ShinyHunters Breach Gainsight Apps to Access Salesforce Instances
Category:Threat Actors & Campaigns
The ShinyHunters cybercrime group, associated with UNC6395 and the broader Scattered Lapsus$ Hunters coalition, has claimed responsibility for compromising Gainsight applications and using them to access the Salesforce instances of multiple enterprises. According to reporting from Information Security Media Group, stolen OAuth tokens tied to Gainsight-published Salesforce apps enabled unauthorized data access, leading Salesforce to revoke all Gainsight-associated tokens and remove the apps from AppExchange.

The attack continues the pattern of token theft and cross-tenant abuse seen earlier in the Salesloft Drift compromise, and maps to MITRE ATT&CK T1528 (Steal Application Access Token) and T1195 (Supply Chain Compromise). T1649 (Steal or Forge Authentication Certificates) has also been cited, but it is a loose fit: the stolen credentials are OAuth bearer tokens, not certificates, and T1528 already covers them.

ShinyHunters claims this is its third or fourth large-scale campaign against Salesforce customers, arguing that enterprises that integrate third-party connectors form an exploitable ecosystem of broadly scoped permissions. The group has threatened to leak stolen CRM datasets unless Salesforce meets its extortion demands, a tactic repeatedly seen in its earlier attacks. Affected organizations include high-value firms such as Okta, Sonos, and ADP, which rely on Gainsight for customer success operations. Salesforce stated there is no evidence of a platform-level vulnerability, which points to the third-party app supply chain rather than Salesforce infrastructure as the origin of the compromise.

Business consequences include potential exposure of customer profiles, revenue intelligence, authentication tokens, and downstream system access. Because Salesforce sits at the center of enterprise workflows, unauthorized access can interrupt sales operations, violate privacy regulations, and enable lateral movement into integrated HR, marketing automation, or identity systems. Extortion adds a further disruptive layer, especially for organizations whose CRM data includes regulated or contractually sensitive information.

Mitigation steps include revoking and reissuing OAuth tokens for the affected connected apps (issuing a new token is only useful if the one the attacker holds is invalidated), reviewing connected app permissions and OAuth scopes, enabling anomaly detection for Salesforce session and API activity, and applying strict third-party governance controls. Organizations should also review historical app activity, such as Event Monitoring data and login history, to determine what data was accessed before the revocation, and should consider isolating or disabling Gainsight connectors until the investigation concludes. This incident underscores the need for continuous monitoring of SaaS-to-SaaS integrations and for zero-trust policies in multi-cloud identity flows.
CORTEX Protocol Intelligence Assessment
Business Impact: ShinyHunters' access to Salesforce environments may expose customer records, operational data, and SSO-linked downstream systems. Extortion risks amplify compliance and financial exposure.
Technical Context: The compromise involves token theft mapped to MITRE T1528 and supply-chain abuse mapped to T1195. Salesforce's token revocation response indicates active exploitation through third-party connectors.
Strategic Intelligence Guidance
- Disable Gainsight connectors until post-incident validation is completed.
- Revoke and reissue OAuth tokens for the affected connected apps, and shorten refresh token lifetimes for all connected apps.
- Apply zero-trust guardrails to SaaS-to-SaaS integrations, limiting privilege scopes.
- Deploy continuous identity anomaly detection across Salesforce and linked systems.
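The historical-activity review and the detection guidance above come down to one question: after a connected app's tokens are known to be stolen, which of its API calls were the attacker's, what did they pull, and whose tokens must be revoked? The script below is an added example, not code from the article, Salesforce, or Gainsight. The event rows are constructed for illustration and only loosely follow the shape of Salesforce Event Monitoring API event records; the field names, the connected-app name and the vendor egress address are assumptions.

```python
"""Post-incident triage of one Salesforce connected app's API activity.

Added example, not code from the original article, Salesforce, or Gainsight.
The event rows below are constructed and only loosely follow the shape of
Salesforce Event Monitoring ApiEvent records; field names, the connected-app
name and the vendor IP range are assumptions, not an export from a real org.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). Each row: when, which user and
# connected app, from which IP, what operation on which object, rows returned.
EVENTS = [
    {"ts": "2025-11-18T03:12:40Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "203.0.113.10", "op": "Query",
     "object": "Account", "rows": 120},
    {"ts": "2025-11-18T03:13:02Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "203.0.113.10", "op": "Query",
     "object": "Contact", "rows": 250},
    {"ts": "2025-11-19T02:01:11Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "198.51.100.77", "op": "BulkApiQuery",
     "object": "Contact", "rows": 480000},
    {"ts": "2025-11-19T02:04:33Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "198.51.100.77", "op": "BulkApiQuery",
     "object": "Opportunity", "rows": 95000},
    {"ts": "2025-11-19T02:06:05Z", "user": "gainsight.integration@example.com",
     "app": "Gainsight", "ip": "198.51.100.77", "op": "Query",
     "object": "User", "rows": 900},
    {"ts": "2025-11-19T09:30:00Z", "user": "alice@example.com",
     "app": "Salesforce for iOS", "ip": "192.0.2.5", "op": "Query",
     "object": "Account", "rows": 10},
]

# Assumption: the vendor's documented egress addresses. Once the vendor's tokens
# are known to be stolen, any other source using its connected app is hostile
# until proven otherwise.
KNOWN_VENDOR_IPS = {"203.0.113.10"}
BULK_ROW_THRESHOLD = 50_000        # rows per call that look like an export, not a sync
PIVOT_OBJECTS = {"User"}           # objects whose rows help pivot into SSO/downstream systems


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(events, app_name, known_ips, bulk_threshold=BULK_ROW_THRESHOLD):
    """Summarise one connected app's activity for the investigation.

    Returns unknown source IPs, bulk exports, per-object row totals, objects
    useful for pivoting, the window of suspicious activity, and the users whose
    tokens for this app must be revoked. Every user that authorised the app is
    listed, because the app's tokens, not the users' passwords, were stolen.
    """
    unknown_ips, bulk_exports, revoke_users = set(), [], set()
    rows_by_object = defaultdict(int)
    suspicious_times = []
    for e in events:
        if e["app"] != app_name:
            continue
        revoke_users.add(e["user"])
        rows_by_object[e["object"]] += e["rows"]
        suspicious = False
        if e["ip"] not in known_ips:
            unknown_ips.add(e["ip"])
            suspicious = True
        if e["rows"] >= bulk_threshold or e["op"].startswith("BulkApi"):
            bulk_exports.append((e["ts"], e["object"], e["rows"]))
            suspicious = True
        if suspicious:
            suspicious_times.append(parse_ts(e["ts"]))
    window = None
    if suspicious_times:
        window = (min(suspicious_times).isoformat(), max(suspicious_times).isoformat())
    return {
        "unknown_ips": sorted(unknown_ips),
        "bulk_exports": bulk_exports,
        "rows_by_object": dict(rows_by_object),
        "pivot_risk": sorted(set(rows_by_object) & PIVOT_OBJECTS),
        "revoke_users": sorted(revoke_users),
        "suspicious_window": window,
    }


if __name__ == "__main__":
    report = triage(EVENTS, "Gainsight", KNOWN_VENDOR_IPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two design choices matter here. The source-IP check is deliberately an allowlist: once the vendor's tokens are confirmed stolen, the right question is not "is this IP known bad" but "is this IP the vendor", and anything else is treated as attacker activity. Second, the revocation list is built from every user who ever authorised the app, not only from users seen in suspicious calls, because a stolen refresh token can be used long after the last observed login and from any address.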
Intelligence Source: ShinyHunters Breach Gainsight Apps to Access Salesforce Instances | Nov 21, 2025