Ethical Hacking News
A new data breach has been reported at Salesforce, which may have exposed customer data to ShinyHunters, a notorious threat group known for its past exploits. The incident highlights the importance of investing in robust cybersecurity measures to protect against such threats.
Salesforce has been breached, exposing customer data to ShinyHunters, a notorious threat group. The breach occurred through Gainsight-published applications connected to Salesforce. Salesforce revoked the active access and refresh tokens of Gainsight-published applications. Companies are reminded to review their SaaS environments for third-party applications connected to Salesforce. Regular security audits, token rotation, and proactive measures are necessary to protect customer data from threats like ShinyHunters.
Salesforce has once again fallen victim to a data breach, and this time, it's connected to a third-party application. In a move that's left many in the cybersecurity community scratching their heads, the popular CRM giant revealed another security incident that may have exposed its customers' data to ShinyHunters, a notorious threat group known for its past exploits.
According to Salesforce spokesperson Allen Tsai, the suspicious activity involved Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers. The investigation indicates that this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection. In response, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while further investigation continues.
The incident has sparked concerns about the security of third-party applications connected to Salesforce instances. "There is no indication that this issue resulted from any vulnerability in the Salesforce platform," Tsai said. However, the activity appears to be related to the app's external connection to Salesforce.
Google Principal Threat Analyst Austin Larsen attributed the activity to ShinyHunters, a group known for its past exploits. This is not the first time ShinyHunters has been linked to a breach of a company's data. Earlier this year, they breached SalesLoft's Drift application and stole numerous companies' OAuth tokens, allowing them unauthorized access to Salesforce instances.
The incident serves as a reminder to all companies to regularly review their SaaS environments, including third-party applications connected to their Salesforce instances. Companies should investigate and revoke tokens for unused or suspicious applications and rotate credentials immediately upon detecting any anomalous activity.
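The review recommended above, as an added example (not from the article, Salesforce or Gainsight): it triages an exported inventory of connected-app OAuth tokens and lists the ones that need a revoke-or-keep decision. The record layout, app names, approved list and 90-day threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export of connected-app OAuth tokens. The field names
# (AppName, UserId, LastUsedDate, UseCount) are assumptions, not a real schema.
TOKENS = [
    {"AppName": "Gainsight Connector (sample)", "UserId": "005A",
     "LastUsedDate": "2025-11-19T08:00:00+00:00", "UseCount": 5120},
    {"AppName": "Internal ETL", "UserId": "005B",
     "LastUsedDate": "2025-11-20T01:00:00+00:00", "UseCount": 9000},
    {"AppName": "Old Survey Tool", "UserId": "005C",
     "LastUsedDate": "2025-03-02T10:00:00+00:00", "UseCount": 12},
    {"AppName": "Unknown Sync", "UserId": "005D",
     "LastUsedDate": None, "UseCount": 0},
]
APPROVED = {"Gainsight Connector (sample)", "Internal ETL", "Old Survey Tool"}
WATCHLIST = ("gainsight",)          # publisher named in this incident
STALE_AFTER = timedelta(days=90)    # assumed threshold for "unused"


def review(tokens, now, approved=APPROVED):
    """Return (app, user, reasons) for every token that needs a decision."""
    findings = []
    for tok in tokens:
        name, reasons = tok["AppName"], []
        if any(word in name.lower() for word in WATCHLIST):
            reasons.append("publisher under investigation")
        if name not in approved:
            reasons.append("not on approved list")
        last = tok["LastUsedDate"]
        if last is None or tok["UseCount"] == 0:
            reasons.append("never used")
        elif now - datetime.fromisoformat(last) > STALE_AFTER:
            reasons.append("unused for 90+ days")
        if reasons:
            findings.append((name, tok["UserId"], reasons))
    return findings


if __name__ == "__main__":
    now = datetime(2025, 11, 20, 12, 0, tzinfo=timezone.utc)
    for app, user, reasons in review(TOKENS, now):
        print(f"REVIEW/REVOKE {app} (user {user}): {', '.join(reasons)}")
```

A token can be flagged for more than one reason, so the approved list alone does not clear an app whose publisher is under investigation.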
Larsen's observation highlights the need for companies to be vigilant about the security of their data and to invest in robust cybersecurity measures. "This is a signal to all organizations to take a closer look at their SaaS environments," Larsen wrote in his LinkedIn post.
The incident also underscores the importance of investing in robust cybersecurity measures, including regular security audits and token rotation. Companies must take proactive steps to protect their data from such threats.
This breach is the latest in a series of high-profile incidents that have exposed customer data to various threat groups. As the cyber landscape continues to evolve, it's essential for companies to stay vigilant and invest in robust cybersecurity measures to protect their customers' sensitive information.
Published: Thu Nov 20 14:42:16 2025 by llama3.2 3B Q4_K_M