The **Salesforce data breach** was claimed by the **ShinyHunters (UNC6240) hacking group**, which used **OAuth tokens** stolen through the compromise of **Salesloft’s GitHub account** to abuse **Drift’s Salesforce integration** and subsequently compromise **Gainsight**, a customer success platform. The attackers gained unauthorized access to **over 200 Salesforce instances** and exfiltrated enterprise customer data through third-party service integrations (the **HubSpot and Zendesk** connectors were also affected). Salesforce revoked the OAuth tokens and removed the affected apps from the **AppExchange**, but sensitive customer data was exposed and the full scope of the leak has not been disclosed. The attack leveraged **supply-chain weaknesses** in third-party integrations rather than a flaw in the Salesforce platform itself. ShinyHunters claimed it went undetected for 1–2 weeks after the intrusion and said it was seeking internal accomplices for further access. Salesforce refused the ransom demands; the incident highlights the risk of **third-party integrations** and **credential-based attacks**, in which a valid OAuth token lets an attacker act as the integration without ever performing a login.
Source: https://www.redhotcyber.com/en/post/salesforce-data-breach-shinyhunters-hack-gainsight-integration/
Gainsight cybersecurity rating report: https://www.rankiteo.com/company/gainsight
"id": "GAI1122911112425",
"linkid": "gainsight",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including customer data leaks"
{'affected_entities': [{'customers_affected': '200+ instances',
'industry': 'Technology',
'location': 'Global (HQ: San Francisco, USA)',
'name': 'Salesforce',
'size': 'Enterprise',
'type': 'CRM Platform'},
{'industry': 'SaaS/Technology',
'location': 'Global (HQ: San Francisco, USA)',
'name': 'Gainsight',
'size': 'Enterprise',
'type': 'Customer Success Platform'},
{'industry': 'SaaS/Technology',
'location': 'Global (HQ: Atlanta, USA)',
'name': 'Salesloft',
'size': 'Enterprise',
'type': 'Sales Engagement Platform'},
{'industry': 'SaaS/Technology',
'location': 'Global (HQ: Boston, USA)',
'name': 'Drift',
'size': 'Enterprise',
'type': 'Conversational Marketing Platform'},
{'industry': 'SaaS/Technology',
'location': 'Global (HQ: Cambridge, USA)',
'name': 'HubSpot',
'size': 'Enterprise',
'type': 'CRM & Marketing Platform'},
{'industry': 'SaaS/Technology',
'location': 'Global (HQ: San Francisco, USA)',
'name': 'Zendesk',
'size': 'Enterprise',
'type': 'Customer Service Platform'}],
'attack_vector': ['Stolen OAuth Tokens',
'Third-Party Integration Exploitation (Drift, Gainsight)',
'GitHub Account Compromise'],
'customer_advisories': ['No Direct Communication Mentioned'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': 'Likely (Enterprise '
'Customer Data)',
'sensitivity_of_data': 'High (Potential PII, '
'Business-Critical CRM Data)',
'type_of_data_compromised': ['Enterprise Customer Data',
'CRM Records',
'Integration Logs']},
'date_detected': '2025-11-24',
'date_publicly_disclosed': '2025-11-24',
'description': 'The ShinyHunters group announced its involvement in a data '
'breach affecting the Salesforce ecosystem, particularly '
'through the compromise of Gainsight and Salesloft '
'integrations. Attackers leveraged stolen OAuth tokens from '
'Salesloft’s GitHub account to access enterprise customer data '
'across multiple CRM-related services, including Gainsight, '
'HubSpot, and Zendesk. Over 200 Salesforce instances were '
'reportedly affected. Salesforce revoked access keys and '
'removed Gainsight apps from the AppExchange as a response. '
'The breach is linked to the UNC6240 (ShinyHunters) threat '
'group, which claims to have evaded detection for weeks and is '
'seeking internal accomplices.',
'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in '
'Salesforce Ecosystem',
'Negative Publicity for Gainsight, '
'HubSpot, Zendesk'],
'data_compromised': True,
'downtime': ['Temporary Disruption of Gainsight Apps on Salesforce '
'AppExchange',
'Limited Functionality of HubSpot/Zendesk Connectors'],
'identity_theft_risk': ['High (Enterprise Customer Data Exposed)'],
'operational_impact': ['Revocation of Access Keys',
'Removal of Gainsight Apps from AppExchange',
'Internal Reviews by Affected Companies'],
'systems_affected': ['Salesforce Instances (200+)',
'Gainsight',
'Salesloft',
'Drift',
'HubSpot',
'Zendesk']},
'initial_access_broker': {'entry_point': ['Compromised Salesloft GitHub '
'Account',
'Stolen OAuth Tokens for Drift '
'Integration'],
'high_value_targets': ['Salesforce CRM Data',
'Gainsight Customer Success '
'Platform'],
'reconnaissance_period': 'Not established (the actor '
'claims 1–2 weeks undetected '
'post-intrusion)'},
'investigation_status': 'Ongoing (Led by Google Mandiant)',
'lessons_learned': ['OAuth token security requires stricter rotation and '
'monitoring.',
'Third-party integrations introduce significant supply '
'chain risks.',
'The actor’s claimed 1–2 weeks of undetected access '
'highlights gaps in anomaly monitoring.',
'Collaboration with threat intelligence firms (e.g., '
'Mandiant) is critical for attribution.'],
'motivation': ['Data Theft', 'Extortion', 'Financial Gain'],
'post_incident_analysis': {'corrective_actions': ['Token Revocation and '
'Rotation Across Affected '
'Systems.',
'Removal of Vulnerable Apps '
'from AppExchange.',
'Engagement of Threat '
'Intelligence (Mandiant) '
'for Attribution.'],
'root_causes': ['Inadequate OAuth Token Security '
'in Third-Party Integrations '
'(Drift, Gainsight).',
'Lack of Real-Time Monitoring for '
'Anomalous Access Patterns.',
'Supply Chain Vulnerabilities via '
'GitHub Account Compromise.']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Restrict third-party OAuth grants to least-privilege '
'scopes, short-lived tokens with rotation, and IP '
'restrictions on connected apps.',
'Conduct regular audits of integration partners’ security '
'postures.',
'Enhance real-time monitoring for unauthorized access '
'patterns.',
'Establish clear incident response protocols for supply '
'chain breaches.',
'Publicly disclose breaches transparently to maintain '
'customer trust.'],
'references': [{'date_accessed': '2025-11-24', 'source': 'Redazione RHC'}],
'response': {'communication_strategy': ['Public Disclosure via Media '
'(Redazione RHC)',
'No Direct Comment from Salesforce on '
'Specifics'],
'containment_measures': ['Revoked OAuth Tokens',
'Removed Gainsight Apps from '
'AppExchange',
'Limited HubSpot/Zendesk Connector '
'Functionality'],
'enhanced_monitoring': ['Google Threat Intelligence Group '
'Analysis'],
'incident_response_plan_activated': True,
'remediation_measures': ['Internal Reviews by Affected Companies',
'Token Rotation'],
'third_party_assistance': ['Google Mandiant (Threat '
'Intelligence)']},
'stakeholder_advisories': ['Salesforce Revoked Access Keys',
'Gainsight/HubSpot/Zendesk Limited Connector '
'Functionality'],
'threat_actor': ['ShinyHunters', 'UNC6240'],
'title': 'Salesforce Data Breach: ShinyHunters Hack via Gainsight Integration',
'type': ['Data Breach', 'Unauthorized Access', 'Supply Chain Attack'],
'vulnerability_exploited': ['Weak OAuth Token Security',
'Third-Party Application Misconfiguration']}
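As an added example, not code from the page or from Salesforce, Gainsight or any other vendor named above, the following script shows the detection that the lessons-learned and recommendations entries call for: spotting anomalous data access made with a connected app's OAuth token (bulk export, sweep across sensitive objects, unknown source IP, off-hours activity) and then building the revocation calls for the offending grants. The event field names, sample events, partner IP allowlist, token IDs and thresholds are constructed assumptions, modelled loosely on Salesforce Event Monitoring API events rather than the exact schema; the DELETE on the OauthToken sObject as the revocation mechanism is likewise an assumption to verify against your API version.

```python
"""Flag OAuth-token sessions that look like integration abuse and build revocation calls.

Added example; not code from the page or from Salesforce/Gainsight. Event fields,
sample data, allowlist and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Objects whose bulk export from a CRM integration is a red flag.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}

# Constructed sample: API events from two connected apps. Field names only resemble
# Salesforce ApiEvent records; token IDs are placeholders, not real record IDs.
SAMPLE_EVENTS = [
    {"ts": "2025-11-19T14:02:11Z", "app": "GainsightApp", "user": "svc-gainsight@example.com",
     "token_id": "tokA", "ip": "198.51.100.10", "op": "Query", "objects": ["Account"], "rows": 1200},
    {"ts": "2025-11-19T14:07:40Z", "app": "GainsightApp", "user": "svc-gainsight@example.com",
     "token_id": "tokA", "ip": "198.51.100.10", "op": "Query", "objects": ["Case"], "rows": 800},
    # Suspicious: same app and user, but a new token, unknown IP, 03:00 UTC, sweeping objects.
    {"ts": "2025-11-22T03:11:05Z", "app": "GainsightApp", "user": "svc-gainsight@example.com",
     "token_id": "tokB", "ip": "203.0.113.77", "op": "Query", "objects": ["Account", "Contact"], "rows": 48000},
    {"ts": "2025-11-22T03:14:52Z", "app": "GainsightApp", "user": "svc-gainsight@example.com",
     "token_id": "tokB", "ip": "203.0.113.77", "op": "Query", "objects": ["Lead", "Opportunity"], "rows": 61000},
    {"ts": "2025-11-22T03:20:19Z", "app": "GainsightApp", "user": "svc-gainsight@example.com",
     "token_id": "tokB", "ip": "203.0.113.77", "op": "Query", "objects": ["User"], "rows": 900},
    {"ts": "2025-11-22T10:00:00Z", "app": "ZendeskConnector", "user": "svc-zendesk@example.com",
     "token_id": "tokC", "ip": "192.0.2.5", "op": "Query", "objects": ["Case"], "rows": 300},
]

# Constructed allowlist: egress IPs each integration partner has published for its service.
KNOWN_APP_IPS = {"GainsightApp": {"198.51.100.10"}, "ZendeskConnector": {"192.0.2.5"}}

ROW_THRESHOLD = 50_000        # rows per token before we call it a bulk export (tune per org)
OFF_HOURS = range(0, 6)       # UTC hours treated as off-hours for this org (assumption)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_sessions(events, known_ips=KNOWN_APP_IPS, row_threshold=ROW_THRESHOLD):
    """Group API events by OAuth token and score each token's activity.

    A token is reported when at least two independent signals fire, so a single
    large nightly sync from a known IP does not page anyone on its own.
    """
    by_token = defaultdict(list)
    for event in events:
        by_token[event["token_id"]].append(event)

    findings = []
    for token_id, evs in by_token.items():
        app = evs[0]["app"]
        rows = sum(e["rows"] for e in evs)
        objects = {o for e in evs for o in e["objects"]}
        unknown_ips = {e["ip"] for e in evs} - known_ips.get(app, set())
        off_hours = any(_parse_ts(e["ts"]).hour in OFF_HOURS for e in evs)

        reasons = []
        if rows >= row_threshold:
            reasons.append(f"bulk export: {rows} rows")
        if len(objects & SENSITIVE_OBJECTS) >= 3:
            reasons.append(f"sweep across sensitive objects: {sorted(objects & SENSITIVE_OBJECTS)}")
        if unknown_ips:
            reasons.append(f"source IP not in partner allowlist: {sorted(unknown_ips)}")
        if off_hours:
            reasons.append("off-hours activity (UTC)")

        if len(reasons) >= 2:
            findings.append({"token_id": token_id, "app": app, "user": evs[0]["user"],
                             "rows": rows, "reasons": reasons})
    return findings


def build_revocation_requests(findings, instance_url, admin_access_token, api_version="v60.0"):
    """Build the REST calls that delete the OauthToken record behind each finding.

    Deleting the OauthToken record is used here as the revocation step; that the
    sObject accepts DELETE in your API version is an assumption to verify first.
    """
    return [{
        "method": "DELETE",
        "url": f"{instance_url}/services/data/{api_version}/sobjects/OauthToken/{f['token_id']}",
        "headers": {"Authorization": f"Bearer {admin_access_token}"},
    } for f in findings]


if __name__ == "__main__":
    found = analyze_sessions(SAMPLE_EVENTS)
    for f in found:
        print(f["token_id"], f["app"], f["user"], "->", "; ".join(f["reasons"]))
    for req in build_revocation_requests(found, "https://example.my.salesforce.com", "<admin token>"):
        print(req["method"], req["url"])
```

Run against the constructed sample, only `tokB` is reported (four signals: bulk export, object sweep, unknown IP, off-hours), while the partner's legitimate daytime syncs from allowlisted IPs stay quiet. The two-signal rule is the design choice worth keeping: token misuse in this kind of breach looks like a legitimate integration on paper (valid token, service account, expected API), so the detection has to lean on where, when and how much rather than on who.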