Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

Salesforce Instances Hacked via Gainsight Integrations

The infamous ShinyHunters hackers have targeted customer-managed Gainsight-published applications to steal data from Salesforce instances.

Salesforce data theft extortion

The ShinyHunters hacking group has launched a new data theft campaign against Salesforce customers, exploiting Gainsight integrations to access their instances.

Immediately after discovering the incident, Salesforce revoked all active access and tokens associated with the Gainsight applications connected to its platform. It temporarily removed the applications from the platform while investigating the attack.

“Salesforce has identified unusual activity involving Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said on Thursday morning.

Salesforce said it notified the affected customers directly, but did not share details on how many organizations might have been affected. In the meantime, access to Gainsight via Salesforce remains unavailable.

On Thursday evening, Gainsight revealed that only three organizations were known to have been compromised in the attack, and that it was investigating the incident together with Salesforce and a third-party forensics firm.

“Our third-party will issue a formal report and any remediation guidance. Gainsight will likely move to a packaged version of the Connected App to ensure a clean and secure reset. While no one can guarantee absolute protection, we will only turn services back on once fully vetted,” the company said.

Advertisement. Scroll to continue reading.

Once the connector is re-enabled, it will require re-authorization. Gainsight says each compromised token “was scoped to a single customer”, but all organizations should rotate keys, credentials, and certificates for their Gainsight integrations.

In a LinkedIn post, Google Threat Intelligence Group’s principal threat analyst Austin Larsen said that Mandian is investigating the attack and that the notorious ShinyHunters hackers are responsible for it.

The attackers are “compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances,” Larsen said.

“Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations. We saw this recently with the campaign targeting Salesloft Drift, and we are seeing it again now,” he added.

According to DataBreaches, ShinyHunters has confirmed the attack. The hacking group, responsible for several data exfiltration campaigns targeting Salesforce customers, said it has made roughly 1,000 victims to date.

Gainsight itself was one of the organizations affected by a recent campaign that hit Salesforce customers through the integrations with the third-party AI chatbot Salesloft Drift.

Hundreds of organizations were affected, including numerous security firms, after hackers used compromised OAuth tokens to exfiltrate large amounts of data from their Salesforce instances. The hackers stole the tokens from Drift’s AWS instance after compromising Salesloft’s GitHub account.

Related: Logitech Confirms Data Breach Following Designation as Oracle Hack Victim

Related: Washington Post Says Nearly 10,000 Employees Impacted by Oracle Hack

Related: Princeton University Data Breach Impacts Alumni, Students, Employees

Related: Data Stolen in Eurofiber France Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.