ShinyHunters 'does not like Salesforce at all,' claims the crew accessed Gainsight 3 months ago
- News link: https://www.theregister.co.uk/2025/11/21/shinyhunters_salesforce_gainsight_breach/
In messages sent to The Register, a member of the extortionist crew said they gained access to Gainsight during the Salesloft Drift hack earlier this year: "We've had access to Gainsight for nearly 3 months."
"The data from Salesloft Drift breached has enabled entry points into so many systems. Very lucrative systems," a member of the cyber-gang claiming to be Shiny told The Register. "I do not like Salesforce at all, would be nice if they stopped acting all high and mighty and just pay to fix this mess."
Gainsight did not respond to The Register's inquiries.
The saga [4]started back in March, when the intruders gained access to a Salesloft GitHub account and [5]stole OAuth tokens from Salesloft Drift's integration with Salesforce.
Drift, a third-party application used to automate sales processes, integrates with Salesforce via connected-app APIs to help manage leads and coordinate pitches, and compromising these OAuth security tokens allowed the data thieves to silently steal a ton of Salesforce customer data.
According to ShinyHunters, they also gained access to Gainsight during the Drift breaches.
Gainsight is a customer success platform that also integrates with Salesforce and several other CRMs, including HubSpot, as well as support tools like Zendesk.
In a Friday [7]alert , Gainsight said it brought on Google's Mandiant incident responders to assist with its ongoing investigation.
"We continue to work on the ongoing investigation into the connection issue affecting Gainsight-published applications on Salesforce," the company said, noting that the "activity under investigation originated from the applications' external connection — not from any issue or vulnerability within the Salesforce platform."
Salesforce on Wednesday [9]said it "revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues."
Zendesk also revoked its connector access to Gainsight, "as a precaution," and on Thursday, the Gainsight app was "temporarily pulled from the HubSpot Marketplace as a precautionary measure," Gainsight said in an earlier update. "This may also impact OAuth access for customer connections while the review is taking place."
Salesforce on Friday morning declined to comment beyond its Thursday advisory.
Google Threat Intelligence Group's principal analyst Austin Larsen [14]previously told The Register that the breach "is likely related to UNC6240 (aka ShinyHunters)," and that Google is "aware of more than 200 potentially affected Salesforce instances."
And, according to ShinyHunters, it dates back to the crooks [15]gaining access to the Salesloft GitHub account.
While we still don't know how the intruders gained access to the GitHub account, once they got it, they snooped around Drift's AWS environment and [16]obtained OAuth tokens for Drift customers' technology integrations. They then used these stolen OAuth tokens to break into [17]several companies' Salesforce instances and steal customer data.
"Gainsight was just a test to probe how much monitoring there is now," the individual claiming to be Shiny told The Register.
Salesforce detected the unauthorized activity "pretty quickly," about a week or two after the initial intrusion, they added. "All we can say regarding correspondence at the moment is that we've contacted Salesforce, cannot elaborate any further at this time."
ShinyHunters is part of the [18]crime collective that [19]rage-quit the internet last month, but now claims to be back in action and recruiting nefarious insiders at major enterprises, according to a Friday Telegram post.
Salesforce previously told The Register it [20]would not pay a ransom demand to ShinyHunters: "Salesforce will not engage, negotiate with, or pay any extortion demand," spokesperson Allen Tsai said. ®
[4] https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/
[5] https://www.theregister.com/2025/08/27/salesforce_salesloft_breach/
[7] https://status.gainsight.com/incidents/gvng0kly8vwf
[9] https://status.salesforce.com/generalmessages/20000233
[10] https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
[11] https://www.theregister.com/2025/10/08/salesforce_refuses_to_pay_ransomware/
[12] https://www.theregister.com/2025/09/02/stolen_oauth_tokens_expose_palo/
[13] https://www.theregister.com/2025/09/02/cloudflare_salesloft_drift_breach/
[14] https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
[15] https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/
[16] https://www.theregister.com/2025/09/02/stolen_oauth_tokens_expose_palo/
[17] https://www.theregister.com/2025/09/02/cloudflare_salesloft_drift_breach/
[18] https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/
[19] https://www.theregister.com/2025/10/13/scattered_lapsus_hunters_hiatus/
[20] https://www.theregister.com/2025/10/08/salesforce_refuses_to_pay_ransomware/
This is too funny
Just too funny.
> they snooped around Drift's AWS environment and obtained OAuth tokens ... Salesforce detected the unauthorized activity "pretty quickly," about a week or two after the initial intrusion...
Wait a sec. I thought OAuth was (allegedly) more secure than passwords. This sounds exactly as secure as posting my password file on my public server. And "a week" is a novel understanding of "pretty quickly". When I used to hack .MIL password files I had to get in and out in like 14 minutes.