Salesforce blocks Gainsight tools while it reviews possible data leak: Here's what happened

Salesforce is investigating unusual activity related to Gainsight applications that may have exposed customer data. Access to these tools has been suspended as a precaution while the investigation continues, with Gainsight cooperating but providing no additional details.

Govind Choudhary
Updated 21 Nov 2025, 10:28 AM IST

Salesforce is investigating what it described as “unusual activity” involving Gainsight-published applications that may have exposed customer data, prompting the company to suspend access to the affected tools while the inquiry continues.

Access to Gainsight apps temporarily revoked

In a brief update posted on its status site, Salesforce said some Gainsight-developed applications that customers install and manage themselves may have allowed unauthorised access to certain Salesforce data. As a precaution, the company has revoked all active access to the applications.

Salesforce stressed that there was no evidence to suggest the issue stemmed from a flaw in its own platform, and said it was working to understand the extent of the activity.

Gainsight confirmed on its website that it is cooperating with Salesforce as the investigation unfolds, but did not provide additional details. Requests for further comment from the company were not immediately returned.

Growing risks in software integrations

Although the scale and nature of the incident remain unclear, security researchers note that attackers are increasingly targeting the connective tissue between major software-as-a-service platforms. Integrations that allow different systems to share data can also create high-value entry points for hackers if not properly secured.

Recent incidents underscore this pattern. Last month, Google said that a flaw in Oracle’s E-Business Suite had likely affected more than 100 organisations. Earlier in the year, Google disclosed that attackers had convinced employees at Salesforce customer organisations to install tampered versions of Salesforce’s Data Loader tool, enabling access to sensitive information.

Jaime Blasco, cofounder of Nudge Security, said these types of integrations have become prime targets. Writing on LinkedIn, he noted that attackers often bypass heavily fortified core platforms by exploiting connected services with elevated permissions. Speaking to Reuters, he added: “This is the new attack surface.”

In a separate story last month, it was reported that cybercriminals tied to a series of ransomware attacks on UK retailers said they were behind the theft of nearly one billion records from Salesforce, a US cloud services provider. The hackers, operating under the name Scattered LAPSUS$ Hunters, told Reuters that they accessed large amounts of personal data by targeting organisations that use Salesforce’s products.

The group appeared to be a splinter faction of the broader LAPSUS$ gang and has claimed responsibility for breaches affecting Marks & Spencer, the Co-op, and Jaguar Land Rover earlier this year. According to security researchers, the outfit is monitored by Google’s Threat Intelligence Group under the identifier UNC6040, which has previously highlighted the group’s reliance on social engineering to compromise victims.

(With inputs from Reuters)
