Salesforce-Gainsight Breach: ShinyHunters Strike Again with Third-Party Attack Affecting 200+ Companies
Executive Summary: Salesforce has disclosed yet another major security incident affecting customer data, this time involving compromised Gainsight applications. The breach, attributed to the notorious ShinyHunters cybercrime collective, has impacted over 200 Salesforce instances and represents the latest chapter in a devastating year of supply chain attacks that have exposed the systemic vulnerabilities of OAuth integrations and third-party connected apps.
The Latest Breach: What We Know
On November 19, 2025, Salesforce issued a security advisory after detecting unusual activity involving Gainsight-published applications connected to customer Salesforce environments. The attack follows a familiar playbook that has become the signature of ShinyHunters and its associated groups throughout 2025.

According to Salesforce's official statement, the company detected suspicious activity that may have enabled unauthorized access to certain customers' Salesforce data through Gainsight's external connection. Upon discovery, Salesforce immediately:
- Revoked all active access and refresh tokens associated with Gainsight-published applications
- Temporarily removed Gainsight apps from the Salesforce AppExchange marketplace
- Began notifying affected customers directly
Salesforce emphasized that "there is no indication that this issue resulted from any vulnerability in the Salesforce platform," instead pointing to the app's external connection as the attack vector.


Scale of the Attack
Google Threat Intelligence Group has confirmed awareness of more than 200 potentially affected Salesforce instances. Austin Larsen, principal analyst at GTIG, told multiple outlets that the activity is likely related to UNC6240, also known as ShinyHunters.
The threat actors claimed responsibility through DataBreaches.net, stating this represents their third or fourth large-scale campaign against Salesforce customers. They warned that if Salesforce doesn't negotiate, they will launch another dedicated leak site containing data from both the Salesloft and Gainsight campaigns, potentially affecting nearly 1,000 organizations.
Among the high-profile companies allegedly impacted are:
- Verizon
- GitLab
- F5
- SonicWall
- Atlassian
- CrowdStrike (which subsequently terminated a suspicious insider)
- DocuSign
- Thomson Reuters
- Malwarebytes
The Gainsight Connection: Another Supply Chain Weak Link
Gainsight, a customer success platform that integrates with Salesforce to help companies manage customer relationships, has been publishing updates on its incident page while working with Google's Mandiant incident response unit to investigate the breach.
In a twist of irony, Gainsight was previously identified as a victim of the August 2025 Salesloft Drift breach. This raises critical questions about whether the current incident represents a continuation of that compromise or a new attack vector exploiting credentials stolen in the earlier breach.
As of November 21, Gainsight has confirmed that:
- The incident originated from the applications' external connection, not from the Salesforce platform
- A forensic analysis is continuing as part of a comprehensive independent review
- Salesforce has temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure
The company also revealed that the Gainsight app has been "temporarily pulled" from the HubSpot Marketplace as a precautionary measure, though no suspicious activity related to HubSpot has been observed.
The ShinyHunters Connection: A Year of Relentless Attacks
This latest breach is part of a broader campaign by the cybercrime collective known as Scattered Lapsus$ Hunters, which represents a merger of three notorious groups: ShinyHunters, Scattered Spider, and remnants of the Lapsus$ gang.
As detailed in our comprehensive analysis of ShinyHunters' evolution, the group has transformed from opportunistic data thieves into sophisticated operators conducting coordinated supply chain attacks against enterprise cloud platforms.
The Salesloft Drift Precedent
The current Gainsight breach bears striking similarities to the August 2025 Salesloft Drift attack, which affected over 700 organizations. In that incident, detailed in our article on Palo Alto Networks and Zscaler being hit by the supply chain attack, attackers:
- Compromised Salesloft's GitHub repository
- Extracted OAuth tokens for customer Salesforce integrations
- Used those tokens to access connected Salesforce instances
- Exfiltrated sensitive data including AWS access keys, Snowflake tokens, and customer information
The threat actors claimed to have stolen approximately 1.5 billion Salesforce records from 760 companies in that campaign alone, including major cybersecurity vendors who should theoretically be the most difficult targets to compromise.
Previous High-Profile Victims
The ShinyHunters-led campaign has claimed an extraordinary list of victims throughout 2025:
Technology Giants:
- Google's Gmail data breach affecting 2.5 billion users
- Palo Alto Networks
- Cloudflare
- Zscaler
- Cisco
Insurance Sector:
- Farmers Insurance (1.1 million customers)
- Allianz Life
Aviation Industry:
- Qantas (5 million customer records)
- Air France-KLM
- Vietnam Airlines
Retail and Luxury Brands:
- Disney/Hulu
- Home Depot
- McDonald's
- IKEA
- Gap
- Cartier, Dior, Louis Vuitton (LVMH subsidiaries)
The Attack Methodology: OAuth Abuse and Social Engineering
The attacks targeting Salesforce customers share a common methodology that exploits the trust relationship between platforms and third-party integrations:
Step 1: Third-Party Compromise
Attackers breach the infrastructure of companies that offer Salesforce integrations, typically through:
- Compromised GitHub repositories containing OAuth tokens
- Stolen credentials from previous breaches
- Social engineering of vendor employees
Step 2: Token Extraction
Once inside the third-party vendor's systems, attackers extract OAuth and refresh tokens that grant API-level access to customer Salesforce environments.
Step 3: Legitimate Access
Using stolen tokens, attackers authenticate to Salesforce instances as if they were the legitimate third-party application. Because a token is presented after a user or administrator already completed the original login, the controls that guard interactive sign-in, including multi-factor authentication, are never re-challenged.
Step 4: Data Exfiltration
With API access established, threat actors systematically query Salesforce databases, extracting:
- Customer contact information
- Support case data
- Business opportunity records
- Credentials for other cloud services (AWS, Snowflake, Azure)
- API tokens and access keys
Step 5: Secondary Credential Harvesting
The stolen Salesforce data often contains credentials for other systems, enabling lateral movement and additional compromises.
Industry Impact and Response
The cybersecurity community has responded with alarm to the persistent pattern of OAuth-based supply chain attacks. As documented in our analysis of security giants falling to Drift's supply chain attack, even companies whose entire business model is predicated on security expertise have proven vulnerable.
Salesforce's Position
Salesforce has maintained throughout these incidents that its core platform has not been compromised. The company has stated it will not negotiate with or pay any extortion demands. In a statement to customers:
"Salesforce will not engage, negotiate with, or pay any extortion demand. Our focus is, and remains, on defending our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities."
However, the company faces mounting pressure from customers and potential legal liability. By September 2025, Salesforce was facing 14 lawsuits related to the data theft campaigns, with more likely to follow from the Gainsight incident.
The Trust Crisis
The repeated breaches have created what some analysts call a "trust crisis" for Salesforce and the broader SaaS ecosystem. Organizations that rely on Salesforce must now contend with:
- Vendor Risk Management Challenges: How to properly assess and monitor the security posture of third-party apps
- OAuth Governance: Understanding and controlling what permissions connected apps actually have
- Incident Response Complexity: Determining scope of compromise when the attack vector is external
- Legal and Regulatory Exposure: Potential GDPR, CCPA, and other privacy regulation violations
The Broader Supply Chain Security Crisis
The Gainsight breach is symptomatic of a larger crisis in supply chain security that has defined cybersecurity in 2025. As outlined in our August 2025 breach roundup, the pattern of third-party integration abuse has become the attack vector of choice for sophisticated threat actors.

Why OAuth Integration Attacks Work
OAuth integrations create persistent access that:
- Bypasses traditional authentication: No need to steal passwords or MFA tokens once the app is authorized
- Provides broad permissions: Many connected apps request and receive excessive access to data
- Lacks visibility: Security teams often don't monitor OAuth app activity as closely as user authentication
- Survives password resets: Token-based access continues even if user credentials change
- Appears legitimate: Traffic from authorized apps doesn't trigger security alerts
The SaaS Security Blind Spot
Organizations have invested heavily in securing user access to cloud platforms but often lack equivalent controls for application access. This creates a dangerous asymmetry where:
- User logins face MFA, conditional access policies, and behavior analytics
- Application access using OAuth tokens faces minimal scrutiny
- Security teams lack visibility into what data apps can access
- Token lifecycle management is often manual and inconsistent
Mitigation Strategies and Best Practices
In response to the escalating threat, security experts recommend organizations implement comprehensive OAuth governance:
Immediate Actions
- Audit Connected Apps
  - Identify all third-party applications with access to Salesforce and other critical SaaS platforms
  - Review the permissions granted to each application
  - Remove or restrict apps that aren't actively needed
- Implement Token Monitoring
  - Deploy tools to track OAuth token usage and API calls
  - Set up alerts for unusual data access patterns
  - Establish baselines for normal application behavior
- Review Vendor Security
  - Assess the security posture of third-party integration providers
  - Require vendors to disclose security incidents within contractual timeframes
  - Consider security ratings as part of vendor selection
- Enable Enhanced Logging
  - Ensure comprehensive logging of all API calls and data access
  - Retain logs for sufficient periods to support incident investigation
  - Integrate SaaS logs into SIEM systems
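As an added illustration of the token-monitoring and baselining steps above (not code from the original article, Salesforce or Gainsight), the following Python sketch builds a per-app baseline from constructed API-access records and flags connected-app activity from never-seen source addresses, bulk pulls far above the app's normal volume, and apps with no prior history. The record layout, field names and the 10x threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample API-access events for one Salesforce org. The tuple layout
# (timestamp, connected app, source IP, object queried, rows returned) is an
# assumption for illustration, not the exact Salesforce Event Monitoring schema.
SAMPLE_EVENTS = [
    ("2025-11-10T09:00", "Gainsight", "203.0.113.10", "Account", 120),
    ("2025-11-10T10:00", "Gainsight", "203.0.113.10", "Case", 300),
    ("2025-11-11T09:00", "Gainsight", "203.0.113.10", "Account", 140),
    ("2025-11-11T10:00", "Gainsight", "203.0.113.10", "Case", 280),
    ("2025-11-12T09:00", "Gainsight", "203.0.113.10", "Account", 110),
    ("2025-11-12T10:00", "Gainsight", "203.0.113.10", "Case", 320),
    # Off-hours bulk pulls from a previously unseen address: the pattern to alert on.
    ("2025-11-18T02:00", "Gainsight", "198.51.100.7", "Contact", 50000),
    ("2025-11-18T02:30", "Gainsight", "198.51.100.7", "Case", 80000),
    ("2025-11-18T09:00", "OtherApp", "192.0.2.44", "Account", 90),
]

def build_baseline(events, before):
    """Per connected app: source IPs seen and median rows per call before a cutoff."""
    ips, rows = defaultdict(set), defaultdict(list)
    for ts, app, ip, _obj, n in events:
        if ts < before:  # ISO-8601 timestamps compare chronologically as strings
            ips[app].add(ip)
            rows[app].append(n)
    return {app: {"ips": ips[app], "median_rows": median(rows[app])} for app in rows}

def detect_anomalies(events, baseline, since, volume_factor=10):
    """Flag calls after `since` from unseen IPs, far above normal volume, or by unknown apps."""
    findings = []
    for ts, app, ip, obj, n in events:
        if ts < since:
            continue
        known = baseline.get(app)
        if known is None:  # an app with no history needs an inventory review, not silence
            findings.append((ts, app, "unbaselined_app", f"no prior activity for {app}"))
            continue
        if ip not in known["ips"]:
            findings.append((ts, app, "new_source_ip", f"{ip} never seen for {app}"))
        if n > volume_factor * known["median_rows"]:
            detail = f"{n} rows from {obj} vs median {known['median_rows']:g}"
            findings.append((ts, app, "volume_spike", detail))
    return findings

if __name__ == "__main__":
    base = build_baseline(SAMPLE_EVENTS, before="2025-11-15")
    for finding in detect_anomalies(SAMPLE_EVENTS, base, since="2025-11-15"):
        print(*finding)
```

In practice the baseline window would be fed from retained API event logs and the findings forwarded to the SIEM rather than printed.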
Strategic Improvements
- Zero Trust for Applications
  - Apply zero-trust principles to application access, not just user access
  - Implement least-privilege access for all connected apps
  - Require regular revalidation of app permissions
- Security by Design
  - Evaluate OAuth security during procurement and implementation
  - Prefer vendors with strong OAuth implementation security
  - Implement defense-in-depth controls
- Incident Response Planning
  - Develop specific playbooks for OAuth-based supply chain attacks
  - Practice incident response scenarios involving third-party compromises
  - Establish communication protocols with affected vendors
- Employee Training
  - Educate help desk staff on social engineering tactics, particularly voice phishing
  - Train employees not to approve app connection requests without proper verification
  - Implement robust identity verification for access requests

Regulatory and Compliance Implications
The cascade of Salesforce-related breaches has significant regulatory implications. Organizations must consider:
Data Breach Notification Requirements
Most affected companies will need to provide breach notifications under:
- GDPR (for EU residents' data)
- CCPA and state breach notification laws (for California and other U.S. states)
- Industry-specific regulations (HIPAA for healthcare, GLBA for financial services)
Compliance Framework Guidance
As discussed in our ComplianceHub.wiki coverage of supply chain security, organizations should ensure vendors notify them of security incidents within risk-informed timeframes and integrate cybersecurity requirements into procurement processes.
Law Enforcement Response
Federal and international law enforcement agencies have actively pursued the Scattered Lapsus$ Hunters coalition. The FBI seized BreachForums domains in October 2025, disrupting the group's primary extortion platform. However, as detailed in our FBI BreachForums seizure analysis, the decentralized nature of modern cybercrime collectives makes complete disruption extremely difficult.
The threat actors continue operations through:
- Telegram channels
- Dark web leak sites
- Alternative forums and platforms
- Direct extortion of victims
Looking Ahead: The Future of SaaS Security
The Gainsight breach, following closely on the heels of the Salesloft Drift incident, signals that OAuth integration abuse has become a mature and repeatable attack pattern. Organizations can expect:
Short-Term Outlook
- Continued targeting of Salesforce and other major SaaS platforms
- Additional third-party integration compromises
- Increased extortion demands as threat actors refine their business model
- More data leak sites and public shaming campaigns
Long-Term Trends
- Platform vendors implementing stricter OAuth controls
- Emergence of specialized security tools for OAuth governance
- Regulatory pressure for better supply chain security standards
- Industry consolidation as smaller integration providers prove unable to maintain adequate security
Conclusion
The Salesforce-Gainsight breach represents not just another data compromise, but a critical inflection point in cloud security. As detailed across our comprehensive coverage, the systematic exploitation of trusted third-party integrations has exposed fundamental weaknesses in how organizations secure their SaaS environments.
For security leaders, the message is clear: OAuth integrations are no longer a convenience feature to be managed by IT—they're a critical attack surface requiring dedicated security controls, monitoring, and governance. Organizations that fail to treat connected apps as high-risk access points will continue to fall victim to these increasingly sophisticated supply chain attacks.
The ShinyHunters collective has demonstrated remarkable persistence and evolution throughout 2025. Their ability to repeatedly compromise different third-party vendors and leverage those breaches into widespread customer data theft suggests this threat will persist into 2026 and beyond.
As Salesforce customers and the broader enterprise community grapple with this latest incident, the focus must shift from reactive breach response to proactive OAuth security. The question is no longer whether your organization will be targeted through a third-party integration, but whether you'll detect and stop the attack when it comes.
Additional Resources
For more information on related breaches and security best practices:
- ShinyHunters: The Evolution of a Cybercrime Empire
- Major Supply Chain Attack: Palo Alto Networks and Zscaler Hit by Salesloft Drift Breach
- The Gmail Security Crisis: 2.5 Billion Users at Risk
- Qantas Data Breach: 5 Million Customer Records Leaked
- FBI Strikes Major Blow Against Global Cybercrime: BreachForums Seizure
About CISO Marketplace: For vCISO services, incident response assessments, and comprehensive security evaluations, visit breached.company or contact us for expert guidance on protecting your organization from supply chain attacks.
Last Updated: November 21, 2025 Sources: Salesforce Security Advisory, TechCrunch, CyberScoop, Google Threat Intelligence Group, DataBreaches.net