Compromise of Third-Party Application Gainsight Enables Salesforce OAuth Token Abuse
Summary
Salesforce has detected unauthorized activity involving OAuth integrations published by Gainsight that may have allowed access to some customers' Salesforce data. In response, Salesforce revoked active access and refresh tokens associated with Gainsight-published applications and temporarily removed those applications from the AppExchange pending further investigation.
The ShinyHunters group has claimed responsibility for this incident; that claim has not been independently verified by Salesforce or Gainsight.
Affected Systems and/or Applications
- Salesforce tenants with any Gainsight-published Connected Apps / OAuth integrations (including apps provisioned via the Gainsight integration ecosystem).
- Organizations using Salesforce integrations that rely on OAuth access tokens / refresh tokens issued to third-party SaaS apps (risk extends to any delegated-access integration).
- Gainsight Marketplace applications, which were temporarily removed and may have had OAuth access impacted.
Technical Details
- What happened (current understanding): Threat actors exploited the external connection between Gainsight-published applications and Salesforce to obtain OAuth tokens (access/refresh), then used those tokens to access customer data via the apps’ delegated privileges. Salesforce reported “unusual activity” and revoked tokens for Gainsight-published apps.
- Threat actor: Reporting links the activity to actors associated with ShinyHunters (UNC6240) as part of a broader campaign targeting third-party SaaS integrations. Attribution is preliminary but widely referenced.
- Observed impact / data types exposed: Prior similar SaaS-integration attacks frequently resulted in exfiltration of business contact data, emails, phone numbers, licensing metadata, and support case content (typically excluding large binary attachments). Salesforce is notifying impacted customers but has not disclosed the total impact.
- Tactics / Techniques: Activity centers on OAuth token compromise and misuse, including theft or abuse of delegated credentials. In many related intrusions, attackers combine OAuth exploitation with vishing and credential-stuffing techniques. Quorum Cyber notes a surge in campaigns targeting Salesforce OAuth integrations.
Mitigation
Below are immediate, short-term, and medium-term actions. Prioritize rapid containment and detection.
Identify and revoke risk-prone tokens
- Revoke all active access and refresh tokens for Gainsight-published Connected Apps (Salesforce has performed centralized revocation, but verify in your own tenant that no such tokens remain active).
- Re-authorize only after vendor confirmation.
Inventory connected apps
- Export a full list of Connected Apps / OAuth clients.
- Map delegated permissions and identify high-risk scopes.
Rotate credentials & secrets
- Rotate credentials, client secrets, and API keys associated with impacted apps or service accounts.
- Rotate service account credentials with broad API scopes.
Block suspicious endpoints / IPs
- Temporarily block or strictly monitor connections to endpoints listed in vendor advisories or IOCs.
Notify stakeholders
- Alert internal legal, compliance, and customer-facing teams.
- Execute breach notification processes if customer data exposure is confirmed.
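The inventory and revocation steps above can be scripted against an export of the Salesforce OauthToken object. The following is an added example, not code from the advisory, Salesforce or Gainsight: it triages a token export for apps from the suspect publisher, flags broad delegated scopes, and detects tokens still used after the revocation cut-off, which would indicate that centralized revocation did not take or that a new grant was made. The sample export is constructed; the field names follow Salesforce's OauthToken object as documented (AppName, UserId, LastUsedDate, UseCount), the "scopes" field is a hypothetical enrichment you would add from each Connected App's OAuth policy, and the revocation cut-off and vendor name are assumptions to adjust to the vendor advisory.

```python
"""Triage a Salesforce OauthToken export after a third-party app compromise.

Added example, not part of the advisory. Input mirrors a SOQL export such as
  SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
(field names assumed from Salesforce's documented object). The "scopes"
field is a hypothetical enrichment: OauthToken itself does not expose scopes,
so they must be joined from the Connected App's OAuth policy.
"""
from datetime import datetime, timezone

# Salesforce OAuth scopes that grant broad or persistent delegated access.
HIGH_RISK_SCOPES = {"full", "api", "refresh_token", "offline_access", "web"}

# Assumed cut-off: time the vendor/Salesforce revocation took effect.
REVOCATION_TIME = datetime(2025, 11, 20, 0, 0, tzinfo=timezone.utc)

# Constructed sample export (not real tenant data).
SAMPLE_TOKENS = [
    {"Id": "0H1xx0000000001", "AppName": "Gainsight Customer Success",
     "UserId": "005xx000001", "LastUsedDate": "2025-11-19T22:14:05.000+0000",
     "UseCount": 4120, "scopes": ["api", "refresh_token", "offline_access"]},
    {"Id": "0H1xx0000000002", "AppName": "Gainsight Community",
     "UserId": "005xx000002", "LastUsedDate": "2025-11-21T03:02:11.000+0000",
     "UseCount": 12, "scopes": ["api", "web"]},
    {"Id": "0H1xx0000000003", "AppName": "Internal Reporting Tool",
     "UserId": "005xx000003", "LastUsedDate": "2025-11-18T10:00:00.000+0000",
     "UseCount": 900, "scopes": ["api"]},
    {"Id": "0H1xx0000000004", "AppName": "Slack",
     "UserId": "005xx000004", "LastUsedDate": "2025-11-20T08:30:00.000+0000",
     "UseCount": 77, "scopes": ["id", "profile", "email"]},
]


def parse_sf_datetime(value):
    """Parse Salesforce's ISO-8601 form, e.g. 2025-11-19T22:14:05.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage_tokens(tokens, suspect_publisher="Gainsight",
                  revocation_time=REVOCATION_TIME, high_risk=HIGH_RISK_SCOPES):
    """Return findings for tokens that need action, each with its reasons."""
    findings = []
    for token in tokens:
        reasons = []
        if suspect_publisher.lower() in token["AppName"].lower():
            reasons.append("published by suspect vendor")
            # A suspect-vendor token used after the cut-off means revocation
            # did not take locally or the app was re-authorized: escalate.
            if parse_sf_datetime(token["LastUsedDate"]) > revocation_time:
                reasons.append("used after revocation cut-off")
        risky = set(token.get("scopes", [])) & high_risk
        if risky:
            reasons.append("high-risk scopes: " + ",".join(sorted(risky)))
        if reasons:
            findings.append({"Id": token["Id"], "AppName": token["AppName"],
                             "UserId": token["UserId"], "reasons": reasons})
    return findings


def revocation_list(findings):
    """Findings whose token should be deleted (revoked) immediately."""
    return [f for f in findings if "published by suspect vendor" in f["reasons"]]


def used_after_revocation(findings):
    """Findings that show activity after the cut-off; these need IR follow-up."""
    return [f for f in findings if "used after revocation cut-off" in f["reasons"]]


if __name__ == "__main__":
    results = triage_tokens(SAMPLE_TOKENS)
    for finding in results:
        print(finding["Id"], finding["AppName"], "->", "; ".join(finding["reasons"]))
    print("revoke:", [f["Id"] for f in revocation_list(results)])
    print("escalate:", [f["Id"] for f in used_after_revocation(results)])
```

Deleting an OauthToken record revokes that user's grant for the app (the same action as "Revoke" under Connected Apps OAuth Usage in Setup); the exact REST call is left out here because the object's API behaviour should be confirmed against your org's API version. Run the triage again after revocation: any suspect-vendor token that reappears, or that shows a LastUsedDate past the cut-off, is a sign the app was re-authorized before vendor confirmation and should be treated as an incident rather than a hygiene item.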
What the Cyber Fusion Center is Doing
The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed.
References
- https://thehackernews.com/2025/11/salesforce-flags-unauthorized-data.html
- https://www.theregister.com/2025/11/20/salesforce_gainsight_breach
- https://www.quorumcyber.com/threat-intelligence/surge-in-salesforce-data-theft-campaigns-exploiting-oauth-integrations-and-vishing-attacks
- https://status.gainsight.com/
- https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faq-november-20th-afternoon-update-29801