Your biggest platform risk isn’t your competition. It’s losing access to the ecosystems your customers depend on.
Let me share something that should terrify every B2B founder. Two well-known unicorn vendors have lost their access to the Salesforce platform — and HubSpot, Zendesk and more — indefinitely.
Gainsight—one of the most successful customer success platforms ever built, acquired by Vista Equity for $1.1 billion—has been completely offline from Salesforce AppExchange for over a week now. Their apps were yanked. Every single OAuth token revoked. More than 200 Salesforce instances potentially compromised, including major enterprise customers like Atlassian, Verizon, and GitLab.
I think they’ll be back soon. They get it done.
But Drift, which was subject to a similar attack, has been offline since August. Over three months. Gone from AppExchange “until further notice.” Salesloft did the right thing here in just putting Drift on pause. But it’s tough. I am sure many of the customers are long gone.

What Actually Happened
We’re still learning what happened, but it’s a combination of scary ransomware, financially motivated hackers, and security lapses.
In August 2025, a sophisticated threat actor (tracked as UNC6395, believed to be a Chinese nation-state group) compromised Salesloft’s Drift chatbot integration. They stole OAuth tokens that Drift used to connect to customers’ Salesforce instances. Then they systematically queried and exported massive volumes of data from over 700 organizations over a 10-day period.
The victims? Cloudflare. PagerDuty. Palo Alto Networks. Proofpoint. Zscaler. Google Workspace customers. The list goes on.
What were they after? AWS access keys. Snowflake tokens. Passwords. Credentials they could use to launch follow-on attacks against even more valuable targets.
On August 20th, Salesforce and Salesloft revoked all Drift OAuth tokens and pulled Drift from AppExchange. In early September, Salesloft took Drift completely offline “temporarily” to rebuild security. As of today, it’s still not back.
Then in November, it happened again—this time with Gainsight. Same playbook. Salesforce detected suspicious activity, immediately revoked all OAuth tokens, and pulled every Gainsight app from AppExchange. HubSpot and Zendesk also disabled their Gainsight connectors as a precaution.
The ShinyHunters group has claimed responsibility and says the combined Salesloft and Gainsight campaigns hit nearly 1,000 organizations.
This Is Your New Reality
Here’s what most founders don’t understand: your integration with Salesforce, HubSpot, Zendesk, or Google isn’t just a feature. It’s your distribution. It’s your data layer. It’s your business.
And those platforms can—and will—cut you off instantly if you become a security liability.
No warning. No negotiation. No “let’s work through this together.”
One day you’re on AppExchange with hundreds of paying customers. The next day, every active session is terminated, every OAuth token is revoked, and you’re scrambling to explain to enterprise customers why your integration disappeared.
The Verizon 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled year-over-year, jumping from 15% to 30%. This isn’t a trend. It’s a fundamental shift in how attackers operate.
They’re not trying to breach your customers directly. They’re breaching you and using your trusted connections to get to your customers. Your OAuth tokens. Your API integrations. Your position in the supply chain.
Why This Is So Hard for Founders
Security is hard. It’s unglamorous. It doesn’t help you close deals or hit your ARR targets. It’s tempting to just get a cheap SOC 2 and call it a day.
When you’re at $2M ARR trying to get to $10M, the last thing you want to do is slow down product development to implement security controls. When you’re racing to close an enterprise deal, the security questionnaire feels like a checkbox exercise.
And honestly? For most of SaaS history, you could get away with treating security as an afterthought. The platforms didn’t have strong enforcement. The attacks weren’t this sophisticated. The risk felt theoretical.
That era is over.
The attackers targeting Drift and Gainsight weren’t script kiddies. They were methodical, patient, and technically sophisticated. They performed reconnaissance for months. They built custom tooling to discover vulnerable accounts. They exfiltrated data at scale while deleting query logs to cover their tracks.
And they specifically targeted SaaS supply chains because they understood that one compromised integration equals access to hundreds of enterprise environments.
What You Actually Need to Do
Let me be concrete about what security looks like when you’re building an integration-dependent SaaS business:
1. Treat OAuth tokens like production database credentials.
Most founders understand they need to protect their database. But OAuth tokens? They’re scattered across your codebase, stored in environment variables that haven’t been rotated in two years, sitting in AWS environments without proper access controls.
OAuth tokens don’t expire by default. They persist forever unless explicitly revoked. And they often have far broader permissions than they need because nobody bothered to implement least-privilege scoping.
Rotate them. Encrypt them. Monitor their usage for anomalies. Build systems to detect when they’re being used from unexpected IPs or user agents.
2. Assume your integrations are attack surfaces, not just features.
Every third-party connection expands your attack surface. Every API integration is a potential entry point. Every OAuth flow creates persistent access that could be abused.
Audit your integrations quarterly. Remove unused ones. Restrict scopes to the minimum necessary. Implement IP allowlists where platforms support them. Monitor for unusual API patterns.
The Drift attackers specifically targeted organizations that hadn’t enforced multi-factor authentication on their integrations. Basic security hygiene blocked the attack at some companies (Okta blocked it because the connection came from an unauthorized IP). Others got breached.
3. Invest in logging and monitoring before you need it.
When Cloudflare was hit in the Drift breach, they were able to reconstruct the entire attack timeline from their logs—even after the attackers deleted their query jobs. Their security team had invested in the infrastructure to detect and investigate incidents.
Most startups have no idea what their integrations are doing. No logs. No anomaly detection. No ability to answer the question “did this compromise affect us?”
You don’t want to be figuring this out during an incident.
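One way to implement the monitoring that points 1 through 3 call for, as an added example that is not from the original post or from any vendor it mentions: a detector run over constructed connected-app audit records that flags a token used from outside its expected IP range or with an unexpected user agent, and a row-volume spike over a sliding hour. The token ids, IPs, user agents, field names and thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-token baseline a vendor would keep for each connected-app token
# (hypothetical values; documentation IP ranges, not a real egress range).
TOKEN_BASELINE = {
    "tok-crm-01": {
        "allowed_cidrs": ["203.0.113.0/24"],      # vendor's own egress range
        "allowed_user_agents": {"vendor-sync/2.4"},
        "max_rows_per_hour": 50_000,              # normal sync volume budget
    },
}

# Constructed API audit records (field names are an assumption, not a real
# platform schema); the last two mimic token replay from a new IP with generic tooling.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:00:00Z", "token": "tok-crm-01", "ip": "203.0.113.7",
     "ua": "vendor-sync/2.4", "op": "query", "object": "Account", "rows": 1200},
    {"ts": "2025-08-10T02:05:00Z", "token": "tok-crm-01", "ip": "198.51.100.9",
     "ua": "python-requests/2.31", "op": "query", "object": "Case", "rows": 40000},
    {"ts": "2025-08-10T02:20:00Z", "token": "tok-crm-01", "ip": "198.51.100.9",
     "ua": "python-requests/2.31", "op": "bulk_export", "object": "Contact", "rows": 45000},
]

def _ip_allowed(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def detect_token_anomalies(events, baseline=TOKEN_BASELINE, window=timedelta(hours=1)):
    """Return (ts, token, reason) alerts for use from an IP outside the allowlist, an
    unexpected user agent, or rows over the hourly budget in a sliding window."""
    alerts, recent = [], defaultdict(list)     # recent: token -> [(ts, rows)]
    for e in sorted(events, key=lambda x: x["ts"]):
        profile = baseline.get(e["token"])
        if profile is None:
            alerts.append((e["ts"], e["token"], "unknown_token"))
            continue
        if not _ip_allowed(e["ip"], profile["allowed_cidrs"]):
            alerts.append((e["ts"], e["token"], f"unexpected_ip:{e['ip']}"))
        if e["ua"] not in profile["allowed_user_agents"]:
            alerts.append((e["ts"], e["token"], f"unexpected_user_agent:{e['ua']}"))
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        hist = [(t, r) for t, r in recent[e["token"]] if ts - t <= window] + [(ts, e["rows"])]
        recent[e["token"]] = hist
        total = sum(r for _, r in hist)
        if total > profile["max_rows_per_hour"]:
            alerts.append((e["ts"], e["token"], f"volume:{total}"))
    return alerts
```

Write the alerts and the raw audit records to append-only storage that the integration token itself cannot modify; that separation is what let Cloudflare rebuild the timeline after the attackers deleted their query jobs.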
4. Get SOC 2 Type II before customers demand it.
I know SOC 2 feels expensive and bureaucratic. But here’s the thing: the process of getting certified forces you to build the security controls you should have anyway.
Document access controls. Implement change management. Build incident response procedures. Create audit trails. These aren’t arbitrary compliance requirements—they’re the foundations of security operations.
And when a platform like Salesforce is deciding whether to restore your AppExchange listing after an incident, having third-party validated security controls matters.
5. Build security into your culture, not just your infrastructure.
The Drift breach didn’t happen because of a sophisticated zero-day exploit. It happened because attackers got access to credentials and there weren’t sufficient controls to detect or prevent their misuse.
Security is a human problem as much as a technical one. Train your team. Build security awareness. Make secure practices the default, not the exception. And I’m guessing some of this had to do with team turnover: Drift was acquired by a PE firm, which then merged it into Salesloft.
The Cost of Getting This Wrong
Let me do some back-of-napkin math on what losing platform access actually costs:
If you’re a $20M ARR company with 40% of your revenue coming from Salesforce-integrated customers, and you lose AppExchange access for three months, you’re looking at:
- ~$2M in delayed or lost renewals
- Massive churn risk from enterprise customers who can’t use your core functionality
- 6-12 months of sales cycle disruption
- Permanent brand damage in your category
Drift has been offline for three months. Gainsight’s core apps have been down for a week and counting. The direct financial impact is enormous.
But the harder cost is trust. Once you’ve been the company that compromised your customers’ Salesforce data, that reputation follows you forever. Every RFP will include questions about it. Every security review will dig into it. Every competitor will reference it.
You’re Not Too Small To Be a Target
Here’s what I really want founders to hear:
You are not too small to be a target. The Verizon report found that 88% of breaches at SMBs involved ransomware. Attackers love smaller companies because you have weaker defenses but still have valuable customer data and integration access.
Security isn’t optional because you’re in “growth mode.” Every enterprise customer you sign up increases your obligation to protect their data. That’s not a future problem—it’s a current liability.
Your platform partners will protect themselves first. Salesforce didn’t hesitate to nuke every Drift and Gainsight connection the moment they detected risk. They made the right call for their customers. Don’t expect them to protect your business interests over theirs.
The SaaS supply chain has become a primary attack vector. Nation-state actors and sophisticated cybercrime groups specifically target integration providers because they’re efficient paths to mass compromise.
If you’re building an integration-dependent SaaS business, security isn’t a cost center. It’s existential risk management.
Drift and Gainsight are (or in the case of Drift, were) category leaders backed by billions in capital. They have security teams, compliance certifications, and enterprise-grade infrastructure.
And they still got breached. They still lost platform access. They’re still offline.
If it can happen to them, it can happen to you.
The question isn’t whether you can afford to invest deeper in security. It’s whether you can afford not to.
Note: Drift was taken offline September 2, 2025. Gainsight apps were removed from Salesforce AppExchange on November 19, 2025. Both situations remain ongoing at time of publication.
