There’s a particular kind of déjà vu that appears when you watch the same failure repeat, not because people didn’t know better, but because the system itself was built to fail this way. That’s where we are with the news that Salesforce customers have been breached again, this time through Gainsight, a customer success platform that, like Drift before it, enjoys a deep and poorly governed integration into the Salesforce ecosystem.

If you haven’t been following the pattern, here it is in clean, brutal lines:

No one hacked Salesforce.
They hacked the trust relationships we built around Salesforce.
And those relationships are the real attack surface now.

This is not an “app breach story.” This is a story of trust collapse in enterprise SaaS architecture. And it’s only going to get worse, not because the technology is fundamentally broken, but because we’re treating trust as an automatic byproduct of vendor selection instead of something we deliberately manufacture and maintain.

I. The Attack That Wasn’t Supposed to Happen Twice

In the spring, a ShinyHunters-adjacent group hit organizations’ Salesforce environments via vishing campaigns: low-sophistication, high-yield. In late summer, the same threat cluster hit Drift (owned by Salesloft), stole OAuth tokens, and used Drift’s permissions to slip into hundreds of Salesforce orgs with whatever access those orgs had initially been granted.

Now the cycle has repeated, nearly beat for beat, through Gainsight.

This tells us three things:

The attackers did not need to innovate. They reused the playbook because the structural weakness hasn’t changed. When you find a skeleton key that opens hundreds of doors, you don’t invent a new lock-picking technique. You just keep using the key.

The defenders did not adapt. The same trust inheritance weaknesses remained exposed. This isn’t a failure of awareness—everyone knew OAuth tokens were powerful. It’s a failure of governance architecture. Knowing something is dangerous and actually engineering controls around that danger are entirely different activities.

The blast radius is expanding. Drift was bad. Gainsight is worse because it connects not just to Salesforce but also to Slack, Teams, Zendesk, HubSpot, Snowflake, Jira, and beyond. Each additional integration point isn’t an additive risk. It’s multiplicative risk, because every connection creates pathways into systems that were never designed to trust each other directly.

You can think of this less like a breach and more like someone quietly stealing a universal garage opener and realizing it works for an entire neighborhood. The vulnerability isn’t in any individual garage. It’s in the trust architecture that the opener itself would never be compromised.

II. The Real Attack Vector: OAuth, Not Apps

Let’s be explicit about what’s happening: The attackers aren’t targeting code. They’re targeting identity. More specifically, they’re targeting inherited trust that was granted once and then forgotten.

OAuth tokens are little packets of inherited trust. They say:

“This app can see these objects.”
“This app can act on behalf of this user.”
“This app has standing permission to go wherever the integration needs to go.”

If a token is stolen, the attacker now has persistent, MFA-free access into critical data stores with whatever permissions the business originally—and thoughtlessly—granted.

In most companies, those permissions are not scoped tightly. They look like: “Just give the integration everything it asks for—Sales needs it working by Monday.”

And that’s how you get a marketing tool (Drift) with full access to objects it should never touch, and a customer success platform (Gainsight) that can see deep into business systems far outside its lane.

Here’s what makes this particularly insidious: OAuth was designed correctly. The problem isn’t the technology. It’s how organizations treat the trust relationships the technology enables. OAuth tokens are supposed to be:

• Narrowly scoped to specific resources.

• Regularly rotated based on risk assessment.

• Monitored for anomalous usage patterns.

• Revocable when business relationships change.

• Audited against the principle of least privilege.

Instead, they’re treated like set-it-and-forget-it API keys from 2010. We granted these permissions once during a hurried procurement process and never revisited them. The integration worked, the sales team got their dashboard, and everyone moved on.

This is how “just a vendor integration” becomes a global compromise. The trust we granted was:

• Invisible — Most organizations can’t even inventory their active OAuth tokens.

• Permanent — Tokens live forever unless actively revoked.

• Ungoverned — No one is measuring whether granted permissions match actual usage.

• Inherited without limits — Trust cascades through vendor relationships with no friction

This isn’t security debt. It’s trust debt. And the bill is coming due.

III. The SaaS Supply Chain Is a Hidden Superhighway

Enterprises tell themselves comforting lies:

“We only use best-in-class SaaS.”
“Everything is secure because it’s in the cloud.”
“If there were a problem, Salesforce would tell us.”

Sure. Except that your Salesforce org doesn’t exist alone. It is connected to: Drift, Gainsight, Snowflake, ServiceNow, Slack, Teams, HubSpot, Zendesk, Jira, and dozens more you don’t even remember approving.

Each connection carries OAuth tokens. Each OAuth token carries inherited trust. Each node is connected to five more nodes. None of it is mapped. Almost none of it is monitored. And absolutely none of it is understood by the people who can actually revoke access.

This is not a security strategy. It’s an ungoverned trust network that looks a lot like unsecured critical infrastructure. Because that’s precisely what it has become.

The real problem is that we’ve built enterprise software architecture on a fundamentally false premise: that trust, once established, can be safely ignored. We treat vendor integrations as one-time decisions rather than as ongoing trust relationships that require continuous validation.

Think about what happens when you onboard a new SaaS tool:

1. Procurement evaluates the vendor (once)

2. Security reviews the integration (maybe)

3. IT grants the requested permissions (often over-scoped to avoid troubleshooting later)

4. The integration goes live.

5. Everyone forgets it exists.

There’s no step six. No continuous monitoring. No periodic re-evaluation of whether those permissions still match business needs. No audit trail showing which OAuth tokens have access to which data at what times. No alerting when a token suddenly starts behaving differently.

We engineered a trust architecture with no instrumentation, no feedback loops, and no expiration dates. Then we acted surprised when attackers exploited exactly that gap.

IV. ShinyHunters Didn’t “Hack” Anything; They Ran a Business Model

ShinyHunters is not a lone-wolf crew. They are a scaled, market-driven extortion operation. Their preferred mode of attack:

1. Compromise with a vendor

2. Steal OAuth tokens

3. Pivot to hundreds of connected customers.

4. Monetize the blast radius.

Call it what it is: Identity-layer ransomware.

And they keep doing it because the architecture keeps letting them. Why invent a new exploit when enterprises keep handing out house keys?

This is the insight that should terrify every CISO: The attackers have discovered that identity is more valuable than infrastructure. They don’t need to break into your servers anymore. They just need to compromise on one vendor that you already trust, inherit that trust, and walk through the front door.

The economics are brutally efficient. One successful vendor compromise can yield access to hundreds or thousands of downstream customers. The attack surface is enormous and largely undefended. And the best part (from the attacker’s perspective) is that the victims can’t easily tell they’ve been compromised, because the access looks legitimate. It is legitimate; it’s using credentials that the victim organization voluntarily granted.

This is the nightmare scenario that security professionals have been warning about for years: when the supply chain itself becomes the primary attack vector. But we kept treating it as a hypothetical problem. It’s not hypothetical anymore.

V. Salesforce’s Emergency Kill Switch: A Red Flag Hiding in Plain Sight

When Salesforce learned what happened, they immediately revoked all Gainsight tokens, so quickly that even Gainsight thought it was a technical glitch.

This is the moment where you’re supposed to ask:

• Why did Salesforce have to fix this before the vendor could?

• Why couldn’t customers revoke access themselves?

• Why do we have platforms with no inventory of which apps they’re connected to?

• Why do we allow third parties to retain long-lived keys to core systems?

Salesforce’s intervention was correct. It was also a signal that the governance layer is failing. If Salesforce has to rescue both the vendor and the customers from a breach vector created by over-permissioned integrations, the ecosystem itself is no longer trustworthy.

Think about what this reveals: The platform provider had to step in because neither the vendor nor the customers had adequate visibility into or control over the trust relationships they’d created. That’s a fundamental failure of governance architecture.

This isn’t about Salesforce being particularly good or bad at security. It’s about the fact that the only entity with the power to rapidly contain the breach was the platform itself, because the trust architecture wasn’t designed to give customers or vendors the tools to manage their own trust relationships effectively.

VI. The Collapse of Implied Trust

The unspoken premise of modern SaaS architecture is: “If we trust App A, and App A trusts App B, then by the transitive property, we trust everything App B touches.”

This is absurd. But it’s also how Salesforce, Gainsight, Slack, Snowflake, and your entire go-to-market stack currently works.

Trust is treated as:

• Infinite (never expires or degrades)

• Invisible (can’t be measured or observed)

• Permanent (no natural decay or revocation)

• Ungoverned (no continuous validation)

• Inherited automatically (no friction in transmission)

This is why the Drift → Gainsight → Salesforce cycle is not surprising. It’s predictable. We built a system that drifted in trust by default, then expressed confusion when attackers exploited that drift.

The problem is that trust should never be automatic. Real trust—the kind that can actually secure critical infrastructure—requires continuous evidence. It requires proving, over and over, that the relationship still makes sense, that the permissions remain appropriate, and that the vendor maintains an adequate security posture.

We need to stop thinking about trust as a binary state (trusted/untrusted) and start thinking about it as a manufactured condition that requires ongoing maintenance. Trust doesn’t happen. It’s built. And if you’re not actively building it, it’s eroding.

VII. This Is What Trust Debt Looks Like

Enterprise security is not failing because companies are stupid. It’s failing because the architecture incentivizes speed over governance. And speed always takes trust for granted.

Your SaaS stack today is:

• A pile of untracked connections

• A cluster of over-scoped permissions

• A graveyard of long-lived tokens

• A network of vendors your procurement team doesn’t even remember approving

This is trust debt: the accumulated, unseen liability created when you rely on inherited trust rather than measured trust.

Drift was a trust debt. Gainsight is trust debt. Whatever gets compromised next will be trust debt, too. Unless we change the model.

Trust debt accumulates silently. Every integration you approve is done without properly scoping permissions. Every OAuth token you grant and forget. Every vendor relationship that continues long after the original business need has expired. Every connection that seemed convenient at the time but was never properly governed.

The interest on this debt compounds. Each additional integration makes every other integration more dangerous, because the trust graph becomes more complex and more opaque. And unlike financial debt, trust debt doesn’t appear on any balance sheet until it breaches.

VIII. What Organizations Must Do Now

This is not a patch job. It is an architectural reform. And it requires treating trust as what it actually is: critical infrastructure that must be deliberately manufactured and continuously maintained.

1. Inventory every OAuth integration. If you can’t see your trust graph, you can’t defend it. This means building actual tooling—not a spreadsheet, not a quarterly review—that shows, in real time, which apps have which permissions to which systems. You need a trust ledger.

2. Scope permissions ruthlessly. Most apps don’t need 10% of what you’ve granted them. Start from zero and add only what’s demonstrably necessary. This requires saying no to vendors who demand excessive permissions as a condition of integration. That’s a feature, not a bug.

3. Rotate tokens, don’t worship them. Long-lived tokens are cybersecurity landmines. Implement expiration policies. Force periodic re-authorization. Make token rotation a standard operational practice, not an emergency response.

4. Implement trust-friction monitoring. Measure drift. Track anomalies. Quantify the risk in real time. You need systems that can answer questions like: “Which OAuth tokens haven’t been used in 90 days?” and “Which integrations are accessing data patterns they’ve never accessed before?”

5. Treat SaaS as critical infrastructure. If your customer database can be hijacked through a chatbot integration, you’re already living in a critical-infrastructure environment. Act like it. This means applying the same rigor to SaaS integrations as you do to production database access.

6. Build trust operations into procurement. Don’t just evaluate vendors during the sales cycle. Establish continuous validation requirements. Require vendors to maintain SOC 2 compliance, demonstrate security posture, and participate in regular trust audits. Make it contractual.

7. Create revocation runbooks. When (not if) the subsequent vendor breach happens, you need to know precisely which tokens to revoke, which systems to isolate, and which users to notify. This can’t be improvised during an incident.

IX. The Era of Identity Extortion Has Arrived

The attackers have moved upstack. The breach surface now includes: trust, identity, authorization, supply chain, integration pathways, API relationships, and token inheritance.

This is where the real risk lives. In the soft tissue. In the spaces nobody governs. In the trust, people assume rather than engineer.

The Drift and Gainsight breaches aren’t anomalies. They’re indicators. They’re warnings. They’re the early failures of an architecture built on unexamined trust, and we’re only at the beginning.

A future where every SaaS integration is a potential multi-org extortion vector is not a hypothetical. It’s the world we are already living in.

The only way out is to treat trust like the core digital resource it is: measurable, governable, observable, and revocable. Trust must have friction, not to slow down business, but to create the resistance necessary for meaning and verification to emerge.

Because until we redesign the trust layer itself, the breaches will keep coming, predictably, mechanically, and with expanding blast radii. And each one will feel like déjà vu.

The canary is singing. The question is whether we’ll listen this time, or wait for the subsequent breach in the cycle to deliver the same warning we’ve already ignored twice.

Share