Salesforce-linked data breach claims 200+ victims, has ShinyHunters’ fingerprints all over it
Summary
Salesforce has disclosed a third‑party security incident involving Gainsight‑published applications that connect to customer Salesforce instances. Google Threat Intelligence Group (GTIG) attributes the activity to UNC6240 (aka ShinyHunters) and reports more than 200 potentially affected Salesforce instances. Salesforce says it revoked all active access and refresh tokens for the affected Gainsight apps and temporarily removed those apps from the AppExchange while it investigates. The company also notes there is no indication the Salesforce platform itself was exploited; the issue appears linked to the external app connections.
Key Points
- The incident concerns Gainsight‑published apps installed and managed by customers that connect to Salesforce.
- GTIG ties the activity to UNC6240 (ShinyHunters) and flags 200+ potentially affected instances.
- Salesforce revoked access and refresh tokens and temporarily pulled the affected apps from the AppExchange.
- Salesforce maintains there is no evidence of a platform vulnerability; the problem seems to stem from the external app connection.
- Google’s Mandiant is assisting with notifications; organisations are advised to audit third‑party apps, revoke suspicious or unused tokens and rotate credentials immediately if anomalous activity is detected.
Context and relevance
This follows earlier breaches where ShinyHunters exploited stolen OAuth tokens to reach numerous organisations’ Salesforce environments. The recurring pattern underlines the risk third‑party apps and compromised tokens pose to centralised SaaS platforms such as CRM systems, where access can expose sensitive customer data across many tenants.
Why should I read this?
Quick and blunt: if your organisation uses Salesforce with third‑party apps, stop what you’re doing and check your connected apps and tokens. ShinyHunters‑style token theft keeps coming back — a fast audit and token cleanup could save you a major headache.
Source
https://go.theregister.com/feed/www.theregister.com/2025/11/20/salesforce_gainsight_breach/
