An ongoing security incident at Gainsight’s customer-management platform has raised fresh alarms about how deeply third-party integrations can affect cloud environments. The breach centers on compromised OAuth tokens connected with Gainsight’s Salesforce connectors, leaving unclear how many organizations touched and the type of information accessed.
Salesforce was the first to flag suspicious activity originating from Gainsight’s connected applications. As a precautionary measure, Salesforce revoked all associated access tokens and, for some time, disabled the concerned integrations. The company also released detailed indicators of compromise, timelines of malicious activity, and guidance urging customers to review authentication logs and API usage within their own environments.
Gainsight later confirmed that unauthorized parties misused certain OAuth tokens linked to its Salesforce-connected app. According to its leadership, only a small number of customers have so far reported confirmed data impact. However, several independent security teams-including Google’s Threat Intelligence Group-reported signs that the intrusion may have reached far more Salesforce instances than initially acknowledged. These differing numbers are not unusual: supply-chain incidents often reveal their full extent only after weeks of log analysis and correlation.
At this time, investigators understand the attack as a case of token abuse, not a failure of Salesforce’s underlying platform. OAuth tokens are long-lived keys that let approved applications make API
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: