Full Report
They keep coming back for more

Salesforce has disclosed another third-party breach in which criminals - likely ShinyHunters (again) - may have accessed hundreds of its customers' data. …
Analysis Summary
# Incident Report: Salesforce Third-Party Application Data Compromise (Likely ShinyHunters)
## Executive Summary
Salesforce disclosed a security incident involving unauthorized access to customer data facilitated through third-party applications, specifically those published by Gainsight and connected to customer Salesforce instances. The threat actor is strongly suspected to be ShinyHunters (UNC6240). Over 200 Salesforce instances may have been affected by the compromise stemming from improperly secured external OAuth connections. Salesforce responded by immediately revoking access tokens and temporarily delisting the implicated applications.
## Incident Details
- Discovery Date: Wednesday, [Date not explicitly stated, implied late November 2025]
- Incident Date: On or before the disclosure date [implied ongoing compromise, or its discovery, in the period leading up to Nov 20, 2025]
- Affected Organization: Salesforce and its customers (specifically those utilizing Gainsight-published applications)
- Sector: Software/CRM
- Geography: Global (Salesforce customer base)
## Timeline of Events
### Initial Access
- Date/Time: Undetermined prior to detection.
- Vector: Compromise via third-party OAuth tokens used by Gainsight-published applications connected to Salesforce instances.
- Details: Threat actors exploited the established external connection between authorized third-party apps and customer Salesforce data.
### Lateral Movement
- Not explicitly detailed, but the nature of the vector suggests direct access to data authorized by the compromised application credentials rather than traditional network lateral movement.
### Data Exfiltration/Impact
- Unauthorized access to "certain customers' Salesforce data" occurred through the compromised app connection. Over 200 Salesforce instances are potentially affected.
### Detection & Response
- Date/Time: Wednesday (Disclosure date implies detection shortly before).
- Details: Salesforce detected the suspicious activity. Response included revoking all active access and refresh tokens associated with the implicated Gainsight-published applications and temporarily removing those applications from AppExchange.
## Attack Methodology
- Initial Access: Compromise/abuse of OAuth tokens associated with third-party application connections (Gainsight-published apps).
- Persistence: N/A (Access granted via existing OAuth tokens).
- Privilege Escalation: N/A (Access level determined by the permissions granted to the third-party application).
- Defense Evasion: Not explicitly detailed.
- Credential Access: Likely involved compromising the infrastructure or credentials supporting the third-party application to obtain access tokens, or exploiting the tokens themselves.
- Discovery: Not explicitly detailed, but targeted data collection post-access.
- Lateral Movement: Not applicable in the traditional sense; access was granted via the authorized perimeter.
- Collection: Harvesting data from connected Salesforce customer instances.
- Exfiltration: Data theft occurred via the established, unauthorized connection.
- Impact: Unauthorized data access and potential theft.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Access potentially enabled unauthorized access to data belonging to over 200 Salesforce customer instances. Specific data types and volume were not disclosed.
- Operational: Temporary removal of Gainsight applications from AppExchange disrupted functionality reliant on those apps.
- Reputational: Further negative attention regarding third-party security vulnerabilities within the Salesforce ecosystem ("They keep coming back for more").
## Indicators of Compromise
The IoCs relate to the application linkage rather than to traditional network artifacts:
- Suspicious use of active access and refresh tokens related to Gainsight-published applications.
- Anomalous API calls or data-access patterns originating from the authorized third-party application channels.

*Note: No specific URLs or IP addresses were provided in the source to defang.*
## Response Actions
- Containment measures: Salesforce revoked all active access and refresh tokens associated with the affected Gainsight-published applications.
- Eradication steps: Temporarily removed the implicated applications from the AppExchange pending investigation completion.
- Recovery actions: Affected customers were notified by Salesforce.
## Lessons Learned
- Third-party application security, particularly concerning OAuth tokens and external connections, remains a critical attack pivot point against major SaaS platforms like Salesforce.
- Organizations must rigorously audit all third-party SaaS integrations, especially those using OAuth, to confirm that each one is still necessary.
## Recommendations
- All organizations using Salesforce (and other SaaS environments) should immediately conduct a full audit of all connected third-party applications.
- Investigate unused or suspicious third-party applications and revoke their access and refresh tokens.
- Upon detecting any anomalous data access activity, immediately rotate relevant credentials and authorization tokens.
- Ensure robust monitoring is in place specifically for API usage and data retrieval patterns originating from integrated third-party services.
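One way to implement the last recommendation, as an added example that is not from the original report or from Salesforce or Gainsight: build a per-app, per-object baseline of how many rows an integration normally retrieves, then flag later calls that far exceed it or that touch objects the app never read before. The record fields (`ts`, `app`, `user`, `object`, `rows`) and the sample events are constructed assumptions; a real Event Monitoring export would need to be mapped onto them.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: one per API call made through a connected app.
# Timestamps are ISO-8601 UTC strings so they compare correctly as text.
SAMPLE_EVENTS = [
    {"ts": "2025-11-17T09:00:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Account", "rows": 1200},
    {"ts": "2025-11-17T09:05:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Contact", "rows": 3000},
    {"ts": "2025-11-18T09:00:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Account", "rows": 1100},
    {"ts": "2025-11-18T09:05:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Contact", "rows": 3200},
    # Later window: a normal nightly run plus an off-hours bulk pull and a never-before-seen object.
    {"ts": "2025-11-19T09:00:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Account", "rows": 1150},
    {"ts": "2025-11-19T03:12:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Contact", "rows": 48000},
    {"ts": "2025-11-19T03:15:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Case", "rows": 9500},
    {"ts": "2025-11-19T03:20:00Z", "app": "cs-sync-app", "user": "integ@example.com", "object": "Account", "rows": 200},
]


def build_baseline(events, before_ts):
    """Mean rows retrieved per (app, object) over all calls made before before_ts."""
    rows = defaultdict(list)
    for e in events:
        if e["ts"] < before_ts:
            rows[(e["app"], e["object"])].append(e["rows"])
    return {key: mean(vals) for key, vals in rows.items()}


def find_anomalies(events, before_ts, ratio=5.0, min_rows=1000):
    """Return (ts, app, reason, detail) for calls at/after before_ts that deviate from the baseline.

    reason is 'new_app' (app absent from baseline), 'new_object' (object this app never
    read before) or 'volume' (rows exceed ratio x baseline and at least min_rows).
    """
    base = build_baseline(events, before_ts)
    known_apps = {app for app, _ in base}
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ts"] < before_ts:
            continue
        key = (e["app"], e["object"])
        if key not in base:
            reason = "new_app" if e["app"] not in known_apps else "new_object"
            findings.append((e["ts"], e["app"], reason, e["object"]))
        elif e["rows"] >= min_rows and e["rows"] > ratio * base[key]:
            detail = f"{e['rows']} rows vs baseline {base[key]:.0f}"
            findings.append((e["ts"], e["app"], "volume", detail))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS, "2025-11-19T00:00:00Z"):
        print(*finding)
```

Token revocation is the response once such a finding is confirmed; the baseline window should be long enough to cover the integration's normal scheduled runs, or routine batch jobs will be flagged.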