Story of Cyberattack: Salesforce Supply Chain Breach

The Salesforce ecosystem just got a harsh reminder that the weakest link rarely lives inside the core platform. It often hides in a trusted third-party app with broad permissions and quietly forgotten tokens.

In 2025, attackers used exactly that path. A large data theft campaign started with abuse of the Salesloft Drift integration in August, then resurfaced in November through compromised Gainsight apps tied to Salesforce. The result: hundreds of Salesforce instances probed, OAuth tokens abused, and data from more than 200 companies exposed through Gainsight alone.

Yes, this is the Salesforce supply chain attack that pushed OAuth tokens and SaaS integrations into the spotlight.

Let’s look at what happened and how to cut off similar attacks before they reach your environment.

What is the Salesforce supply chain attack?

When people say “Salesforce got hacked” in this context, they are usually talking about a SaaS supply chain attack that abused:

  • The Salesloft Drift integration with Salesforce, starting in early August 2025
  • Gainsight-published apps connected to Salesforce, exposed in November 2025

In both waves, attackers did not rely on a direct flaw in Salesforce itself. Instead, they:

  1. Broke into a vendor’s environment, first around the Salesloft Drift integration, then around Gainsight apps.
  2. Stole or abused OAuth tokens and related secrets used by those apps.
  3. Used those tokens to call Salesforce APIs as if they were legitimate, trusted integrations.

Salesforce has repeatedly stated there is no evidence of a core platform vulnerability. The weakness lies in external apps and integrations that hold powerful, long-lived access to customer data.

How was the Salesforce supply chain attack discovered?

The story unfolds in two main chapters.

Chapter 1 – Salesloft Drift campaign (August 2025)

Security teams first noticed something unusual in August 2025, when threat intelligence groups and incident responders described a large data theft campaign targeting Salesforce instances through the Salesloft Drift app.

A condensed timeline:

  • August 8, 2025
    Attackers began abusing compromised OAuth tokens connected to Salesloft Drift to reach Salesforce environments at scale.
  • August 8–18, 2025
    The threat actor, tracked as UNC6395, systematically exported large volumes of data from many Salesforce orgs. They focused on secrets such as cloud access keys, passwords, and analytics platform tokens buried inside Salesforce records and attachments.
  • Around August 20, 2025
    Salesloft, working with Salesforce, revoked active access and refresh tokens for the Drift integration. Salesforce removed or disabled the Drift listing in the ecosystem as a containment step.
  • Late August 2025
    Public advisories described a far-reaching campaign that may have touched hundreds of organizations and involved theft of credentials and business data from numerous Salesforce instances.

Threat intelligence groups linked the Drift operation to UNC6395, with ShinyHunters and related data-theft clusters mentioned in connection with parts of the activity.

Chapter 2 – Gainsight apps and the November 2025 exposure

The second chapter surfaced in November 2025, when Salesforce and Gainsight disclosed unusual activity involving Gainsight-published apps.

Key points from that stage:

  • Salesforce detected suspicious behavior from Gainsight apps connected to customer orgs and issued a security alert about possible data access through those apps.
  • Salesforce revoked access and refresh tokens associated with the affected Gainsight integrations, and temporarily removed or disabled them in customer environments.
  • Gainsight and investigators linked the incident to the same broader campaign that hit Salesloft Drift: the attackers appear to have reused knowledge and secrets from the earlier wave to compromise Gainsight, then pivoted into Salesforce again through those apps.
  • Analysts and early reports indicated that more than 200 Salesforce customers had some data viewed or copied via Gainsight apps. Gainsight acknowledged that mostly business contact and case-related information was involved.

Taken together, the “Salesforce supply chain attack” is not a single exploit but a multi-stage story: one campaign, two major vendor touchpoints, and repeated abuse of the same core weakness, which is excessive trust in third-party integrations.

Exploitation and impact

The mechanics of the attack are a classic example of how SaaS supply chain compromises work.

How the attackers broke in

Across both Salesloft and Gainsight incidents, investigators observed a similar pattern:

  1. Compromise of a vendor or integration
    Attackers gained access to infrastructure or services related to the Salesloft Drift integration, then later to Gainsight apps and surrounding components.
  2. Theft and abuse of OAuth tokens and secrets
    They obtained OAuth tokens, refresh tokens, and embedded secrets that allowed those apps to talk to Salesforce and other platforms.
  3. Stealthy Salesforce API abuse
    With valid tokens in hand, attackers issued Salesforce API queries to core objects such as Accounts, Opportunities, Users, and Cases. From Salesforce’s point of view, the traffic came from an already authorized app, so in the org’s own logs it is attributed to that connected app rather than to an obviously foreign actor.
  4. Data mining for secrets
    Once they had a copy of the data, the group sifted through it for credentials, tokens, and keys that could be reused against other systems such as cloud providers, databases, and analytics platforms.
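Step 4 is also the check a defender can run first. The script below, an added example and not code from the original post or from Salesforce, scans a Bulk API style CSV export of Case records for the kinds of secrets UNC6395 was after: AWS access keys, passwords pasted into case text, private keys and high-entropy tokens. The sample rows, the detector patterns and the entropy threshold are constructed for this example; the AWS key pair in the sample is the documented AWS placeholder pair, not a live credential.

```python
"""Scan a Salesforce data export for embedded secrets.

Added example, not code from the original post or from Salesforce. The
Drift attackers mined exported records for cloud keys, passwords and
analytics tokens; the same scan, run by defenders over a Bulk API CSV
export, shows what a stolen export would hand over so it can be purged.
"""
import csv
import io
import math
import re
from dataclasses import dataclass

# Constructed sample rows in the shape of a Bulk API CSV export of Case.
# All values are invented; the AWS pair is the documented AWS placeholder.
SAMPLE_CASES_CSV = """Id,Subject,Description
5001,Login issue,Customer cannot log in. Reset link sent.
5002,AWS integration failing,"Tried key AKIAIOSFODNN7EXAMPLE with secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still 403"
5003,DB credentials,temp password=Winter2025!Rotate for the analytics user
5004,Analytics sync,analytics token=q7Gh2xLm9ZtRv4Bn8KwPs1Ye6UcDa3Jf expired again
"""

# Detector name -> (regex with the secret in group 1, require high entropy?).
# Patterns are deliberately narrow; widen them for your own data.
DETECTORS = {
    "aws_access_key_id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    "aws_secret_access_key": (
        re.compile(r"(?i)secret[^A-Za-z0-9/+=]{0,10}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
        False),
    "password": (re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S{6,})"), False),
    "private_key": (re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"), False),
    "high_entropy_token": (
        re.compile(r"(?i)\b(?:token|api[_-]?key|secret)\s*[:=]\s*([A-Za-z0-9_./+=-]{20,})"),
        True),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; a random 32-char token scores about 5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    redacted: str  # first 4 characters kept so the owner can locate it


def redact(secret: str) -> str:
    return secret[:4] + "*" * max(0, len(secret) - 4)


def scan_text(record_id: str, field: str, text: str) -> list[Finding]:
    """Run every detector over one field value; entropy-gated detectors drop dull matches."""
    findings = []
    for kind, (pattern, needs_entropy) in DETECTORS.items():
        for m in pattern.finditer(text):
            secret = m.group(1)
            if needs_entropy and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(record_id, field, kind, redact(secret)))
    return findings


def scan_csv(csv_text: str, id_field: str = "Id") -> list[Finding]:
    """Scan every non-Id column of every row; findings come back in row order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, value in row.items():
            if field == id_field or not value:
                continue
            findings.extend(scan_text(row[id_field], field, value))
    return findings


if __name__ == "__main__":
    for f in scan_csv(SAMPLE_CASES_CSV):
        print(f"Case {f.record_id} [{f.field}] {f.kind}: {f.redacted}")
```

Run it over a real export before an attacker does; anything it flags belongs in a vault and should be rotated, because once a credential sits in a CRM record every integration with read access to that object can carry it off.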

Why this attack is so dangerous

Three factors make this style of campaign particularly serious:

  • No Salesforce zero-day required
    The attackers rode on top of trusted integrations. Salesforce itself did not need to be exploited. Any vendor in the ecosystem with weak controls can become a springboard.
  • OAuth tokens are powerful and often ignored
    OAuth tokens can live longer than user passwords, sit outside normal rotation, and grant wide API access. A bearer token is presented straight to the API, so MFA on the human who originally authorized the app offers no protection once the token is stolen. Until it is revoked, it acts as a skeleton key for the connected Salesforce org.
  • SaaS-to-SaaS traffic is easy to overlook
    API calls from tools like Drift or Gainsight resemble normal automation and background sync. Without SaaS-aware monitoring, large exports can look like routine operations rather than active data theft.
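The third point is the one that can be tested. The detection below, an added example and not code from the original post, Salesforce or any vendor, builds a per-connected-app baseline from a week of API event records (user agents seen, objects touched, median rows per active hour) and then flags an hour in which the same app identity pulled whole objects with a different client. The records are constructed and simplified: the field names are loosely modelled on Salesforce Event Monitoring API events but are not the exact EventLogFile schema, and the app name, user agents and volumes are invented.

```python
"""Flag a bulk export hiding behind a trusted connected app's identity.

Added example, not code from the original post, Salesforce or any vendor.
Records are constructed and simplified: field names are loosely modelled on
Salesforce Event Monitoring API events, not the exact EventLogFile schema.
"""
from collections import defaultdict
from statistics import median


def _ev(ts, app, agent, entity, rows):
    """Build one simplified API event record (constructed shape)."""
    return {"TIMESTAMP": ts, "CONNECTED_APP": app, "USER_AGENT": agent,
            "ENTITY_NAME": entity, "ROWS_PROCESSED": rows}


# Constructed sample: seven days of routine sync traffic from an invented
# integration, then one night where the same app identity is driven by a
# different client pulling whole objects. Names, agents and volumes are invented.
SAMPLE_API_EVENTS = (
    [_ev(f"2025-08-0{d}T02:00:00Z", "Vendor Sync App", "VendorSync/4.2", "Case", 180 + 5 * d)
     for d in range(1, 8)]
    + [_ev(f"2025-08-0{d}T14:00:00Z", "Vendor Sync App", "VendorSync/4.2", "Contact", 90 + 3 * d)
       for d in range(1, 8)]
    + [
        _ev("2025-08-08T02:00:00Z", "Vendor Sync App", "VendorSync/4.2", "Case", 220),  # routine
        _ev("2025-08-08T03:00:00Z", "Vendor Sync App", "python-requests/2.32.4", "Account", 48000),
        _ev("2025-08-08T03:00:00Z", "Vendor Sync App", "python-requests/2.32.4", "Opportunity", 31000),
        _ev("2025-08-08T03:00:00Z", "Vendor Sync App", "python-requests/2.32.4", "User", 2200),
        _ev("2025-08-08T03:00:00Z", "Vendor Sync App", "python-requests/2.32.4", "Case", 57000),
    ]
)
BASELINE_UNTIL = "2025-08-08T00:00:00Z"  # events before this timestamp form the baseline


def hour_bucket(ts: str) -> str:
    """ISO timestamp -> hour bucket, e.g. '2025-08-08T03'."""
    return ts[:13]


def build_baseline(events, baseline_until):
    """Per connected app: user agents and objects seen, median rows per active hour."""
    rows_per_hour = defaultdict(lambda: defaultdict(int))
    agents, entities = defaultdict(set), defaultdict(set)
    for e in events:
        if e["TIMESTAMP"] >= baseline_until:
            continue
        app = e["CONNECTED_APP"]
        rows_per_hour[app][hour_bucket(e["TIMESTAMP"])] += e["ROWS_PROCESSED"]
        agents[app].add(e["USER_AGENT"])
        entities[app].add(e["ENTITY_NAME"])
    return {
        app: {"median_rows_per_hour": median(hours.values()),
              "user_agents": agents[app], "entities": entities[app]}
        for app, hours in rows_per_hour.items()
    }


def detect(events, baseline, baseline_until, volume_factor=10):
    """Return one alert per (app, hour) whose traffic departs from that app's own baseline."""
    buckets = defaultdict(lambda: {"rows": 0, "reasons": set()})
    for e in events:
        if e["TIMESTAMP"] < baseline_until:
            continue
        app = e["CONNECTED_APP"]
        b = buckets[(app, hour_bucket(e["TIMESTAMP"]))]
        b["rows"] += e["ROWS_PROCESSED"]
        profile = baseline.get(app)
        if profile is None:
            b["reasons"].add("unknown_app")  # no history at all: review by hand
            continue
        if e["USER_AGENT"] not in profile["user_agents"]:
            b["reasons"].add("new_user_agent:" + e["USER_AGENT"])
        if e["ENTITY_NAME"] not in profile["entities"]:
            b["reasons"].add("new_entity:" + e["ENTITY_NAME"])
    alerts = []
    for (app, hour), b in sorted(buckets.items()):
        profile = baseline.get(app)
        if profile and b["rows"] > volume_factor * profile["median_rows_per_hour"]:
            b["reasons"].add(
                f"volume:{b['rows']}_rows_vs_median_{profile['median_rows_per_hour']:.0f}")
        if b["reasons"]:
            alerts.append({"app": app, "hour": hour, "rows": b["rows"],
                           "reasons": sorted(b["reasons"])})
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_API_EVENTS, BASELINE_UNTIL)
    for alert in detect(SAMPLE_API_EVENTS, base, BASELINE_UNTIL):
        print(alert["app"], alert["hour"], alert["rows"], "rows")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The value is in the join, not the threshold: volume alone is noisy for a sync tool, and a new user agent alone is noise after every vendor release, but a new client pulling ten times the baseline across objects the app never read is the pattern described above, and the routine 02:00 sync on the same day produces no alert.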

Kill the chance of Salesforce supply chain breaches with Saner Platform

The old line “attackers only need one weak link” applies perfectly here. For Salesforce customers, that weak link is often a third-party app, not the CRM itself.

Saner Platform helps shrink that attack surface so incidents like the Salesloft and Gainsight breaches become far harder to pull off.

Saner Continuous Vulnerability and Exposure Management (CVEM) gives security and IT teams one platform to uncover weaknesses across endpoints, servers, and the broader cloud footprint that feeds data into SaaS platforms such as Salesforce.

Here is how Saner helps against this type of attack:

  • See every risk in one place
    Bring vulnerabilities, misconfigurations, and exposures into a unified view. Track the systems that store, process, or sync the same data that later flows into Salesforce.
  • Prioritize issues that open doors for supply chain abuse
    Use intelligent risk scoring based on exploitability and business impact to focus on exposure that makes SaaS breaches easier, such as missing patches, weak authentication, and risky internet-facing services.
  • Gain real time visibility across your estate
    Run fast, continuous scans to spot new weaknesses before attackers combine them with stolen tokens or compromised vendors.
  • Close gaps with integrated remediation
    Roll out patches, configuration fixes, and security baselines directly from the same console. Coordinate changes so critical systems tied to Salesforce and other SaaS apps do not lag behind.
  • Stay aligned with compliance and security benchmarks
    Map controls to standards such as HIPAA, PCI, ISO, and NIST CSF, and track posture drift over time. Compliance data then feeds practical SaaS risk reduction rather than living in a separate reporting layer.

Check out Saner Platform here.