A complex supply chain assault has allegedly breached data across numerous organizations, connecting the incident to a significant integration between the customer success platform Gainsight and the CRM powerhouse Salesforce.

The well-known hacking group ShinyHunters claims responsibility for the breach, which reportedly affects more than 200 firms. Rather than compromising Salesforce directly, the attack abused the trusted link created through third-party applications.

On November 20, 2025, Salesforce took urgent measures to mitigate the danger. The firm officially terminated the link between Gainsight-published applications and the Salesforce network after noticing “suspicious activity.”

According to a statement from Salesforce, its investigation indicates that the activity allowed unauthorized access to customer data, specifically through the application's external connection.

Utilizing Trusted OAuth Tokens

The dynamics of this operation underscore an increasing trend in contemporary cyber conflict: focusing on the “keys” instead of the “locks.”

The Google Threat Intelligence Group (GTIG), which includes researchers from Mandiant, attributed the activity to actors associated with ShinyHunters. These adversaries compromised third-party OAuth tokens.


Within the SaaS landscape, OAuth tokens operate like digital permission slips, enabling applications such as Gainsight to communicate with Salesforce without necessitating a user to log in repeatedly.

By acquiring these tokens, the attackers could potentially sidestep multi-factor authentication and regular login safeguards, posing as the trusted application to exfiltrate sensitive corporate data. This tactic enables threat actors to maneuver laterally in cloud environments while evading detection by traditional perimeter defenses.

While the extent of the data loss may be enormous, Salesforce has clearly articulated its position regarding the source of the fault. The company stressed that there is “no evidence that this issue stemmed from any vulnerability within the Salesforce platform.” Instead, the breach is solely connected to the external linkage and the management of credentials for the Gainsight integration.

At present, customers are unable to link their Gainsight-published applications to Salesforce until further notice. Both Salesforce and Mandiant are actively alerting organizations that exhibit signs of compromise.

This occurrence reflects similar campaigns observed recently, including efforts targeting Salesloft Drift, hinting at a coordinated initiative by threat groups to scrutinize and exploit SaaS ecosystems where third-party permissions are frequently granted and neglected.

Immediate Actions for SaaS Administrators

This incident acts as a crucial wake-up call for enterprises relying on interconnected SaaS systems. Security teams are encouraged to promptly treat this as an indicator to thoroughly audit their entire cloud framework.

The primary advice is to review all linked applications within Salesforce instances and revoke OAuth tokens for any integrations deemed unused, suspicious, or associated with the compromised Gainsight applications.

Organizations using Gainsight integrations should watch for official updates from both vendors, Salesforce and Gainsight.

However, a proactive stance is essential. If any irregular activity is detected from an integration, administrators should immediately change credentials and assume a possible compromise.

As threat actors increasingly shift toward identity-based attacks and token theft, managing third-party permissions has become as critical as applying patches to software vulnerabilities.

Below is the table of Indicators of Compromise (IoCs) linked to the ShinyHunters campaign targeting Salesforce and Gainsight integrations.

| IOC Type | Value | First Seen (UTC) | Last Seen (UTC) | Observed Activity |
|---|---|---|---|---|
| IP Address | 104.3.11[.]1 | 2025-11-08 13:11:29 | 2025-11-08 13:15:23 | AT&T IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135[.]148 | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135[.]197 | 2025-11-16 22:00:56 | 2025-11-16 22:06:57 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 198.54.135[.]205 | 2025-11-18 10:43:55 | 2025-11-18 12:09:35 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.171[.]216 | 2025-11-18 20:21:48 | 2025-11-18 20:50:13 | Mullvad VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 169.150.203[.]245 | 2025-11-18 20:54:02 | 2025-11-18 23:04:12 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 172.113.237[.]48 | 2025-11-18 21:23:29 | 2025-11-18 21:51:32 | NSocks VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.149.173[.]227 | 2025-11-18 22:05:15 | 2025-11-18 22:05:18 | Surfshark VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 135.134.96[.]76 | 2025-11-19 08:26:18 | 2025-11-19 10:30:37 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.111[.]21 | 2025-11-19 10:57:37 | 2025-11-19 10:59:19 | IProxyShop VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105[.]81 | 2025-11-19 11:17:51 | 2025-11-19 11:48:07 | Nexx VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 65.195.105[.]153 | 2025-11-19 12:23:17 | 2025-11-19 12:23:35 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 45.66.35[.]35 | 2025-11-19 12:47:43 | 2025-11-19 12:47:45 | Tor VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 146.70.174[.]69 | 2025-11-19 12:47:49 | 2025-11-19 12:47:49 | Proton VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 82.163.174[.]83 | 2025-11-19 14:30:36 | 2025-11-19 22:26:46 | ProxySeller VPN proxy IP; reconnaissance and unauthorized access. |
| IP Address | 3.239.45[.]43 | 2025-10-23 00:17:22 | 2025-10-23 00:45:36 | AWS IP; reconnaissance against customers with a compromised Gainsight access token. |
| User Agent | python-requests/2.28[.]1 | 2025-11-08 13:11:19 | 2025-11-08 13:15:01 | Not an expected user agent string for the Gainsight connected app; use alongside the other IOCs shared. |
| User Agent | python-requests/2.32[.]3 | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Not an expected user agent string for the Gainsight connected app; use alongside the other IOCs shared. |
| User Agent | python/3.11 aiohttp/3.13[.]1 | 2025-10-23 00:00:00 | 2025-10-23 00:01:00 | Not an expected user agent string for the Gainsight connected app; use alongside the other IOCs shared. |
| User Agent | Salesforce-Multi-Org-Fetcher/1.0 | 2025-11-18 22:05:13 | 2025-11-19 22:24:01 | Used by the threat actor for unauthorized access; also seen in Salesloft Drift activity. |
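The table above is only useful once it is run against your own logs. The following is an added example (not code from the article, Salesforce, Gainsight or GTIG) that loads the published IoC values, refangs the `[.]` notation, and matches them against API event records. The log format is a constructed, tab-separated layout (timestamp, user, client IP, user agent, resource) that stands in for whatever your SIEM or Salesforce event export actually produces; the sample lines are constructed, and the `203.0.113.x` / `198.51.100.x` addresses are documentation ranges used as benign traffic.

```python
"""Match API event log lines against the ShinyHunters / Gainsight IoC table.

Added example; assumes a constructed tab-separated log layout:
    timestamp<TAB>username<TAB>client_ip<TAB>user_agent<TAB>api_resource
Adapt parse_line() to your real export format.
"""
import ipaddress
from dataclasses import dataclass

# IoC values copied from the table above, in the defanged form as published.
IOC_IPS = [
    "104.3.11[.]1", "198.54.135[.]148", "198.54.135[.]197", "198.54.135[.]205",
    "146.70.171[.]216", "169.150.203[.]245", "172.113.237[.]48", "45.149.173[.]227",
    "135.134.96[.]76", "65.195.111[.]21", "65.195.105[.]81", "65.195.105[.]153",
    "45.66.35[.]35", "146.70.174[.]69", "82.163.174[.]83", "3.239.45[.]43",
]
IOC_USER_AGENTS = [
    "python-requests/2.28[.]1", "python-requests/2.32[.]3",
    "python/3.11 aiohttp/3.13[.]1", "Salesforce-Multi-Org-Fetcher/1.0",
]


def refang(value: str) -> str:
    """Turn the published defanged form ('1.2.3[.]4') back into a matchable string."""
    return value.replace("[.]", ".")


IOC_IP_SET = {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS}
IOC_UA_SET = {refang(ua) for ua in IOC_USER_AGENTS}


@dataclass
class Hit:
    timestamp: str
    user: str
    client_ip: str
    user_agent: str
    reasons: tuple  # which IoC columns matched: "ioc_ip" and/or "ioc_user_agent"


def parse_line(line: str) -> dict:
    """Parse one constructed, tab-separated event line into a dict."""
    ts, user, ip, ua, resource = line.rstrip("\n").split("\t")
    return {"timestamp": ts, "user": user, "client_ip": ip,
            "user_agent": ua, "resource": resource}


def match_iocs(lines):
    """Return a Hit for every line whose client IP or user agent is in the IoC table."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        try:
            if ipaddress.ip_address(ev["client_ip"]) in IOC_IP_SET:
                reasons.append("ioc_ip")
        except ValueError:
            pass  # malformed IP field: cannot match, but do not abort the scan
        # Exact match on purpose: the table lists specific versions, and a loose
        # "python-requests" substring match would flood a real org with noise.
        if ev["user_agent"] in IOC_UA_SET:
            reasons.append("ioc_user_agent")
        if reasons:
            hits.append(Hit(ev["timestamp"], ev["user"], ev["client_ip"],
                            ev["user_agent"], tuple(reasons)))
    return hits


# Constructed sample log: two benign-looking lines and three that touch the IoC table.
SAMPLE_LOG = """\
2025-11-18T20:30:02Z\tintegration.user@example.com\t146.70.171.216\tpython-requests/2.32.3\t/services/data/v60.0/query
2025-11-18T21:40:11Z\tintegration.user@example.com\t203.0.113.10\tSalesforce-Multi-Org-Fetcher/1.0\t/services/data/v60.0/query
2025-11-18T09:05:44Z\tjane.doe@example.com\t198.51.100.7\tMozilla/5.0 (X11; Linux x86_64)\t/services/data/v60.0/sobjects/Account
2025-11-19T12:23:20Z\tintegration.user@example.com\t65.195.105.153\tMozilla/5.0\t/services/data/v60.0/query
"""


def scan_sample():
    """Run the matcher over the constructed sample log."""
    return match_iocs(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit.timestamp} {hit.user} {hit.client_ip} {hit.user_agent!r} -> {hit.reasons}")
```

A hit on the integration user's credentials from an IoC address or user agent is exactly the "irregular activity from an integration" the article says should trigger credential rotation and an assumption of compromise; the user-agent rows are deliberately matched exactly, since the table itself says they are only meaningful alongside the other IoCs.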
