Salesforce Cuts Gainsight App Access Over Data Security Concerns as Mandiant Steps In
Salesforce (CRM) hit the brakes on several Gainsight applications Thursday after spotting unusual activity that could have opened a backdoor to customer data. The cloud software giant moved quickly to shut down access and brought in the big guns—cybersecurity firm Mandiant—to figure out what happened.
Tokens Revoked, Apps Pulled From Marketplace
Salesforce didn't mince words in its statement, saying it observed "unusual" behavior tied to Gainsight applications connected to its platform. The company warned customers that this activity may have enabled unauthorized parties to access certain data, though it emphasized the problem originated from the apps' external connections, not from any weakness in Salesforce's own infrastructure.
"Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues," the company stated.
Salesforce was careful to note that its review found no evidence of any vulnerability within the Salesforce platform itself—the issue stems from how third-party apps connect to it.
Gainsight Calls In Forensic Experts
For its part, Gainsight confirmed on its website that it's working closely with Salesforce and has engaged Mandiant to lead what it described as a "comprehensive, independent forensic investigation."
"Our current findings indicate that the activity under investigation originated from the applications' external connection — not from any issue or vulnerability within the Salesforce platform," Gainsight said, echoing Salesforce's assessment.
The Bigger Picture: Third-Party Apps Are the New Attack Vector
This incident isn't happening in a vacuum. Security experts have been sounding alarms about attacks targeting third-party tools that plug into major enterprise platforms. Similar cases have cropped up involving Oracle (ORCL) and other Salesforce customer environments.
Jaime Blasco, cofounder of Nudge Security, weighed in on LinkedIn, pointing out that this reflects a troubling trend. Instead of trying to breach heavily fortified core platforms, attackers are going after integrated tools that already have privileged access. It's the digital equivalent of breaking into a house through a poorly secured window instead of trying to kick down the reinforced front door.
The strategy makes sense from an attacker's perspective—third-party apps often have broad permissions and may not face the same security scrutiny as the platforms they connect to. As enterprise software becomes increasingly interconnected, these integration points represent growing risk surfaces that companies need to monitor closely.
For Salesforce customers using Gainsight applications, the immediate impact is clear: those integrations are now offline until the investigation wraps up and security teams can determine exactly what happened and whether any data was actually compromised.
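The article's closing point is that integration points need close monitoring, and Salesforce's own trigger was "unusual" behavior tied to connected applications. The script below is an added illustration of one way a defender can operationalize that: build a per-integration baseline from a quiet training window, then flag later activity that departs from it (a volume spike, a source IP the integration has never used, or an integration with no history at all). It is not code from Salesforce, Gainsight, Mandiant or the article; the event format, field names, thresholds and all sample events are constructed assumptions, and in practice the events would come from whatever API-usage or connected-app audit logging your platform exports.

```python
"""Baseline-and-deviation check for third-party integration activity.

Added illustration only (not code from Salesforce, Gainsight or the article).
The Event fields, the spike threshold and the sample data are assumptions
constructed for this example; map them onto your platform's own API-usage
or connected-app audit records.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Event:
    day: date
    app: str           # integration / connected-app name (constructed)
    source_ip: str     # network origin of the API calls (constructed)
    records: int       # rows returned by the calls that day (constructed)


@dataclass
class Baseline:
    mean_daily_records: float
    known_ips: set = field(default_factory=set)


def build_baselines(events, training_end):
    """Per-app baseline from events on or before training_end."""
    per_app_day = defaultdict(lambda: defaultdict(int))
    ips = defaultdict(set)
    for e in events:
        if e.day <= training_end:
            per_app_day[e.app][e.day] += e.records
            ips[e.app].add(e.source_ip)
    return {
        app: Baseline(sum(days.values()) / len(days), ips[app])
        for app, days in per_app_day.items()
    }


def detect(events, training_end, spike_factor=5.0):
    """Return (app, day, reason) findings for activity after training_end."""
    baselines = build_baselines(events, training_end)
    daily = defaultdict(int)        # (app, day) -> records pulled
    ips_seen = defaultdict(set)     # (app, day) -> source IPs used
    for e in events:
        if e.day > training_end:
            daily[(e.app, e.day)] += e.records
            ips_seen[(e.app, e.day)].add(e.source_ip)

    findings = []
    for (app, day), total in sorted(daily.items()):
        base = baselines.get(app)
        if base is None:
            # An integration with no history is itself worth a look.
            findings.append((app, day, "no baseline: integration not seen in training window"))
            continue
        if total > spike_factor * base.mean_daily_records:
            findings.append((app, day,
                             f"volume spike: {total} records vs baseline {base.mean_daily_records:.0f}"))
        unknown = ips_seen[(app, day)] - base.known_ips
        if unknown:
            findings.append((app, day, f"new source IPs: {sorted(unknown)}"))
    return findings


# Constructed sample data: three quiet days per integration, then one day
# in which app A pulls far more data from a never-seen address, app B behaves
# normally, and app C appears for the first time.
TRAINING_END = date(2024, 3, 3)
SAMPLE_EVENTS = [
    Event(date(2024, 3, 1), "vendor-app-A", "203.0.113.10", 1000),
    Event(date(2024, 3, 2), "vendor-app-A", "203.0.113.10", 1100),
    Event(date(2024, 3, 3), "vendor-app-A", "203.0.113.10", 900),
    Event(date(2024, 3, 1), "vendor-app-B", "203.0.113.20", 500),
    Event(date(2024, 3, 2), "vendor-app-B", "203.0.113.20", 480),
    Event(date(2024, 3, 3), "vendor-app-B", "203.0.113.20", 520),
    Event(date(2024, 3, 10), "vendor-app-A", "198.51.100.7", 12000),
    Event(date(2024, 3, 10), "vendor-app-B", "203.0.113.20", 510),
    Event(date(2024, 3, 10), "vendor-app-C", "192.0.2.44", 300),
]

if __name__ == "__main__":
    for app, day, reason in detect(SAMPLE_EVENTS, TRAINING_END):
        print(f"{day} {app}: {reason}")
```

The two signals are deliberately independent: a large pull from a known address and a small pull from an unknown one are each reported, because a token misused from the vendor's usual infrastructure would only show up as the former. The spike factor is a tunable; a lower value catches more but will also fire on legitimate bulk syncs, so it belongs in a per-integration policy rather than a global constant.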