Fast Facts
- The ShinyHunters group launched a new campaign exploiting Gainsight integrations to access Salesforce customer data, compromising at least three organizations.
- Salesforce responded by revoking all active Gainsight app access, removing the apps temporarily, and investigating the unusual activity.
- Gainsight indicated that compromised OAuth tokens were scoped to individual customers and recommended credential rotation; the connector will be re-enabled after thorough vetting.
- Experts note that third-party OAuth tokens are increasingly targeted by hackers, with this campaign involving theft of tokens from Drift’s AWS after a GitHub breach of Salesloft.
The Issue
The ShinyHunters hacking group recently launched a sophisticated attack on Salesforce customers by exploiting vulnerabilities in Gainsight integrations, tools that companies use to manage customer data. The campaign compromised third-party OAuth tokens—the digital keys that grant an integration access to cloud services—and used them to infiltrate affected Salesforce instances and extract sensitive information. In response, Salesforce rapidly revoked all active access tokens linked to Gainsight applications and removed the apps from its platform while it investigated, which initially left many customers uncertain about the scope of the damage. Gainsight later confirmed that three organizations had been compromised and opened a joint investigation with Salesforce and a forensics firm, with plans to reset the affected connections securely before restoring service. The attack appears to be part of a broader trend in which cybercriminals target the OAuth tokens of trusted SaaS integrations, as highlighted by security experts from Google Threat Intelligence, who attributed the campaign to ShinyHunters—an infamous hacking collective responsible for damaging data breaches at organizations including Salesforce and Salesloft, affecting hundreds of companies and exposing large volumes of sensitive data.
Potential Risks
Compromise of Salesforce instances through Gainsight integrations poses a substantial threat to any business that relies on these platforms: it exposes sensitive customer data, disrupts sales and customer success operations, and risks significant reputational damage. Such a breach can lead to unauthorized access, data leaks, and manipulation of critical business information, impairing decision-making and eroding client trust. Beyond the immediate hit to business continuity, the incident invites costly remediation, potential legal liability, and long-term damage to brand integrity—all of which can threaten the enterprise’s stability and growth trajectory.
Fix & Mitigation
Rapid response to breaches such as Salesforce instances compromised through Gainsight integrations is crucial to minimizing data loss, maintaining customer trust, and preventing further malicious activity. Prompt remediation contains the threat, limits the damage, and restores normal operations efficiently.
Containment Measures
- Isolate affected Salesforce instances
- Immediately disconnect compromised Gainsight integrations
Assessment Actions
- Conduct a thorough security audit of impacted systems
- Identify the source and scope of the breach
Remediation Steps
- Patch vulnerabilities in Gainsight and Salesforce platforms
- Reset all affected user credentials and API keys
Communication
- Notify impacted stakeholders and affected clients
- Follow legal and regulatory reporting requirements
Preventive Strategies
- Review and update access controls and permissions
- Implement multi-factor authentication for integrations
- Schedule regular security scans and audits
- Enhance monitoring to detect anomalies early
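The "disconnect compromised integrations" and "enhance monitoring to detect anomalies early" steps above come together in a simple baseline-versus-window check over connected-app API activity. The following is an added example, not code from the original brief or from Salesforce or Gainsight: it parses a constructed activity log (the CSV columns and the sample rows are assumed for illustration, not Salesforce's actual event schema), compares each connected app's recent behaviour with its own history, flags new source IPs, new operation types and row-volume spikes, and produces a list of apps whose tokens an administrator should revoke pending investigation.

```python
"""
Added example: per-connected-app anomaly check over a constructed API
activity log. Field names, the sample rows and the thresholds are all
assumptions for the illustration, not a real Salesforce log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    app: str          # connected app that presented the OAuth token
    user: str         # integration user the token acts as
    source_ip: str
    operation: str    # e.g. query, bulk_query, describe
    rows: int         # rows returned by the call


# Constructed sample log. Three quiet baseline days, then on 2025-11-20 the
# "Gainsight" app suddenly runs bulk exports from an IP never seen before.
SAMPLE_LOG = """\
ts,app,user,source_ip,operation,rows
2025-11-17T09:00:00,Gainsight,integ@example.com,203.0.113.10,query,120
2025-11-17T13:00:00,Gainsight,integ@example.com,203.0.113.11,query,80
2025-11-18T09:00:00,Gainsight,integ@example.com,203.0.113.10,query,150
2025-11-18T13:00:00,Gainsight,integ@example.com,203.0.113.11,query,90
2025-11-18T10:00:00,Slack,bot@example.com,198.51.100.5,query,10
2025-11-19T09:00:00,Gainsight,integ@example.com,203.0.113.10,query,130
2025-11-19T13:00:00,Gainsight,integ@example.com,203.0.113.10,query,100
2025-11-19T10:00:00,Slack,bot@example.com,198.51.100.5,query,12
2025-11-20T02:13:00,Gainsight,integ@example.com,192.0.2.77,bulk_query,250000
2025-11-20T02:20:00,Gainsight,integ@example.com,192.0.2.77,bulk_query,310000
2025-11-20T09:00:00,Gainsight,integ@example.com,203.0.113.10,query,110
2025-11-20T10:00:00,Slack,bot@example.com,198.51.100.5,query,10
"""

# The 24-hour window under review; everything earlier is the baseline.
WINDOW_START = datetime(2025, 11, 20)
WINDOW_END = datetime(2025, 11, 21)


def parse_log(text):
    """Parse the CSV-style log into ApiEvent records (no sorting required)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    events = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        events.append(ApiEvent(datetime.fromisoformat(rec["ts"]), rec["app"],
                               rec["user"], rec["source_ip"], rec["operation"],
                               int(rec["rows"])))
    return events


def detect_anomalies(events, window_start, window_end, row_factor=10, min_rows=10_000):
    """Compare each app's [window_start, window_end) activity with its own earlier baseline."""
    baseline, window = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.ts < window_start:
            baseline[ev.app].append(ev)
        elif ev.ts < window_end:
            window[ev.app].append(ev)

    findings = defaultdict(list)
    for app, evs in window.items():
        base = baseline.get(app)
        if not base:
            findings[app].append({"kind": "no_baseline",
                                  "detail": f"{len(evs)} events from an app with no history"})
            continue
        known_ips = {e.source_ip for e in base}
        known_ops = {e.operation for e in base}
        # Average rows per active baseline day, so idle days do not dilute it.
        daily_avg = sum(e.rows for e in base) / len({e.ts.date() for e in base})
        window_rows = sum(e.rows for e in evs)

        new_ips = sorted({e.source_ip for e in evs} - known_ips)
        if new_ips:
            findings[app].append({"kind": "new_source_ip", "detail": ", ".join(new_ips)})
        new_ops = sorted({e.operation for e in evs} - known_ops)
        if new_ops:
            findings[app].append({"kind": "new_operation", "detail": ", ".join(new_ops)})
        # Only flag volume when it is both large in absolute terms and far above baseline.
        if window_rows >= min_rows and window_rows > row_factor * daily_avg:
            findings[app].append({"kind": "volume_spike",
                                  "detail": f"{window_rows} rows vs ~{daily_avg:.0f}/day baseline"})
    return dict(findings)


def revocation_candidates(findings):
    """Apps whose tokens should be revoked pending investigation (assumed policy)."""
    out = []
    for app, items in findings.items():
        kinds = {f["kind"] for f in items}
        if "volume_spike" in kinds or ("new_source_ip" in kinds and len(kinds) > 1):
            out.append(app)
    return sorted(out)


def run_example():
    """Run the check on the constructed log; returns (findings, apps to revoke)."""
    findings = detect_anomalies(parse_log(SAMPLE_LOG), WINDOW_START, WINDOW_END)
    return findings, revocation_candidates(findings)


if __name__ == "__main__":
    findings, to_revoke = run_example()
    for app, items in findings.items():
        for f in items:
            print(f"{app}: {f['kind']} ({f['detail']})")
    print("revoke tokens for:", to_revoke)
```

On the sample log the Slack app produces no findings, while the Gainsight app is flagged for a new source IP, a new operation type and a volume spike of roughly 560,000 rows against a baseline of about 220 rows per day, and so lands on the revocation list. In practice the thresholds should be tuned per integration, and the revocation list feeds the administrative action of revoking the connected app's tokens rather than being acted on automatically.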
