasising SaaS-ecosystem risk, vendor token management and OAuth access control.
- Organisations embedding AI, automation or internal marketplaces of apps should treat each connected app as if it were a network node and apply zero-trust segmentation.
- Incident response plans must anticipate the revocation of tokens, removal of app-access and rapid forensic investigation of connected-app anomalies.
Conclusion
The recent Salesforce / Gainsight incident is a potent reminder that security boundaries in cloud-native organisations extend far beyond “our” apps. The ecosystem of integrations, managed packages and OAuth connections is a rich attack surface. For UK organisations, especially those operating in SaaS ecosystems, governance, vendor-risk management, token control, continuous monitoring and board-level oversight of the integration ecosystem are no longer optional. The next breach may not come via the platform; it will come via the app that had privileged access.
References
- “Salesforce investigating campaign targeting customer environments connected to Gainsight app” – Cybersecurity Dive. https://www.cybersecuritydive.com/news/salesforce-investigating-customer-connected-Gainsight/806093/
- “Security Advisory: Salesforce Gainsight Incident” – AppOmni blog. https://appomni.com/blog/salesforce-gainsight-unauthorized-access-security-advisory/
- “Salesforce Cuts Off Gainsight App Access After Detecting Data Exposure Risk – Mandiant Launches Investigation” – Benzinga. https://www.benzinga.com/markets/tech/25/11/48996753/salesforce-cuts-off-gainsight-app-access-after-detecting-data-exposure-risk-mandiant-launches-investigation
