Salesforce has disconnected software firm Gainsight from “any function that depends on reading from or writing to Salesforce” after a security incident.
Gainsight said Thursday that “Salesforce detected API calls using the Gainsight Connected App coming from non-whitelisted IP” addresses.
Salesforce said that it had detected unusual activity in “Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers” and that this likely “enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.”
It has revoked access, rotated tokens and said “there is no indication that this issue resulted from any vulnerability in the Salesforce platform.”
A Gainsight community manager told customers: “The Gainsight Connected App within Salesforce is currently inactive, which is causing disruption to several capabilities that require a live Salesforce connection. Engineering and Product leadership are actively engaged and treating this as a P1 customer-critical incident. Investigation and restore paths are in progress.”
In a security update on Gainsight’s page it said that “Zendesk connector access has [also] been revoked as a precaution.”
(It was not immediately clear if that latter decision was related to a wave of phishing emails sent via Zendesk last month that saw Zendesk acknowledge “Bad actors” were sending emails that “look like legitimate contacts from companies who use Zendesk to communicate with their customers.”)
The Gainsight App has also been “temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact Oauth access for customer connections while the review is taking place,” it said.
“We will work with Hubspot on re-listing after thorough review. No suspicious activity related to Hubspot has been observed at this point.”
The incident this week comes after sales enablement firm Salesloft’s GitHub repository was compromised in March. The attackers used that access to compromise the “Salesloft Drift” application that many customers use to connect to Salesforce, and then used the Drift connection to raid Salesforce instances over the summer, leading to the loss of a wide range of customer datasets.
(Cloudflare, Dynatrace, Elastic, Google, JFrog, Nutanix, Palo Alto Networks, Rubrik and Zscaler were among those affected by the Salesloft incident.)
In that incident, Mandiant said attackers appear to have been looking to harvest credentials stored in Salesforce instances for onwards attacks.
It told users to:
- Search Salesforce objects for potential secrets, such as:
  - AKIA for long-term AWS access key identifiers
  - Snowflake or snowflakecomputing.com for Snowflake credentials
  - password, secret, key to find potential references to credential material
  - Strings related to organization-specific login URLs, such as VPN or SSO login pages, and
- Run tools like Trufflehog to find secrets and hardcoded credentials.
That guidance still stands as a security precaution, whatever the eventual scope of the Gainsight incident turns out to be. Stolen credentials are one of the top three biggest causes of cybersecurity incidents and data breaches globally; their exposure in GitHub repositories, in Salesforce instances, or on other platforms remains a significant security challenge.
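As an added illustration of the Mandiant search guidance above (this is example code written for this article, not Mandiant's, Salesforce's or Gainsight's tooling), the script below runs those indicator patterns over records in the shape a SOQL query returns and reports partially redacted hits. The sample rows are constructed, and the login-URL pattern assumes hostnames containing sso, vpn, okta or login stand in for an organization's own login pages.

```python
import re

# Patterns drawn from the guidance quoted above: AWS AKIA key ids, Snowflake
# references, credential keywords followed by a value, and organization login URLs.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"snowflakecomputing\.com|\bsnowflake\b", re.I),
    "credential_keyword": re.compile(r"\b(password|secret|key)\b\s*[:=]", re.I),
    # Assumed hostname keywords; tune to the organization's real SSO/VPN names.
    "login_url": re.compile(r"https?://[^\s\"']*(sso|vpn|okta|login)[^\s\"']*", re.I),
}

# Free-text fields on Case, Note and similar objects where pasted secrets end up.
TEXT_FIELDS = ("Subject", "Description", "Body", "Comments")


def scan_records(records):
    """Return (object type, record Id, field, pattern name, redacted snippet) tuples."""
    findings = []
    for rec in records:
        for field in TEXT_FIELDS:
            text = rec.get(field) or ""
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    hit = match.group(0)
                    # Truncate so the findings report is not a second copy of the secret.
                    snippet = hit[:8] + "..." if len(hit) > 8 else hit
                    findings.append((rec["attributes"]["type"], rec["Id"], field, name, snippet))
    return findings


# Constructed sample rows (not real data); AKIAIOSFODNN7EXAMPLE is AWS's documented dummy key id.
SAMPLE_RECORDS = [
    {"attributes": {"type": "Case"}, "Id": "500xx0000000001",
     "Description": "Customer pasted creds: AKIAIOSFODNN7EXAMPLE / password: hunter2"},
    {"attributes": {"type": "Note"}, "Id": "002xx0000000002",
     "Body": "Warehouse at acme.snowflakecomputing.com, ask ops for login"},
    {"attributes": {"type": "Case"}, "Id": "500xx0000000003",
     "Subject": "Renewal question", "Description": "No credentials here, just pricing."},
    {"attributes": {"type": "Case"}, "Id": "500xx0000000004",
     "Comments": "Use https://sso.example-corp.internal/login to reach the VPN portal"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

In practice the records would come from a SOQL export or the Bulk API, and each hit should be triaged and the underlying credential rotated rather than simply deleted from the record.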