For B2B companies, the greatest platform risk isn't competition; it's the sudden loss of access to the very ecosystems their customers rely on. A recent series of events should send a shiver down the spine of every B2B founder: two well-known unicorn vendors, Gainsight and Drift, have indefinitely lost access to the Salesforce platform, with implications extending to HubSpot, Zendesk, and other critical integrations.
Gainsight, one of the most successful customer success platforms, acquired by Vista Equity for $1.1 billion, was completely removed from the Salesforce AppExchange in November 2025. Its applications were yanked, every OAuth token revoked, and over 200 Salesforce instances potentially compromised, including those of major enterprise customers like Atlassian, Verizon, and GitLab. While Gainsight's core apps have been offline for over a week and counting, the situation for Drift is even more severe.
Drift, a leading conversational AI platform, has been offline since August 2025 following a similar hacker attack. Removed from the AppExchange "until further notice," Drift has remained inaccessible for over three months. This prolonged outage has undoubtedly led to significant customer churn and operational disruption for many businesses that relied on its integration.
What Actually Happened
While full details are still emerging, the incidents appear to be a combination of sophisticated ransomware, financially motivated cyberattacks, and critical security lapses. In August 2025, a sophisticated threat actor, tracked as UNC6395 (believed to be a Chinese nation-state group), compromised Salesloft's Drift chatbot integration. They stole OAuth tokens that Drift used to connect to customers' Salesforce instances, then systematically queried and exported massive volumes of data from over 700 organizations over a 10-day period.
The list of victims included high-profile companies such as Cloudflare, PagerDuty, Palo Alto Networks, Proofpoint, Zscaler, and numerous Google Workspace customers. The attackers' objective was clear: to acquire AWS access keys, Snowflake tokens, passwords, and other credentials that could be used to launch follow-on attacks against even more valuable targets.
On August 20, 2025, Salesforce and Salesloft responded by revoking all Drift OAuth tokens and pulling Drift from the AppExchange. In early September, Salesloft took Drift entirely offline "temporarily" to rebuild its security infrastructure. As of the time of publication, it remains offline.
The same playbook was executed in November 2025, this time targeting Gainsight. Salesforce detected suspicious activity, immediately revoked all OAuth tokens, and removed every Gainsight app from the AppExchange. HubSpot and Zendesk also disabled their Gainsight connectors as a precautionary measure. The ShinyHunters group has claimed responsibility for these combined Salesloft and Gainsight campaigns, stating they impacted nearly 1,000 organizations.
This Is Your New Reality
Many founders misunderstand the true nature of their integrations with platforms like Salesforce, HubSpot, Zendesk, or Google. These aren't merely features; they are your distribution channels, your data layers, and fundamentally, your business itself.
These powerful platforms possess the capability—and the willingness—to instantly cut you off if you become a security liability. There will be no warning, no negotiation, and no collaborative problem-solving. One day, your application is live on the AppExchange with hundreds of paying customers; the next, every active session is terminated, every OAuth token revoked, leaving you scrambling to explain to enterprise clients why your critical integration has vanished.
The Verizon 2025 Data Breach Investigations Report revealed a stark reality: third-party involvement in data breaches doubled year-over-year, climbing from 15% to 30%. This isn't a fleeting trend; it represents a fundamental shift in attacker methodology. Cybercriminals are no longer primarily attempting to breach your customers directly. Instead, they are breaching you and leveraging your trusted connections—your OAuth tokens, your API integrations, your position in the supply chain—to gain access to your customers' sensitive data.
Why This Is So Hard for Founders
Security is inherently challenging. It's often unglamorous, doesn't directly contribute to closing deals or hitting ARR targets, and can feel like a bureaucratic hurdle. The temptation to opt for a minimal SOC 2 certification and consider the job done is strong, especially for growing companies.
When a company is striving to scale from $2 million to $10 million in Annual Recurring Revenue (ARR), the last priority is often slowing down product development to implement stringent security controls. Similarly, when racing to close a crucial enterprise deal, the security questionnaire can feel like a mere checkbox exercise.
For much of SaaS history, treating security as an afterthought was often permissible. Platforms lacked robust enforcement mechanisms, attacks were less sophisticated, and the perceived risk felt largely theoretical. That era is definitively over.
The attackers behind the Drift and Gainsight breaches were not amateur "script kiddies." They were methodical, patient, and technically advanced. They conducted reconnaissance for months, developed custom tools to identify vulnerable accounts, and exfiltrated data at scale while meticulously deleting query logs to cover their tracks. Their specific targeting of SaaS supply chains underscores their understanding that one compromised integration can unlock access to hundreds of enterprise environments.
What You Actually Need to Do
For any SaaS business dependent on integrations, concrete security measures are no longer optional. Here's what's essential:
- Treat OAuth tokens like production database credentials. Many founders understand the need to protect their databases, but OAuth tokens are often scattered across codebases, stored in unrotated environment variables, or reside in AWS environments without proper access controls. OAuth tokens do not expire by default; they persist indefinitely unless explicitly revoked. Furthermore, they frequently possess overly broad permissions due to a lack of least-privilege scoping. Implement regular rotation, encryption, and anomaly monitoring for their usage, detecting access from unexpected IPs or user agents.
- Assume your integrations are attack surfaces, not just features. Every third-party connection expands your attack surface. Every API integration is a potential entry point, and every OAuth flow creates persistent access that could be exploited. Conduct quarterly audits of your integrations, removing unused ones and restricting scopes to the absolute minimum necessary. Implement IP allowlists where platforms support them and actively monitor for unusual API patterns. The Drift attackers specifically targeted organizations that had not enforced multi-factor authentication on their integrations; basic security hygiene, such as Okta blocking connections from unauthorized IPs, prevented attacks at some companies while others were breached.
- Invest in logging and monitoring before you need it. When Cloudflare was impacted by the Drift breach, their security team was able to reconstruct the entire attack timeline from their logs, even after attackers attempted to delete query jobs. This was possible because they had proactively invested in the infrastructure to detect and investigate incidents. Most startups lack visibility into their integrations' activities, with no logs, no anomaly detection, and no ability to determine if a compromise has affected them. Addressing this during an active incident is too late.
- Get SOC 2 Type II before customers demand it. While SOC 2 certification can seem expensive and bureaucratic, the process itself forces the implementation of essential security controls. Documenting access controls, implementing change management, building incident response procedures, and creating audit trails are not arbitrary compliance requirements; they are the foundational elements of robust security operations. When platforms like Salesforce are deciding whether to restore your AppExchange listing after an incident, having third-party validated security controls is paramount.
- Build security into your culture, not just your infrastructure. The Drift breach wasn't caused by a sophisticated zero-day exploit; it occurred because attackers gained access to credentials, and there were insufficient controls to detect or prevent their misuse. Security is as much a human problem as it is a technical one. Train your team, foster security awareness, and make secure practices the default, not the exception.
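The token-usage monitoring recommended above (unexpected IPs, unexpected user agents, unusual API patterns) can start as a simple baseline check over API access logs. The sketch below is an added example, not code from any vendor named in this article; the integration name, networks, user agents, volume ceiling and log events are all constructed assumptions.

```python
import ipaddress

# Constructed baseline: where each integration's OAuth token is expected to be used.
BASELINE = {
    "crm-sync": {
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
        "user_agents": {"acme-sync/2.4"},
        "max_queries_per_hour": 100,
    },
}

# Constructed sample events: (hour, integration, source IP, user agent, query count)
SAMPLE_EVENTS = [
    ("2025-01-10T09", "crm-sync", "203.0.113.17", "acme-sync/2.4", 42),
    ("2025-01-10T10", "crm-sync", "198.51.100.9", "acme-sync/2.4", 12),
    ("2025-01-10T11", "crm-sync", "203.0.113.17", "python-requests/2.32", 8),
    ("2025-01-10T12", "crm-sync", "203.0.113.20", "acme-sync/2.4", 900),
    ("2025-01-10T13", "unknown-app", "203.0.113.17", "acme-sync/2.4", 1),
]

def check_event(event, baseline=BASELINE):
    """Return the reasons an event deviates from its baseline (empty list = normal)."""
    _hour, integration, ip, user_agent, queries = event
    profile = baseline.get(integration)
    if profile is None:
        # A token used by an integration nobody registered is itself a finding.
        return ["unregistered integration"]
    reasons = []
    try:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in profile["networks"]):
            reasons.append("unexpected source IP")
    except ValueError:
        # Malformed log fields are flagged, never silently skipped.
        reasons.append("unparseable source IP")
    if user_agent not in profile["user_agents"]:
        reasons.append("unexpected user agent")
    if queries > profile["max_queries_per_hour"]:
        reasons.append("query volume above ceiling")
    return reasons

def find_anomalies(events, baseline=BASELINE):
    """Return (event, reasons) pairs for every event that deviates from baseline."""
    return [(e, r) for e in events if (r := check_event(e, baseline))]

if __name__ == "__main__":
    for event, reasons in find_anomalies(SAMPLE_EVENTS):
        print(event[0], event[1], event[2], "->", ", ".join(reasons))
```

Ship the findings to storage the integration's own credentials cannot modify, so the record survives even if an attacker deletes query jobs on the platform side.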
The Cost of Getting This Wrong
The financial and reputational costs of losing platform access are staggering. Consider a $20 million ARR company with 40% of its revenue derived from Salesforce-integrated customers. Losing AppExchange access for just three months could result in:
- Approximately $2 million in delayed or lost renewals.
- Massive churn risk from enterprise customers unable to utilize core functionality.
- Six to twelve months of sales cycle disruption.
- Permanent brand damage within your category.
Drift has been offline for over three months, and Gainsight's core apps have been down for a week and counting. The direct financial impact on these companies is enormous. However, the more profound cost is the erosion of trust. Once a company is associated with compromising customer data on a major platform, that reputation endures. Every Request for Proposal (RFP) will include questions about it, every security review will scrutinize it, and every competitor will leverage it.
You're Not Too Small To Be a Target
Founders must internalize these critical truths:
- You are not too small to be a target. The Verizon report indicated that 88% of breaches at SMBs involved ransomware. Attackers favor smaller companies because they often have weaker defenses but still possess valuable customer data and integration access.
- Security isn't optional because you're in "growth mode." Every enterprise customer you onboard increases your obligation to protect their data. This isn't a future problem; it's a current and significant liability.
- Your platform partners will protect themselves first. Salesforce did not hesitate to sever every Drift and Gainsight connection the moment risk was detected. They made the correct decision for their customers. Do not expect them to prioritize your business interests over their own security and reputation.
The SaaS supply chain has evolved into a primary attack vector. Nation-state actors and sophisticated cybercrime groups specifically target integration providers because they offer efficient pathways to mass compromise. If you are building an integration-dependent SaaS business, security is not merely a cost center; it is existential risk management.
Drift and Gainsight are (or in Drift's case, were) category leaders, backed by billions in capital. They possess dedicated security teams, compliance certifications, and enterprise-grade infrastructure. Yet, they were still breached. They still lost platform access. They are still offline.
If it can happen to them, it can happen to you. The question is no longer whether you can afford to invest deeper in security, but whether you can afford *not* to.





