- One quiet integration (Gainsight) ended up unlocking access to Salesforce environments across 200+ companies, proof that the real risks today often sit in the “yes, approved it years ago” pile.
- Attackers didn’t need exploits. They simply walked in through inherited access, which is basically account takeover through the back door.
- This expands the supply-chain problem from the vendors you choose to every connector you forgot about.
- Expect budgets and platform deals to push harder toward identity governance, auditability, and observability of integrations.
What happened
Most organizations get hacked the same way people trip at home: not because of something dramatic, but because they overlook something small. I’ve done it myself. A few years ago, I set up an experimental Linux box – “secure by default,” or so I thought – used it for a bit, then unplugged it and moved on. Months later, I powered it back up for a totally different task… and it was compromised within days.
The Salesforce–Gainsight incident follows a similar path. An attacker didn’t go for Salesforce head-on. They went for a trusted integration that had been sitting there, quietly doing its job, and holding more access than anyone remembered. More than 200 customer environments were exposed because a connector still had the keys.
This wasn’t a sophisticated zero-day story. It wasn’t even clever. It was simply access nobody revisited. And that’s what makes it so uncomfortable. The whole SaaS ecosystem runs on “connect once, trust indefinitely.” Teams install tools, approve the prompts, and then forget the integration even exists.
Why It Matters Now
Most SaaS apps want deep integration. That’s how they get sticky. And we… let them. Over time, a single company accumulates dozens of approved connectors pulling data, pushing updates, syncing records, and automating tasks. All valid. All convenient. All invisible.
The Salesforce–Gainsight episode exposed three problems we’ve been ignoring:
- First, permissions never get revisited. What made sense at onboarding becomes wildly over-privileged two years later.
- Second, ownership disappears. Who owns the integration? Who monitors it? Who rotates its access? Most companies don’t have an answer.
- Third, there’s the opaque behavior. Even mature platforms can’t tell the difference between “legitimate automation” and “abusive automation” when credentials are valid.
This is a structural blind spot baked into how SaaS works. And honestly, we’ve been lucky it hasn’t blown up more often.
Investor Implications
When a breach highlights a hole that everyone shares, spending moves quickly. Two investment arcs get reinforced here:
1. Identity becomes the enforcement layer for everything, not just people.
If integrations can act with the same authority as users, identity and governance platforms become the only rational place to enforce boundaries.
Expect growing interest in:
- integration lifecycle controls
- visibility into who granted what
- rotation/expiration of long-lived connections
- “connected-app reviews” packaged as a feature, not a professional service
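The three problems above (permissions never revisited, ownership that disappears) and the lifecycle controls listed here can be turned into a concrete review. The script below is an added example, not code from the original post or from Salesforce or Gainsight; the inventory fields, scope names, thresholds and every integration in the sample inventory are constructed assumptions. It walks an inventory of connected apps and raises the findings a quarterly “integration review” would want: no owner, permissions older than the review interval, no recent activity, a credential that never expires, and scopes broader than the connector needs. A connector that is inactive and either ownerless or holding a non-expiring credential is reported as a zombie integration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed inventory record for one connected app / integration. The field names,
# scope strings and thresholds are assumptions for this example, not any vendor's
# real schema or policy.
@dataclass
class Integration:
    name: str
    owner: Optional[str]          # accountable team; None means nobody can say who owns it
    scopes: Set[str]              # permission scopes granted at approval time
    granted: date                 # when the access was approved
    last_used: Optional[date]     # last observed activity; None means never seen
    token_expires: Optional[date] # None means a long-lived credential that never expires

REVIEW_INTERVAL = timedelta(days=365)            # permissions older than this need a fresh look
INACTIVE_AFTER = timedelta(days=90)              # no activity for this long counts as inactive
BROAD_SCOPES = {"full", "api", "refresh_token"}  # illustrative "more than it needs" scopes

def review(integ: Integration, today: date) -> List[str]:
    """Return the findings an integration review should raise for one connector."""
    findings: List[str] = []
    if integ.owner is None:
        findings.append("no-owner")
    if today - integ.granted > REVIEW_INTERVAL:
        findings.append("permissions-not-revisited")
    if integ.last_used is None or today - integ.last_used > INACTIVE_AFTER:
        findings.append("inactive")
    if integ.token_expires is None:
        findings.append("non-expiring-credential")
    elif integ.token_expires < today:
        findings.append("expired-but-still-registered")
    broad = integ.scopes & BROAD_SCOPES
    if broad:
        findings.append("broad-scopes:" + ",".join(sorted(broad)))
    return findings

def is_zombie(findings: List[str]) -> bool:
    """A zombie integration is one nobody uses that still holds ownerless or
    never-expiring access."""
    return "inactive" in findings and (
        "no-owner" in findings or "non-expiring-credential" in findings
    )

def review_inventory(inventory: List[Integration], today: date) -> Dict[str, List[str]]:
    """Findings per integration name."""
    return {i.name: review(i, today) for i in inventory}

def zombies(inventory: List[Integration], today: date) -> List[str]:
    """Names of integrations that should be removed rather than re-approved."""
    return [i.name for i in inventory if is_zombie(review(i, today))]

# Constructed sample inventory: names, dates and scopes are made up for this example.
TODAY = date(2025, 11, 25)
SAMPLE_INVENTORY = [
    Integration("cs-analytics-sync", "customer-success", {"api", "refresh_token"},
                date(2022, 3, 1), date(2025, 11, 20), None),
    Integration("old-marketing-connector", None, {"full"},
                date(2021, 6, 15), date(2023, 1, 10), None),
    Integration("billing-webhook", "finance-eng", {"read:invoices"},
                date(2025, 9, 1), date(2025, 11, 24), date(2026, 3, 1)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {findings or ['ok']}")
    print("zombies:", zombies(SAMPLE_INVENTORY, TODAY))
```

The useful output is not the zombie list alone: the still-active “cs-analytics-sync” entry is flagged for a non-expiring credential and broad scopes, which is exactly the “approved it years ago” shape the incident describes. Feeding a real inventory in means exporting connected-app metadata from the platform and mapping it onto these fields; the thresholds are policy decisions, not constants to copy.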
This also explains why Palo Alto is buying its way into observability and identity. The gravity of the market is shifting.
2. Observability becomes a security feature.
The line between runtime telemetry and intrusion detection is fading.
Companies need to see:
- which integrations executed actions
- what data they touched
- and whether the pattern makes sense
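What “seeing which integrations executed actions, what data they touched, and whether the pattern makes sense” looks like in practice is a detection pass over an integration audit log. The example below is added here and is not code from the original post, Salesforce or Gainsight; the log format (one JSON object per line), the per-app profiles and every event in the sample log are constructed assumptions. Each integration gets a declared profile of the objects it should touch, the actions it should perform and a row ceiling, and every event is checked against it. A second check sums rows per app per day and flags a day that is several times the average of the days before it, which is the kind of pattern a valid-credential abuse shows and a permission check alone cannot.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed audit-log lines (not a real vendor's log format): one JSON object per
# line describing an action a connected app took against a CRM object.
SAMPLE_LOG = """\
{"ts": "2025-11-24T02:10:00Z", "app": "cs-analytics-sync", "action": "QUERY", "object": "Account", "rows": 1200}
{"ts": "2025-11-24T02:11:00Z", "app": "cs-analytics-sync", "action": "QUERY", "object": "Case", "rows": 800}
{"ts": "2025-11-24T09:30:00Z", "app": "billing-webhook", "action": "UPDATE", "object": "Invoice", "rows": 40}
{"ts": "2025-11-25T02:10:00Z", "app": "cs-analytics-sync", "action": "QUERY", "object": "Account", "rows": 1150}
{"ts": "2025-11-25T14:42:00Z", "app": "cs-analytics-sync", "action": "EXPORT", "object": "Contact", "rows": 250000}
{"ts": "2025-11-25T14:45:00Z", "app": "cs-analytics-sync", "action": "QUERY", "object": "User", "rows": 300}
"""

# Declared purpose of each integration: the objects it may touch, the actions it may
# perform and the most rows one call should move. This is the vendor's "what exactly
# does your integration do" answer, written down as data. Values are assumptions.
PROFILES = {
    "cs-analytics-sync": {"objects": {"Account", "Case"}, "actions": {"QUERY"}, "max_rows": 5000},
    "billing-webhook": {"objects": {"Invoice"}, "actions": {"UPDATE"}, "max_rows": 500},
}

Finding = Tuple[str, str, List[str]]  # (timestamp, app, reasons)

def parse_log(text: str) -> List[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def check_against_profile(events: List[dict], profiles: Dict[str, dict]) -> List[Finding]:
    """Flag each event that steps outside the integration's declared purpose."""
    findings: List[Finding] = []
    for e in events:
        prof = profiles.get(e["app"])
        if prof is None:
            # An app with no profile is itself a finding: nobody declared what it does.
            findings.append((e["ts"], e["app"], ["unknown-integration"]))
            continue
        reasons = []
        if e["object"] not in prof["objects"]:
            reasons.append("unexpected-object:" + e["object"])
        if e["action"] not in prof["actions"]:
            reasons.append("unexpected-action:" + e["action"])
        if e["rows"] > prof["max_rows"]:
            reasons.append("rows-over-limit:%d" % e["rows"])
        if reasons:
            findings.append((e["ts"], e["app"], reasons))
    return findings

def daily_volume(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Rows touched per app per UTC day (the day is the first 10 chars of the timestamp)."""
    vol: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["app"]][e["ts"][:10]] += e["rows"]
    return vol

def volume_spikes(events: List[dict], factor: float = 3.0) -> List[Tuple[str, str, int]]:
    """Days where an app moved more than `factor` times its average over earlier days.
    Apps with only one day of history produce no baseline and are skipped."""
    spikes = []
    for app, days in daily_volume(events).items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            prior = [t for _, t in ordered[:i]]
            if prior and total > factor * (sum(prior) / len(prior)):
                spikes.append((app, day, total))
    return spikes

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ts, app, reasons in check_against_profile(events, PROFILES):
        print(f"{ts} {app}: {', '.join(reasons)}")
    for app, day, total in volume_spikes(events):
        print(f"{app} moved {total} rows on {day}, well above its earlier days")
```

The profile check catches the export of an object the connector was never meant to read; the volume check catches the same event from a different direction, without needing a profile at all, because the day’s total dwarfs the previous day. Both signals exist only if the platform records which integration, not just which user account, performed each action; that attribution is what makes observability a security feature.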
Vendors positioned to unify these signals into a “what’s actually happening” plane will pull ahead.
Vendor Implications
Customers are going to start asking uncomfortable questions. Not “what does your product do?” But: “What exactly does your integration do, and how do I know when something is off?”
Vendors that can answer that clearly will earn trust. Vendors that can’t will end up on the wrong side of procurement checklists, especially in finance, healthcare, and the public sector.
There’s a spillover into consumer and SMB, too. As people rely more on cloud accounts for identity, documents, finances, and home devices, the same integration risks show up inside households. That’s something consumer platforms aren’t ready to talk about yet.
What to Watch Next
Expect this incident to start a slow but important change:
- Companies will introduce “integration reviews” the same way they run quarterly access reviews.
- Identity providers will move into integration governance because no one else can centrally enforce it.
- SaaS vendors will be pushed to shrink permission scopes and shorten token lifetimes.
- Regulators will start asking for evidence that third-party connections aren’t eternal and ownerless.
- Insurers will demand proof that “zombie integrations” aren’t still sitting with broad access.
I covered the new shadow IT in a previous Signals edition, and with every new SaaS tool and integration, the challenge grows. We worry about SaaS vendors, but most of the risk sits in the integrations that silently bind them together.