What the Salesloft and Gainsight Breaches Really Tell Us About NHI Risk
For years, enterprises have fortified their perimeter - hard MFA, hardened SaaS, locked-down identity layers. But in 2025, the weakest link isn’t the castle gate anymore. It’s the messenger walking through it with unquestioned trust.
In today’s ecosystem, that messenger is an integration with privileged access, and the recent Salesloft and Gainsight breaches exposed just how vulnerable that blind spot is. Attackers didn’t battle their way in - they entered as invited guests.
Security teams who understand this shift are already ahead of the rest of the industry.
The Pattern: Compromise the Integration, Skip the Hard Part
Salesloft to Salesforce
In August 2025, threat actor UNC6395 compromised OAuth and refresh tokens tied to the Drift integration.
Those tokens - trusted Non-Human Identities (NHIs) - opened direct, legitimate access to hundreds of Salesforce orgs.
Once inside, attackers didn’t stop at CRM data. They exfiltrated downstream secrets:
- Snowflake tokens
- Cloud access keys
- Support-case content
- Internal operational metadata
They bypassed MFA and stepped straight into authenticated privilege.
Gainsight to Salesforce
On November 21, Just weeks later, Salesforce disclosed unusual activity tied to another integration - Gainsight.
Again: no Salesforce vulnerability, no platform exploit.
The door was opened by an integration holding elevated OAuth scopes - another NHI trusted by default. Salesforce’s statement was unambiguous: “No indication that this resulted from any vulnerability in the Salesforce platform.”
Salesforce revoked all active access and refresh tokens for the gainsight apps and removed those apps temporarily from the AppExchange. New reporting suggests the Gainsight breach might reuse secrets taken from the Salesloft/Drift incident, indicating that attackers are chaining these breaches.
Google Threat Intelligence is attributing the Gainsight breach to the related threat-actors that hit Salesloft (clusters such as UNC6240 / ShinyHunters).
The Shared Pattern: NHIs as High Privilege Attack Vectors
Both breaches followed the same blueprint - and it’s one every modern defender must internalize:
- Compromise an integration token (NHI with broad scopes)
- Enter customer environments with full legitimacy
- Move laterally across connected systems
- Harvest embedded credentials and secrets
- Pivot into cloud infrastructure
This is large-scale, low-friction supply-chain compromise powered by unmonitored NHIs. Defenders who don’t see this pattern are operating blind.
What You Can Do Now - If You Want to Stay Ahead
1. Inventory premium-scope integrations
Map every integration, service account, and bot touching critical systems.
If you can’t see it, you can’t defend it.
2. Govern third-party integrations like first-class identities
Every vendor app is now part of your attack surface.
Demand audit logs, token controls, and operational transparency.
3. Scope and rotate all tokens / service accounts
Least privilege is not optional.
Long-lived tokens are liabilities - shorten them.
Broad scopes are risks - tighten them.
4. Formalize NHI-focused incident triage
If you find a compromised token:
- Revoke instantly
- Rotate downstream secrets
- Block or delete the previous versions
- Trace every integration that touched that token
- Assess which downstream identities could be abused
- Model possible lateral movement paths
Teams who do this well are the ones who stop incidents early - before attackers reach the crown jewels.
The Bottom Line
Sophisticated attackers no longer storm the castle.
They compromise the trusted identity already carrying the master key - the integration, the bot, the token, the NHI.
Security teams who want to lead - not react, must elevate NHI security to the same level as human identity.
Because in 2025, the kingdom doesn’t fall through the gate - it falls through the integration.
.png)
