A powerful supply-chain hack has rattled the SaaS world — attackers managed to siphon off sensitive data from more than 200 companies’ Salesforce systems via a third-party integration. The breach centres on a customer-success platform and its connection to Salesforce, which enabled unauthorized access into the platform’s clients’ CRMs.
Algoritha: The Most Trusted Name in BFSI Investigations and DFIR Services
How the Breach Happened
The incident traces back to applications published by the customer-success company, which many businesses use to manage post-sales operations. Through these integrated apps, the threat actor obtained access tokens and used them to move into customers’ Salesforce environments. Because these apps are installed and managed by the customer companies themselves, the attackers didn’t need to break into Salesforce’s core platform: they simply exploited existing trust relationships.
Salesforce, upon detecting unusual activity, quickly cut access — revoking all active access and refresh tokens for the compromised apps. The apps were also temporarily pulled from the marketplace, citing “precautionary measures” while investigations are underway.
Who’s Behind the Attack
A hacker group has claimed responsibility, saying it carried out the breach after earlier compromising another service connected to Salesforce. According to the claim, they leveraged secrets and tokens harvested during that previous attack to pivot into this latest operation. In hacker channels, they’ve even threatened to launch an extortion website for the victims — a tactic they’ve deployed in past breaches.
Fallout and Response
Gainsight has confirmed the breach and said it is working with a well-known incident-response firm to forensically examine exactly what happened. It insists the breach was caused by the app’s external connection and not due to a vulnerability in Salesforce itself.
On its end, Salesforce says it has already notified affected customers and emphasizes that the attack exploited the integration layer, not any flaw in its core. Businesses that used the affected Gainsight integration are now scrambling to audit their systems, reset credentials, and harden their third-party connections — a loud wake-up call for how risky SaaS dependencies can be.
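The audit work described above, and the token-abuse pattern from the breach summary, come down to asking one question of a connected app: is it pulling far more data than it normally does, and from where? The following is an added example, not code from the article or from either vendor; the record layout is an assumption loosely modelled on Salesforce Event Monitoring API events, and every value is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (assumed shape, invented values): one row per
# API query made through a connected app, like an Event Monitoring ApiEvent.
EVENTS = [
    {"EventDate": "2025-11-10T02:00:00Z", "Application": "CS-Platform Connector",
     "SourceIp": "203.0.113.10", "RowsProcessed": 1200},
    {"EventDate": "2025-11-11T02:00:00Z", "Application": "CS-Platform Connector",
     "SourceIp": "203.0.113.10", "RowsProcessed": 1350},
    {"EventDate": "2025-11-12T02:00:00Z", "Application": "CS-Platform Connector",
     "SourceIp": "203.0.113.10", "RowsProcessed": 1100},
    {"EventDate": "2025-11-13T02:00:00Z", "Application": "CS-Platform Connector",
     "SourceIp": "203.0.113.10", "RowsProcessed": 1280},
    # A stolen token reused from elsewhere: new IP, bulk export-sized pull.
    {"EventDate": "2025-11-14T03:17:00Z", "Application": "CS-Platform Connector",
     "SourceIp": "198.51.100.77", "RowsProcessed": 480000},
    {"EventDate": "2025-11-14T09:00:00Z", "Application": "Billing Sync",
     "SourceIp": "192.0.2.5", "RowsProcessed": 300},
]


def find_suspicious(events, ratio=10.0, min_history=3):
    """Walk events in time order and flag a connected app's query when it
    processes more than `ratio` times the app's median historical volume
    (after at least `min_history` prior queries) or comes from a source IP
    the app has never used before. Returns a list of findings."""
    history = defaultdict(list)   # app -> RowsProcessed of earlier queries
    known_ips = defaultdict(set)  # app -> source IPs seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["EventDate"]):
        app, rows, ip = ev["Application"], ev["RowsProcessed"], ev["SourceIp"]
        reasons = []
        if len(history[app]) >= min_history and rows > ratio * median(history[app]):
            reasons.append("row volume far above baseline")
        if known_ips[app] and ip not in known_ips[app]:
            reasons.append("new source IP")
        if reasons:
            findings.append({"app": app, "when": ev["EventDate"],
                             "source_ip": ip, "rows": rows, "reasons": reasons})
        history[app].append(rows)   # baseline grows whether or not flagged
        known_ips[app].add(ip)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(EVENTS):
        print(f)
```

A hit like this is the cue to revoke that app's access and refresh tokens and rotate any credentials it held, rather than waiting for the vendor to do it for you.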