Salesforce disclosed a major security breach in November 2025, where threat actors linked to the ShinyHunters group exploited compromised OAuth tokens in Gainsight-published applications to gain unauthorized access to customer data. The attack, detected mid-November, exposed sensitive information from over 200 organizations using Gainsight’s Salesforce-integrated platform. Attackers conducted reconnaissance as early as October 23, 2025, and executed intensive unauthorized access between November 16–19, 2025, using VPNs (Mullvad, Surfshark, Proton, Tor), proxy services (IProxyShop, ProxySeller, NSocks), and custom user agents (e.g., *Salesforce-Multi-Org-Fetcher/1.0*) to evade detection. Salesforce disabled all Gainsight integrations, revoked affected tokens, and removed compromised apps from AppExchange. The breach did not originate from a Salesforce vulnerability but from third-party OAuth token misuse. Security firms Google Threat Intelligence Group and Mandiant assisted in tracking the attackers, who demonstrated high operational security by rotating VPNs and proxies. The incident mirrors recent attacks on Salesloft-Drift integrations, highlighting a trend of exploiting trusted SaaS integrations. Affected organizations were advised to audit connected apps, revoke suspicious tokens, and implement continuous monitoring.
Source: https://gbhackers.com/hackers-use-salesforce-gainsight-breach/
Troops (Acquired by Salesforce - July 2022) cybersecurity rating report: https://www.rankiteo.com/company/troops
"id": "TRO1793417112225",
"linkid": "troops",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "200+ organizations using Gainsight integration",
      "industry": "Technology (SaaS)",
      "location": "Global (HQ: San Francisco, USA)",
      "name": "Salesforce",
      "size": "Enterprise",
      "type": "Cloud CRM Platform"
    },
    {
      "customers_affected": "200+ (via Salesforce integration)",
      "industry": "Technology (SaaS)",
      "location": "Global (HQ: San Francisco, USA)",
      "name": "Gainsight",
      "size": "Enterprise",
      "type": "Customer Success Platform"
    },
    {
      "industry": "Various (users of Gainsight + Salesforce integration)",
      "location": "Global",
      "name": "200+ Organizations",
      "type": ["B2B Companies", "Enterprises"]
    }
  ],
  "attack_vector": [
    "Compromised OAuth Tokens",
    "Third-Party Application (Gainsight)",
    "VPN/Proxy Evasion (Mullvad, Surfshark, Proton, Tor, etc.)"
  ],
  "customer_advisories": [
    "Recommended actions: token audits, integration reviews, monitoring for IOCs"
  ],
  "data_breach": {
    "data_exfiltration": "Likely (based on ShinyHunters' modus operandi)",
    "personally_identifiable_information": "Potential (not explicitly confirmed)",
    "sensitivity_of_data": "High (business-critical customer success data)",
    "type_of_data_compromised": [
      "Customer data",
      "Potentially PII (depending on Gainsight integration scope)"
    ]
  },
  "date_detected": "2025-11-20",
  "date_publicly_disclosed": "2025-11-20",
  "description": "Salesforce disclosed a security incident involving unauthorized access to customer data through compromised Gainsight-published applications. The breach, detected in mid-November 2025, exposed sensitive information from over 200 organizations using the Gainsight customer success platform integrated with Salesforce. Threat actors linked to the ShinyHunters group exploited OAuth tokens to gain unauthorized access via third-party application connections. Salesforce disabled the Gainsight integration on November 20, 2025, after detecting unusual activity. The investigation revealed reconnaissance activities beginning on October 23, 2025, with intensive unauthorized access attempts occurring between November 16 and November 19, 2025.",
  "impact": {
    "brand_reputation_impact": [
      "Potential loss of trust in Salesforce/Gainsight security",
      "Associated risk due to ShinyHunters' high-profile breach history"
    ],
    "data_compromised": "Sensitive customer data from over 200 organizations",
    "downtime": "Gainsight-published applications disabled until further notice; customers unable to reconnect",
    "identity_theft_risk": "High (sensitive customer data exposed)",
    "operational_impact": "Disruption of customer success platform integrations; revocation of affected OAuth tokens; removal of compromised applications from AppExchange",
    "systems_affected": [
      "Salesforce customer instances accessed via Gainsight integration",
      "Gainsight-published applications on Salesforce AppExchange"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "High probability (based on threat actor profile)",
    "entry_point": "Compromised OAuth tokens in Gainsight-published applications",
    "high_value_targets": [
      "Salesforce customer instances with Gainsight integration",
      "Data likely sold on dark web (ShinyHunters' typical behavior)"
    ],
    "reconnaissance_period": "2025-10-23 to 2025-11-15 (pre-exploitation)"
  },
  "investigation_status": "Ongoing (collaboration with Mandiant and Google)",
  "lessons_learned": [
    "Third-party SaaS integrations introduce significant risk even for secure platforms like Salesforce.",
    "OAuth token management requires rigorous auditing and least-privilege enforcement.",
    "Threat actors increasingly exploit trusted vendor relationships (e.g., Gainsight, Salesloft) for lateral movement.",
    "VPN/proxy evasion tactics (e.g., Mullvad, Tor) complicate attribution and detection."
  ],
  "motivation": [
    "Data Theft",
    "Espionage",
    "Potential Financial Gain (Dark Web Data Sales)"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Stricter vetting of AppExchange third-party applications",
      "Enhanced OAuth token lifecycle management (rotation, revocation)",
      "Deployment of AI-driven anomaly detection for API traffic",
      "Expanded threat intelligence sharing with partners (e.g., Google, Mandiant)"
    ],
    "root_causes": [
      "Insufficient oversight of third-party OAuth token security (Gainsight)",
      "Lack of behavioral detection for anomalous API calls (e.g., unexpected user agents)",
      "Delayed detection of reconnaissance activity (October 23–November 15)"
    ]
  },
  "recommendations": [
    "Audit all connected third-party applications and OAuth token permissions.",
    "Revoke tokens for unused or suspicious integrations.",
    "Implement continuous monitoring for anomalous activity (e.g., unexpected user agents, VPN/proxy traffic).",
    "Enhance logging for third-party API calls and token usage.",
    "Adopt zero-trust principles for SaaS integrations, including multi-factor authentication for OAuth flows.",
    "Monitor dark web for signs of exposed data linked to compromised integrations."
  ],
  "references": [
    {"date_accessed": "2025-11-20", "source": "Salesforce Security Advisory"},
    {"date_accessed": "2025-11-20", "source": "Google Threat Intelligence Group & Mandiant Analysis"},
    {"date_accessed": "2025-11-20", "source": "GBHackers (GBH) Cybersecurity News"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": [
      "Pending (likely GDPR, CCPA, or sector-specific notifications for affected organizations)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Direct notifications to affected organizations",
      "Public disclosure via security advisories",
      "Updates on Google News, LinkedIn, and X (Twitter)"
    ],
    "containment_measures": [
      "Disabled all Gainsight-published application connections (2025-11-20)",
      "Revoked affected OAuth tokens",
      "Removed compromised applications from Salesforce AppExchange"
    ],
    "enhanced_monitoring": [
      "Continuous monitoring for anomalous OAuth token usage",
      "Traffic analysis for VPN/proxy evasion patterns"
    ],
    "incident_response_plan_activated": true,
    "recovery_measures": [
      "Restoration of Gainsight integrations pending security validation"
    ],
    "remediation_measures": [
      "Ongoing investigation with Mandiant/Google",
      "Token audits and revocations for customers",
      "Monitoring for anomalous activity"
    ],
    "third_party_assistance": [
      "Google Threat Intelligence Group",
      "Mandiant"
    ]
  },
  "stakeholder_advisories": [
    "Direct notifications to affected customers; public updates via Salesforce Trust site"
  ],
  "threat_actor": "ShinyHunters",
  "title": "Unauthorized Access to Salesforce Customer Data via Compromised Gainsight Applications",
  "type": ["Data Breach", "Unauthorized Access", "Third-Party Compromise"],
  "vulnerability_exploited": "Compromised OAuth tokens in Gainsight-published applications (no vulnerability in Salesforce platform itself)"
}