New Campaign Targeting Salesforce Customer Data via Gainsight-published apps


Between November 19-21, 2025, unauthorized activity was detected involving Gainsight-published applications integrated with Salesforce. This activity was part of a broader campaign attributed to the ShinyHunters threat group and resulted in the potential exposure of sensitive customer data from Salesforce CRM environments via the Gainsight Connected App. Salesforce and Gainsight, along with Mandiant, initiated a joint forensic investigation and response.

Severity: High

Incident Details

  • Initial Discovery: November 19, 2025 – Salesforce detected unusual API calls from non-whitelisted IPs via the Gainsight Connected App.
  • Root Cause: OAuth tokens used by the Gainsight connector were abused by attackers to initiate unauthorized API access from unapproved IPs.
  • Access Method: Threat actors leveraged compromised third-party OAuth tokens, which enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.
  • Salesforce’s Actions:
    • Immediately upon detection, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications.
    • The affected Gainsight applications were temporarily removed from the AppExchange.
    • Salesforce is notifying known affected customers directly.
  • Gainsight’s Actions:
    • Gainsight confirmed that Salesforce revoked the active access for the Gainsight SFDC Connector.
    • Gainsight engaged Mandiant to assist in a comprehensive, independent forensic investigation.

Attribution & Link To Prior Attacks

  • Threat Actor: The malicious activity is attributed to threat actors tied to the ShinyHunters group (also tracked as UNC6240).
  • Echoing Previous Compromise: This campaign is very similar to the Salesloft Drift supply chain compromise that occurred earlier in 2025.
  • Attack Chain: Threat actors claimed they gained access to the Gainsight environment via secrets stolen in the earlier Salesloft Drift breach. Gainsight was confirmed to be a victim of the prior Salesloft Drift attack.

Scope And Impact

  • ShinyHunters claimed that the Salesloft and Gainsight campaigns allowed them to steal data from nearly 1,000 organizations in total.
  • The threat actors claim that impacted entities include large companies such as Verizon, GitLab, F5, SonicWall, and others.
  • The threat actors threatened to launch a dedicated leak site if Salesforce/Gainsight did not comply. The claimed data includes Fortune 500 customer data, primarily email marketing records, CRM records, and integration data.

Recommendations

  1. Regularly review all third-party applications connected to the Salesforce instance and remove any that are unused, outdated, or from unknown vendors.
  2. Review and revoke OAuth tokens for unused or suspicious applications.
  3. Rotate credentials immediately if anomalous activity is detected from an integration.
  4. Enforce IP whitelisting for third-party app API access.
  5. Use OAuth scopes and granular permissions to limit app capabilities.
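As an added illustration of recommendations 1 and 4 (this is example code written for this advisory, not a Salesforce, Gainsight or Mandiant tool), the script below checks connected-app API events against a per-app source-IP allowlist and flags calls from outside the expected ranges, the pattern that led to the initial discovery described above. The event field names, the CIDR ranges and the sample records are constructed assumptions, not Salesforce's EventLogFile schema.

```python
import ipaddress
import json

# Per-app allowlist of CIDR ranges from which the integration is expected to call
# the Salesforce API (assumed values; in practice taken from the vendor's published
# egress ranges and the org's Connected App IP restrictions).
APP_IP_ALLOWLIST = {
    "Gainsight SFDC Connector": ["203.0.113.0/24"],
    "Example Marketing App": ["198.51.100.0/24"],
}

# Constructed API event records in a simplified JSON shape; the field names are an
# assumption for this example, not Salesforce's real log schema.
SAMPLE_EVENTS = [
    '{"ts":"2025-11-19T02:14:05Z","app":"Gainsight SFDC Connector","ip":"203.0.113.17","op":"Query","rows":120}',
    '{"ts":"2025-11-19T02:14:09Z","app":"Gainsight SFDC Connector","ip":"192.0.2.44","op":"Query","rows":50000}',
    '{"ts":"2025-11-19T02:14:12Z","app":"Gainsight SFDC Connector","ip":"192.0.2.44","op":"Query","rows":50000}',
    '{"ts":"2025-11-19T02:15:01Z","app":"Example Marketing App","ip":"198.51.100.9","op":"Query","rows":10}',
]

def ip_allowed(app, ip):
    """True when the source IP falls inside the app's expected egress ranges.
    An app with no allowlist entry (unknown vendor) is never allowed."""
    nets = [ipaddress.ip_network(c) for c in APP_IP_ALLOWLIST.get(app, [])]
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def find_suspicious_api_calls(lines, row_threshold=10000):
    """Group non-allowlisted calls by (app, source IP); count calls and rows pulled,
    and mark the pair when any single call exceeded row_threshold rows (bulk export)."""
    findings = {}
    for line in lines:
        ev = json.loads(line)
        if ip_allowed(ev["app"], ev["ip"]):
            continue
        key = (ev["app"], ev["ip"])
        f = findings.setdefault(key, {"calls": 0, "rows": 0, "bulk_pull": False})
        f["calls"] += 1
        f["rows"] += ev.get("rows", 0)
        if ev.get("rows", 0) >= row_threshold:
            f["bulk_pull"] = True
    return findings

if __name__ == "__main__":
    for (app, ip), f in find_suspicious_api_calls(SAMPLE_EVENTS).items():
        print(f"{app}: {f['calls']} call(s) from non-allowlisted IP {ip}, "
              f"{f['rows']} rows, bulk={f['bulk_pull']}")
```

A hit for a connected app from an unexpected IP, especially one pulling large row counts, is the trigger for recommendation 3 (revoke that app's tokens and rotate credentials).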

Source:

Ampcus Cyber