
For CISOs and security teams, Larsen emphasized the need for immediate action beyond just the Gainsight incident. “All organizations should view this as a signal to audit their SaaS environments,” he said, recommending that security teams regularly review all third-party applications connected to Salesforce instances, investigate and revoke tokens for unused or suspicious applications, and assume compromise if anomalous activity is detected.
The attacks prove effective because OAuth tokens operate beneath traditional authentication layers, according to Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “OAuth token compromise is one of the most dangerous attack vectors in the modern SaaS ecosystem because it abuses trust rather than breaking through defences,” Gogia said. “Once an attacker acquires a token, they gain the ability to impersonate a legitimate app or user at the API layer, where most enterprises have the least monitoring coverage.”
Most OAuth tokens are long-lived, often without expiration, and carry broader permissions than administrators realize, Gogia noted. “Because these tokens function as infrastructure rather than monitored user accounts, compromises enable silent, high-value data exfiltration over extended periods. The attacks don’t behave like typical intrusions but rather operate with inherited legitimacy, making them particularly difficult to detect.”
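As an added example (not code from the article or from any vendor it names), the following Python triage pass applies the review steps Larsen recommends and the anomalous-activity check Gogia's remarks imply: it compares two constructed snapshots of Salesforce OAuthToken records, marks unused or unapproved tokens for revocation, and flags tokens whose API-call rate spikes against their own lifetime baseline for investigation. The field names (AppName, UserId, UseCount, LastUsedDate, CreatedDate), the approved-app list and every value are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed snapshots shaped like Salesforce's OAuthToken object. The field
# names are an assumption about that object; every value below is invented.
T0 = datetime(2025, 11, 24, tzinfo=timezone.utc)
DAY = timedelta(days=1)
T1 = T0 + DAY
SNAPSHOT_T0 = {
    "t1": {"AppName": "Gainsight", "UserId": "005A", "UseCount": 4000,
           "LastUsedDate": T0, "CreatedDate": T0 - 400 * DAY},
    "t2": {"AppName": "Slack", "UserId": "005B", "UseCount": 800,
           "LastUsedDate": T0 - DAY, "CreatedDate": T0 - 100 * DAY},
    "t3": {"AppName": "OldReportingTool", "UserId": "005C", "UseCount": 5,
           "LastUsedDate": T0 - 209 * DAY, "CreatedDate": T0 - 300 * DAY},
}
SNAPSHOT_T1 = {
    "t1": {**SNAPSHOT_T0["t1"], "UseCount": 9500, "LastUsedDate": T1},
    "t2": {**SNAPSHOT_T0["t2"], "UseCount": 808, "LastUsedDate": T1},
    "t3": SNAPSHOT_T0["t3"],
    "t4": {"AppName": "Unknown Integration", "UserId": "005A", "UseCount": 930,
           "LastUsedDate": T1, "CreatedDate": T1 - 2 * DAY},
}
APPROVED_APPS = {"Gainsight", "Slack"}  # assumed connected-app inventory

def triage_tokens(before, after, t_before, t_after, approved_apps,
                  max_idle_days=90, spike_factor=5.0):
    """Map suspicious token Ids to (action, reason) pairs. 'revoke' covers
    tokens unused for max_idle_days or belonging to an unapproved app;
    'investigate' covers tokens whose calls/day over the snapshot interval
    exceed spike_factor times their lifetime average (a rough anomaly check)."""
    interval = (t_after - t_before) / DAY  # snapshot interval in days
    findings = {}
    for tid, tok in after.items():
        reasons = []
        idle = t_after - tok["LastUsedDate"]
        if idle > max_idle_days * DAY:
            reasons.append(("revoke", f"unused for {idle.days} days"))
        if tok["AppName"] not in approved_apps:
            reasons.append(("revoke", f"app '{tok['AppName']}' not in approved inventory"))
        prev = before.get(tid)
        if prev is not None:  # new tokens have no baseline to compare against
            age_days = max((t_before - prev["CreatedDate"]) / DAY, 1.0)
            baseline = prev["UseCount"] / age_days  # lifetime average calls/day
            recent = (tok["UseCount"] - prev["UseCount"]) / interval
            if recent > spike_factor * max(baseline, 1.0):
                reasons.append(("investigate", f"{recent:.0f} calls/day vs baseline {baseline:.1f}"))
        if reasons:
            findings[tid] = reasons
    return findings

def revocation_queue(findings):
    """Token Ids with at least one 'revoke' finding, in stable order."""
    return sorted(tid for tid, rs in findings.items() if any(a == "revoke" for a, _ in rs))
```

In a real review the snapshots would come from a SOQL query against the OAuthToken object; approving the inventory and revoking flagged tokens remain manual, audited steps.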
