ShinyHunters Claims Data Theft from 200+ Companies via Salesforce Gainsight Breach

A supply chain attack has reportedly exposed data across hundreds of organizations, with the breach traced to the integration between the customer success platform Gainsight and the CRM giant Salesforce.

The hacking collective ShinyHunters is claiming responsibility for the intrusion, which allegedly affects more than 200 companies. The attackers did not break into Salesforce itself; they abused the trusted connection that third-party applications are granted to customers' Salesforce orgs.

On November 20, 2025, Salesforce took emergency action to contain the threat. The company officially disabled the connection between Gainsight-published applications and the Salesforce ecosystem after detecting “unusual activity.”

According to a statement from Salesforce, its investigation indicates that the activity may have enabled unauthorized access to certain customers' Salesforce data through the app's external connection.

Exploiting Trusted OAuth Tokens

The mechanics of this campaign illustrate a growing trend in cybercrime: stealing the "keys" (issued credentials and tokens) rather than picking the "locks" (the platform itself).

The Google Threat Intelligence Group (GTIG), including researchers from Mandiant, identified the threat actors as affiliates of ShinyHunters and reported that they had compromised third-party OAuth tokens.

In a SaaS environment, OAuth tokens function like digital permission slips. When an administrator authorizes a connected app such as Gainsight, Salesforce issues it access and refresh tokens scoped to what the app was granted; the app then presents those bearer tokens on every API call, so no user has to log in each time.

Whoever holds a valid token can therefore call the Salesforce APIs with the integration's full scope. Multi-factor authentication and other login-flow defenses never come into play because no interactive login occurs, and the requests are indistinguishable from the trusted application unless the client fingerprint and source are examined. Because one integration is typically authorized in many customer orgs, a single compromised connection can reach a large number of tenants while API-level exfiltration goes unnoticed by monitoring that only covers logins and the network perimeter.

While the scope of the data loss is potentially massive, Salesforce has been clear about where the fault lies. The company emphasized that there is "no indication that this issue resulted from any vulnerability in the Salesforce platform." Instead, the breach is attributed to the external connection and to the handling of credentials for the Gainsight integration.

Currently, customers are unable to connect their Gainsight-published applications to Salesforce until further notice. Both Salesforce and Mandiant are actively notifying organizations that show signs of compromise.

This incident mirrors recent campaigns such as the attacks on Salesloft Drift, suggesting a concerted effort by threat groups to map and exploit SaaS ecosystems in which third-party permissions are granted once and then forgotten.

Urgent Actions for SaaS Administrators

This incident is a wake-up call for organizations that depend on interconnected SaaS platforms. Security teams should treat it as a prompt to audit every integration in their cloud environment, not just the one named here.

The primary recommendation is to review all connected apps in each Salesforce org (the Connected Apps OAuth Usage page in Setup lists which apps hold tokens and for which users) and revoke the OAuth tokens of any integration that is unused, suspicious, or related to the affected Gainsight applications.

Organizations using Gainsight integrations should monitor for official communications from both vendors, Salesforce and Gainsight.

Waiting for a notification is not enough. If any anomalous activity is detected from an integration, administrators should revoke its tokens, rotate any credentials it holds, and work the case as a potential compromise until proven otherwise.

As threat actors increasingly pivot toward identity-based attacks and token theft, the maintenance of third-party permissions has become just as vital as patching software vulnerabilities.

The following table lists the Indicators of Compromise (IoCs) associated with the ShinyHunters campaign targeting Salesforce and Gainsight integrations. Most of the IP addresses belong to commercial VPN and proxy services, which are shared and change hands quickly, so they are best used as hunting leads against historical logs rather than as a standing blocklist; the user-agent strings and the Gainsight connected app are the more durable signals.

IOC Type   | Value                             | First Seen (UTC)    | Last Seen (UTC)     | Observed Activity
-----------|-----------------------------------|---------------------|---------------------|------------------------------------------------------------------------------------------------------------
IP Address | 104.3.11[.]1                      | 2025-11-08 13:11:29 | 2025-11-08 13:15:23 | AT&T IP; reconnaissance and unauthorized access.
IP Address | 198.54.135[.]148                  | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 198.54.135[.]197                  | 2025-11-16 22:00:56 | 2025-11-16 22:06:57 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 198.54.135[.]205                  | 2025-11-18 10:43:55 | 2025-11-18 12:09:35 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 146.70.171[.]216                  | 2025-11-18 20:21:48 | 2025-11-18 20:50:13 | Mullvad VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 169.150.203[.]245                 | 2025-11-18 20:54:02 | 2025-11-18 23:04:12 | Surfshark VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 172.113.237[.]48                  | 2025-11-18 21:23:29 | 2025-11-18 21:51:32 | NSocks VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 45.149.173[.]227                  | 2025-11-18 22:05:15 | 2025-11-18 22:05:18 | Surfshark VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 135.134.96[.]76                   | 2025-11-19 08:26:18 | 2025-11-19 10:30:37 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 65.195.111[.]21                   | 2025-11-19 10:57:37 | 2025-11-19 10:59:19 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 65.195.105[.]81                   | 2025-11-19 11:17:51 | 2025-11-19 11:48:07 | Nexx VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 65.195.105[.]153                  | 2025-11-19 12:23:17 | 2025-11-19 12:23:35 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 45.66.35[.]35                     | 2025-11-19 12:47:43 | 2025-11-19 12:47:45 | Tor VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 146.70.174[.]69                   | 2025-11-19 12:47:49 | 2025-11-19 12:47:49 | Proton VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 82.163.174[.]83                   | 2025-11-19 14:30:36 | 2025-11-19 22:26:46 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access.
IP Address | 3.239.45[.]43                     | 2025-10-23 00:17:22 | 2025-10-23 00:45:36 | AWS IP; reconnaissance against customers with compromised Gainsight access token.
User Agent | python-requests/2.28[.]1          | 2025-11-08 13:11:19 | 2025-11-08 13:15:01 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared.
User Agent | python-requests/2.32[.]3          | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared.
User Agent | python/3.11 aiohttp/3.13[.]1      | 2025-10-23 00:00:00 | 2025-10-23 00:01:00 | Not an expected user agent string used by Gainsight connected app; use in conjunction with other IOCs shared.
User Agent | Salesforce-Multi-Org-Fetcher/1.0  | 2025-11-18 22:05:13 | 2025-11-19 22:24:01 | Leveraged by threat actor for unauthorized access; also observed in Salesloft Drift activity.
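The following script is an added example, written for this page and not part of the original article or of any Salesforce or Gainsight tooling. It turns the table above and the audit advice in the previous section into a hunt over exported API and login log rows: it refangs the published IoCs, matches source IPs and user agents against them, and additionally flags the pattern that token theft actually produces, namely the trusted Gainsight connected app acting from a client fingerprint the integration never uses. The CSV layout, its column names, the connected-app label "Gainsight", the expected "Apache-HttpClient" user-agent prefix, the user IDs and every sample row are constructed assumptions for the demonstration; a real Salesforce EventLogFile export uses different column names, and the expected fingerprint must be taken from your own historical logs.

```python
"""Hunt exported Salesforce log rows for the ShinyHunters/Gainsight IoCs.

Added example, not from the article or from Salesforce/Gainsight. The CSV
layout below is a constructed, simplified stand-in for a Salesforce
EventLogFile export; column names, the connected-app label and the
'expected' Gainsight client fingerprint are assumptions to replace with
what your own org shows.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# IoCs exactly as published in the table above (defanged with "[.]").
IOC_IPS_DEFANGED = [
    "104.3.11[.]1", "198.54.135[.]148", "198.54.135[.]197", "198.54.135[.]205",
    "146.70.171[.]216", "169.150.203[.]245", "172.113.237[.]48", "45.149.173[.]227",
    "135.134.96[.]76", "65.195.111[.]21", "65.195.105[.]81", "65.195.105[.]153",
    "45.66.35[.]35", "146.70.174[.]69", "82.163.174[.]83", "3.239.45[.]43",
]
IOC_USER_AGENTS_DEFANGED = [
    "python-requests/2.28[.]1",
    "python-requests/2.32[.]3",
    "python/3.11 aiohttp/3.13[.]1",
    "Salesforce-Multi-Org-Fetcher/1.0",
]

# Assumptions: how the genuine Gainsight integration appears in *your* logs.
EXPECTED_GAINSIGHT_APP = "Gainsight"                 # hypothetical connected-app label
EXPECTED_GAINSIGHT_UA_PREFIX = "Apache-HttpClient"   # hypothetical client fingerprint


def refang(value: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4") back into a comparable string."""
    return value.replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(v)) for v in IOC_IPS_DEFANGED}
IOC_USER_AGENTS = {refang(v) for v in IOC_USER_AGENTS_DEFANGED}


@dataclass
class Finding:
    timestamp: str
    user_id: str
    source_ip: str
    user_agent: str
    reasons: list = field(default_factory=list)


def analyze(csv_text: str) -> list:
    """Return one Finding per log row that matches an IoC or an impersonation pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        ip = ipaddress.ip_address(row["SOURCE_IP"])
        ua = row["USER_AGENT"]
        if ip in IOC_IPS:
            reasons.append(f"source IP {ip} is a published IoC")
        if ua in IOC_USER_AGENTS:
            reasons.append(f"user agent {ua!r} is a published IoC")
        # Token theft shows up as the *trusted* app acting from an unfamiliar client:
        # the OAuth token is valid, so only the client fingerprint and origin differ.
        if (row["CONNECTED_APP"] == EXPECTED_GAINSIGHT_APP
                and not ua.startswith(EXPECTED_GAINSIGHT_UA_PREFIX)):
            reasons.append("Gainsight connected app used with an unexpected user agent")
        if reasons:
            findings.append(Finding(row["TIMESTAMP_DERIVED"], row["USER_ID"],
                                    str(ip), ua, reasons))
    return findings


# Constructed sample rows (not real log data): two benign rows, two malicious ones.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,EVENT_TYPE,USER_ID,SOURCE_IP,USER_AGENT,CONNECTED_APP
2025-11-10T09:00:00Z,ApiEvent,005000000000AAA,203.0.113.10,Apache-HttpClient/4.5.13 (Java/11),Gainsight
2025-11-16T21:48:03Z,ApiEvent,005000000000AAA,198.54.135.148,python-requests/2.32.3,Gainsight
2025-11-18T22:05:13Z,ApiEvent,005000000000BBB,45.149.173.227,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-19T08:00:00Z,Login,005000000000CCC,198.51.100.7,Mozilla/5.0 (Windows NT 10.0; Win64; x64),
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} user={f.user_id} ip={f.source_ip} ua={f.user_agent!r}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On the constructed sample the script reports the two rows that came from VPN exit addresses with attacker tooling user agents, each for three independent reasons, and stays quiet on the genuine Gainsight traffic and on an ordinary browser login. The third check is the one worth keeping after the published IP list has gone stale: an integration's user agent and source ranges change rarely, so a known connected app suddenly appearing as python-requests or from a consumer VPN is a strong signal of token misuse even with no IoC match.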
