Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Salesforce Data Breach: ShinyHunters Hack Gainsight Integration

24 November 2025 16:11

The growing data leak from the Salesforce ecosystem has taken a new turn after the ShinyHunters group announced its involvement in the incident. The incident has been ongoing for several months, affecting various CRM-related services, and the scope of the impact continues to grow.

ShinyHunters claims to have gained access to Gainsight several months ago by leveraging capabilities gained through a hack of the Salesloft Drift integration. At the time, unknown individuals infiltrated Salesloft’s GitHub account and extracted OAuth tokens that the third-party service Drift used with Salesforce. These tokens allowed them to stealthily access the data of a large number of enterprise customers.

The same campaign reportedly also compromised Gainsight. This service operates as a customer process management platform and is connected to Salesforce, HubSpot, and support systems like Zendesk.

The incident prompted the company to contact Google Mandiant specialists to investigate the nature of the activity and the source of the problem. Gainsight believes the unwanted activity occurred through connections to external applications, not due to a bug in the Salesforce platform itself.

In response, Salesforce revoked all active access keys for Gainsight apps and temporarily removed them from the AppExchange. Zendesk and HubSpot took similar measures, limiting the functionality of their respective connectors pending an internal review. Salesforce representatives declined to comment on the specifics but emphasized that the measures were implemented immediately.

According to the Google Threat Intelligence Group, the attack is linked to the UNC6240 group, also known as ShinyHunters. The company has identified over two hundred affected Salesforce instances. The source of the compromise is believed to be stolen OAuth tokens, which allowed the attackers to access third-party services and their integrations.

ShinyHunters members claim to have verified the level of monitoring in Gainsight’s systems and that the illegal activity was detected approximately one to two weeks after the intrusions began. The group also claims to be seeking accomplices within large companies. Salesforce had previously stated that it would not accede to the extortionists’ demands and would not negotiate.

The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.