Tag: Salesforce Gainsight Breach

  • ShinyHunters Claims Salesforce Ecosystem Breach via Stolen OAuth Tokens from Gainsight

    The escalating saga surrounding the Salesforce ecosystem data breach has taken a new turn after the group ShinyHunters publicly claimed responsibility for its role in the incident. The events, unfolding over several months, have affected multiple services tied to CRM platforms, and the scale of the fallout continues to grow.

    According to ShinyHunters, the group gained access to Gainsight several months ago, building on the earlier breach of the Salesloft–Drift integration. In that incident, unknown actors infiltrated Salesloft’s GitHub account and extracted the OAuth tokens that the third-party service Drift used to interact with Salesforce. Those tokens allowed the attackers to quietly access data belonging to a large number of corporate clients.

    Reports indicate that during the same campaign, the intruders also infiltrated the Gainsight environment. Gainsight functions as a customer success management platform integrated with Salesforce, HubSpot, and support systems such as Zendesk. The incident prompted the company to enlist Google Mandiant to investigate the nature of the activity and determine its source. Gainsight maintains that the malicious actions were carried out via external application connections rather than through any flaw in the Salesforce platform itself.

    Salesforce responded by revoking all active access keys for Gainsight applications and temporarily removing them from the AppExchange marketplace. Zendesk and HubSpot took similar steps, restricting the relevant connectors until their internal reviews are complete. Salesforce representatives have refrained from offering detailed comments but emphasize that decisive action was taken immediately.

    According to Google’s Threat Intelligence Group, the attack is linked to the cluster UNC6240, better known as ShinyHunters. The company has identified more than two hundred affected Salesforce instances. The source of the compromise appears to be the stolen OAuth tokens, which granted attackers access to external services and their integrations.

    ShinyHunters claims it tested the extent of monitoring within Gainsight’s systems and that its presence was detected only one to two weeks after the intrusions began. The group also hints at seeking accomplices within major enterprises. Salesforce has previously stated that it will not comply with extortion demands and has no intention of entering negotiations.