
Redazione RHC: 24 November 2025 16:11
The growing data leak from the Salesforce ecosystem has taken a new turn after the ShinyHunters group announced its involvement in the incident. The incident has been ongoing for several months, affecting various CRM-related services, and the scope of the impact continues to grow.
ShinyHunters claims to have gained access to Gainsight several months ago by leveraging capabilities gained through the compromise of the Salesloft Drift integration. At the time, unknown individuals infiltrated Salesloft’s GitHub account and harvested OAuth tokens that the third-party service Drift used with Salesforce. These tokens allowed them to stealthily access the data of a large number of enterprise customers.
The same campaign reportedly also compromised Gainsight. This service operates as a customer process management platform and is connected to Salesforce, HubSpot, and support systems like Zendesk.
The incident prompted the company to contact Google Mandiant specialists to investigate the nature of the activity and the source of the problem. Gainsight believes the unwanted activity occurred through connections to external applications, not due to a bug in the Salesforce platform itself.
In response, Salesforce revoked all active access keys for Gainsight apps and temporarily removed them from the AppExchange. Zendesk and HubSpot took similar measures, limiting the functionality of their respective connectors pending an internal review. Salesforce representatives declined to comment on the specifics but emphasized that the measures were implemented immediately.
According to the Google Threat Intelligence Group, the attack is linked to the UNC6240 group, also known as ShinyHunters. The company has identified over two hundred affected Salesforce instances. The source of the compromise is believed to be stolen OAuth tokens, which allowed the attackers to access third-party services and their integrations.
ShinyHunters members claim to have verified the level of monitoring in Gainsight’s systems, and say that the illegal activity was detected approximately one to two weeks after the intrusions began. The group also claims to be seeking accomplices within large companies. Salesforce had previously stated that it would not accede to the extortionists’ demands and would not negotiate.