Salesforce has disclosed a significant security incident involving unauthorized access to customer data through compromised Gainsight-published applications.
The breach, detected in mid-November 2025, potentially exposed sensitive information from over 200 organizations that use the customer success platform integrated with Salesforce.
Threat actors linked to the notorious ShinyHunters group used compromised OAuth tokens to gain unauthorized access to Salesforce customer instances via the third-party application connections.
Salesforce Disables Gainsight Integration After Detecting Unusual Activity
On November 20, 2025, Salesforce took immediate action by disabling all connections between Gainsight-published applications and the Salesforce platform.
The company’s security team identified suspicious activity that enabled unauthorized access to specific customers’ Salesforce data through the app’s external connection.
Salesforce emphasized that the issue did not stem from any vulnerability in the Salesforce platform, but rather from compromised OAuth tokens used by the third-party integration.
The investigation revealed that attackers began reconnaissance activities as early as October 23, 2025, and that intensive unauthorized access attempts occurred between November 16 and November 19, 2025.
Customers will be unable to reconnect their Gainsight-published applications until Salesforce determines it is safe to restore service.
The company has already taken steps to revoke affected tokens and remove compromised applications from the AppExchange marketplace.
Security researchers from Google Threat Intelligence Group and Mandiant have been working alongside Salesforce to track the threat actors behind this campaign.
The attackers employed deliberate techniques to conceal their activities, routing traffic through multiple commercial VPN services, including Mullvad, Surfshark, and Proton, as well as the Tor network.
Salesforce identified 15 distinct IP addresses associated with unauthorized access attempts, along with unusual user agent strings such as “python-requests/2.28.1” and “Salesforce-Multi-Org-Fetcher/1.0” that are not used by legitimate Gainsight applications.
The attackers utilized various proxy services, including IProxyShop, ProxySeller, and NSocks, to mask their origin and evade detection.
One of the earliest indicators appeared on October 23, 2025, via an AWS IP address conducting reconnaissance against customers with compromised Gainsight access tokens.
The threat actors demonstrated operational security awareness by rotating between different VPN providers and proxy services throughout their campaign.
This incident mirrors a similar attack pattern recently observed targeting Salesloft Drift integrations, suggesting adversaries are increasingly exploiting trusted third-party SaaS integrations.
The ShinyHunters connection adds to the concern, as this threat group has been involved in numerous high-profile data breaches targeting major technology companies.
Salesforce and Google recommend that all organizations using cloud-based SaaS platforms immediately audit their connected applications and review OAuth token permissions.
Companies should investigate and revoke tokens for unused or suspicious integrations, and implement continuous monitoring to detect anomalous activity.
Indicators of Compromise
| IOC Type | Value | First Seen | Last Seen | Activity |
|---|---|---|---|---|
| IP Address | 104.3.11.1 | 2025-11-08 | 2025-11-08 | AT&T IP reconnaissance |
| IP Address | 198.54.135.148 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy |
| IP Address | 198.54.135.197 | 2025-11-16 | 2025-11-16 | Mullvad VPN proxy |
| IP Address | 198.54.135.205 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy |
| IP Address | 146.70.171.216 | 2025-11-18 | 2025-11-18 | Mullvad VPN proxy |
| IP Address | 169.150.203.245 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy |
| IP Address | 172.113.237.48 | 2025-11-18 | 2025-11-18 | NSocks VPN proxy |
| IP Address | 45.149.173.227 | 2025-11-18 | 2025-11-18 | Surfshark VPN proxy |
| IP Address | 135.134.96.76 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy |
| IP Address | 65.195.111.21 | 2025-11-19 | 2025-11-19 | IProxyShop VPN proxy |
| IP Address | 65.195.105.81 | 2025-11-19 | 2025-11-19 | Nexx VPN proxy |
| IP Address | 65.195.105.153 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy |
| IP Address | 45.66.35.35 | 2025-11-19 | 2025-11-19 | Tor VPN proxy |
| IP Address | 146.70.174.69 | 2025-11-19 | 2025-11-19 | Proton VPN proxy |
| IP Address | 82.163.174.83 | 2025-11-19 | 2025-11-19 | ProxySeller VPN proxy |
| IP Address | 3.239.45.43 | 2025-10-23 | 2025-10-23 | AWS IP reconnaissance |
| User Agent | python-requests/2.28.1 | 2025-11-08 | 2025-11-08 | Unexpected user agent |
| User Agent | python-requests/2.32.3 | 2025-11-16 | 2025-11-16 | Unexpected user agent |
| User Agent | python/3.11 aiohttp/3.13.1 | 2025-10-23 | 2025-10-23 | Unexpected user agent |
| User Agent | Salesforce-Multi-Org-Fetcher/1.0 | 2025-11-18 | 2025-11-19 | Threat actor tool |
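The IOC table above and the monitoring advice earlier in the article (audit connected apps, revoke suspicious tokens, watch for anomalous activity) both come down to the same triage step: run your login and API access records against the published IP addresses and user-agent strings. The script below is an added example written for this page; it is not code from Salesforce, Google or Gainsight. The log lines are constructed, and the column layout (LoginTime, SourceIp, UserAgent, Application, Status) is a simplified, assumed export format rather than any real Salesforce schema, so map your own export onto those columns. Beyond exact IOC matches, it also flags generic scripting-library user agents on Gainsight-app sessions, an assumed heuristic that reflects the article's point that such clients are not used by legitimate Gainsight applications.

```python
"""Triage constructed Salesforce login/API records against the published Gainsight-campaign IOCs."""
import csv
import io
from dataclasses import dataclass, field
from typing import Iterable

# IP addresses and user agents exactly as listed in the IOC table above.
IOC_IPS = {
    "104.3.11.1", "198.54.135.148", "198.54.135.197", "198.54.135.205",
    "146.70.171.216", "169.150.203.245", "172.113.237.48", "45.149.173.227",
    "135.134.96.76", "65.195.111.21", "65.195.105.81", "65.195.105.153",
    "45.66.35.35", "146.70.174.69", "82.163.174.83", "3.239.45.43",
}
IOC_USER_AGENTS = {
    "python-requests/2.28.1",
    "python-requests/2.32.3",
    "python/3.11 aiohttp/3.13.1",
    "Salesforce-Multi-Org-Fetcher/1.0",
}
# Assumed heuristic (not from the advisory): generic scripting clients on a
# Gainsight connected-app session are suspicious even if the exact version differs.
SUSPICIOUS_UA_PREFIXES = ("python-requests/", "python/", "aiohttp/", "Salesforce-Multi-Org-Fetcher/")


@dataclass
class Finding:
    timestamp: str
    source_ip: str
    user_agent: str
    application: str
    reasons: list[str] = field(default_factory=list)


def triage(records: Iterable[dict[str, str]], gainsight_app_names=("Gainsight",)) -> list[Finding]:
    """Return one Finding per record that matches an IOC or the generic-UA heuristic."""
    findings: list[Finding] = []
    for r in records:
        reasons: list[str] = []
        ip = r["SourceIp"].strip()
        ua = r["UserAgent"].strip()
        app = r["Application"].strip()
        if ip in IOC_IPS:
            reasons.append(f"source IP {ip} is a published IOC")
        if ua in IOC_USER_AGENTS:
            reasons.append(f"user agent '{ua}' is a published IOC")
        elif any(name.lower() in app.lower() for name in gainsight_app_names) and ua.startswith(SUSPICIOUS_UA_PREFIXES):
            reasons.append(f"generic client UA '{ua}' on a Gainsight connected-app session")
        if reasons:
            findings.append(Finding(r["LoginTime"], ip, ua, app, reasons))
    return findings


# Constructed sample export: RFC 5737 documentation addresses stand in for benign traffic;
# rows 2-5 deliberately reuse values from the IOC table.
SAMPLE_LOG = """LoginTime,SourceIp,UserAgent,Application,Status
2025-11-17T02:14:09Z,203.0.113.10,Gainsight-Connector/4.2,Gainsight,Success
2025-11-18T23:41:55Z,198.54.135.205,python-requests/2.32.3,Gainsight,Success
2025-11-19T01:03:12Z,192.0.2.77,Salesforce-Multi-Org-Fetcher/1.0,Gainsight,Success
2025-11-19T01:05:40Z,3.239.45.43,Mozilla/5.0 (Windows NT 10.0),Browser,Success
2025-11-19T08:30:00Z,198.51.100.5,python-requests/2.31.0,Gainsight,Success
2025-11-19T09:00:00Z,198.51.100.9,Mozilla/5.0 (Macintosh),Browser,Success
"""


def parse_csv(text: str) -> list[dict[str, str]]:
    """Parse a CSV export with a header row into dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def findings_for_sample() -> list[Finding]:
    return triage(parse_csv(SAMPLE_LOG))


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f.timestamp, f.source_ip, f.user_agent, "->", "; ".join(f.reasons))
```

Run against the constructed sample, the script flags four of the six rows: the Mullvad IP paired with a listed python-requests version (two reasons), the Salesforce-Multi-Org-Fetcher user agent, the AWS reconnaissance IP behind a browser user agent, and a python-requests build that is not in the table but appears on a Gainsight session. The last case is the reason for the prefix heuristic: the listed versions are what Salesforce observed, and an adversary can change a library version far more easily than a source IP.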
Organizations potentially affected should expect direct notification from Salesforce and Mandiant and monitor official security advisories for ongoing updates.
