Ethical Hacking News

ShinyHunters' Sordid Tale: A Web of Compromise and Exploitation


ShinyHunters has claimed responsibility for breaching Gainsight, a customer success platform that integrates with Salesforce and several other CRMs. The thieves gained access to Gainsight during the Salesloft Drift hack earlier this year, exploiting OAuth security tokens obtained from Drift's integration with Salesforce. This breach allows ShinyHunters to snarf data from hundreds more Salesforce customers, leaving a trail of digital destruction in their wake.

  • ShinyHunters group claimed responsibility for breaching Gainsight, a customer success platform integrating with Salesforce.
  • Gainsight breach allowed ShinyHunters to steal data from hundreds of Salesforce customers.
  • ShinyHunters exploited OAuth security tokens obtained from Salesloft Drift's integration with Salesforce to gain access.
  • Google's Mandiant incident responders are investigating the breach, while Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications.
  • The breach has left numerous companies reeling, with Zendesk and HubSpot Marketplace temporarily revoking connector access due to concerns about OAuth access.
  • ShinyHunters' methods are considered brazen and complex, with the group claiming to have compromised other known OAuth apps.



In a world where cybercrime is an ever-evolving beast, groups like ShinyHunters keep taking the reins and wreaking havoc on unsuspecting companies. In this latest development, the notorious crew has claimed responsibility for breaching Gainsight, a customer success platform that integrates with Salesforce and several other CRMs. This egregious breach allows the thieves to snarf data from hundreds more Salesforce customers, leaving a trail of digital destruction in their wake.

According to ShinyHunters' own words, they gained access to Gainsight during the Salesloft Drift hack earlier this year, exploiting the OAuth security tokens obtained from Drift's integration with Salesforce. These stolen OAuth tokens served as an entry point into numerous systems, making them a lucrative target for the cyber-gang. As ShinyHunters' leader would put it, "The data from Salesloft Drift breached has enabled entry points into so many systems. Very lucrative systems."

This breach is not just a minor inconvenience; it's a full-blown catastrophe that has left numerous companies reeling. Gainsight did not respond to The Register's inquiries, leaving the investigation in the hands of Google's Mandiant incident responders. Salesforce, however, took swift action, revoking all active access and refresh tokens associated with Gainsight-published applications connected to its platform.

The aftermath of this breach is a complex web of digital chaos. Zendesk revoked its connector access to Gainsight as a precautionary measure, while the Gainsight app was temporarily pulled from the HubSpot Marketplace due to concerns about OAuth access for customer connections. Salesforce declined to comment further on Friday morning, leaving many questions unanswered.

This latest development is not an isolated incident; it's part of a larger pattern of exploitation that ShinyHunters has been perpetrating in recent months. According to Google Threat Intelligence Group's principal analyst Austin Larsen, the breach "is likely related to UNC6240 (aka ShinyHunters)," and Google is aware of more than 200 potentially affected Salesforce instances.

ShinyHunters' methods are as brazen as they are complex. They gained access to Salesloft's GitHub account and stole OAuth tokens from Salesloft Drift's integration with Salesforce, which allowed them to silently steal a ton of Salesforce customer data. This was just the beginning; ShinyHunters also claimed to have compromised other known OAuth apps and used this newfound power to probe Gainsight, testing how much monitoring there is now.

Salesforce detected the unauthorized activity "pretty quickly," about a week or two after the initial intrusion, and contacted the authorities. However, the aftermath of this breach leaves many questions unanswered. How did ShinyHunters gain access to Salesloft's GitHub account in the first place? What measures is Gainsight taking to prevent similar breaches in the future?

The world of cybercrime is a dark and twisted one, where the lines between right and wrong are constantly blurred. In this case, it's clear that ShinyHunters has pushed the boundaries of what's acceptable, exploiting vulnerabilities and snatching data with impunity. As The Register reported earlier, Salesforce would not engage in negotiations or pay any ransom demands to the hackers.

In a world where technology is increasingly intertwined, it's crucial for companies like Gainsight and Salesforce to remain vigilant and proactive in protecting their users' sensitive information. This latest breach serves as a stark reminder of the importance of robust security measures and the need for companies to take immediate action when faced with such threats.

The aftermath of this breach will likely have far-reaching consequences, affecting not just the companies directly involved but also their customers and stakeholders. As the dust settles, one thing is clear: ShinyHunters' actions have left a trail of destruction that will take time to repair.
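The two defensive moves the article describes, spotting a connected app that is suddenly pulling far more data than it normally does and then revoking that app's access and refresh tokens, can be sketched in code. The script below is an added example written for this page; it is not code from Salesforce, Gainsight, Salesloft or Google Mandiant. The log lines and the per-app daily baselines are constructed, and the "timestamp key=value" format is a hypothetical stand-in for whatever event export a real CRM provides. It aggregates API activity per OAuth client, flags apps whose volume, timing or breadth of objects is out of line with their baseline, and emits the client IDs whose tokens an administrator would revoke.

```python
"""Audit connected-app (OAuth) API activity and list the client IDs to revoke.

Added example for this article, not vendor code. The log format and all
sample values below are constructed; real platforms use their own schemas.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: one API query per line, rows = records returned.
SAMPLE_LOG = """\
2025-11-18T02:14:07Z app=Gainsight client_id=3MVG9-gainsight user=integration@corp.example object=Account rows=50000
2025-11-18T02:15:31Z app=Gainsight client_id=3MVG9-gainsight user=integration@corp.example object=Contact rows=120000
2025-11-18T02:17:02Z app=Gainsight client_id=3MVG9-gainsight user=integration@corp.example object=Case rows=80000
2025-11-18T09:02:44Z app=Gainsight client_id=3MVG9-gainsight user=integration@corp.example object=Account rows=2000
2025-11-18T10:30:00Z app=Drift client_id=3MVG9-drift user=marketing@corp.example object=Lead rows=300
2025-11-18T14:05:10Z app=InternalBI client_id=3MVG9-bi user=bi@corp.example object=Opportunity rows=4000
"""

# Constructed expected daily row counts per app (e.g. a 30-day median).
BASELINE_ROWS_PER_DAY = {"Gainsight": 5000, "Drift": 500, "InternalBI": 5000}


def parse_events(text):
    """Parse constructed 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fields["rows"] = int(fields["rows"])
        events.append(fields)
    return events


def summarize(events, business_hours=(7, 20)):
    """Per app: total rows, objects touched, rows pulled outside business hours (UTC)."""
    start, end = business_hours
    stats = defaultdict(lambda: {"rows": 0, "off_hours_rows": 0,
                                 "objects": set(), "client_ids": set()})
    for e in events:
        s = stats[e["app"]]
        s["rows"] += e["rows"]
        s["objects"].add(e["object"])
        s["client_ids"].add(e["client_id"])
        if not (start <= e["ts"].hour < end):
            s["off_hours_rows"] += e["rows"]
    return dict(stats)


def find_suspicious(stats, baselines, multiplier=5, max_objects=2):
    """Return {app: [reasons]} for apps whose activity deviates from baseline."""
    findings = {}
    for app, s in stats.items():
        reasons = []
        baseline = baselines.get(app)
        if baseline is None:
            # An OAuth client with no entry in the approved inventory is itself a finding.
            reasons.append("app is not in the approved connected-app inventory")
        else:
            if s["rows"] > multiplier * baseline:
                reasons.append(f"volume {s['rows']} exceeds {multiplier}x baseline {baseline}")
            if s["off_hours_rows"] > baseline:
                reasons.append(f"off-hours bulk pull of {s['off_hours_rows']} rows")
        if len(s["objects"]) > max_objects:
            reasons.append(f"touched {len(s['objects'])} object types: {sorted(s['objects'])}")
        if reasons:
            findings[app] = reasons
    return findings


def tokens_to_revoke(stats, findings):
    """Client IDs whose access and refresh tokens should be revoked, sorted."""
    ids = set()
    for app in findings:
        ids |= stats[app]["client_ids"]
    return sorted(ids)


if __name__ == "__main__":
    stats = summarize(parse_events(SAMPLE_LOG))
    findings = find_suspicious(stats, BASELINE_ROWS_PER_DAY)
    for app, reasons in findings.items():
        print(app)
        for r in reasons:
            print("  -", r)
    print("revoke tokens for client_ids:", tokens_to_revoke(stats, findings))
```

The thresholds (5x baseline, more than two object types, any off-hours pull above a day's baseline) are deliberately simple; the point is that a legitimate integration has a predictable shape, and a stolen token used for mass export breaks that shape in volume, timing and breadth at once. Revocation is keyed on the client ID rather than the user, because the compromised credential here was the app's OAuth grant, not a person's password.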



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ShinyHunters-Sordid-Tale-A-Web-of-Compromise-and-Exploitation-ehn.shtml

  • Published: Fri Nov 21 13:41:41 2025 by llama3.2 3B Q4_K_M
