Full Report
Shiny talks to The Reg (EXCLUSIVE): ShinyHunters has claimed responsibility for the Gainsight breach that allowed the data thieves to snarf data from hundreds more Salesforce customers…
Analysis Summary
# Incident Report: Gainsight/Salesforce Customer Data Breach via Third-Party Integration Compromise
## Executive Summary
The threat actor group ShinyHunters claimed responsibility for a breach of Gainsight, a customer-success platform that integrates with Salesforce, and used that access to pull data from hundreds of Salesforce customers. By the group's own account the Gainsight access was not a fresh intrusion but a downstream consequence of the earlier Salesloft Drift incident: a compromise of Salesloft's GitHub account led to Drift's AWS environment and to OAuth tokens for Drift's customer integrations, and that foothold was later used to reach Gainsight. The details below rest largely on the attacker's claims as reported to The Register, and the timelines they give are not fully consistent with one another.
## Incident Details
- Discovery Date: Salesforce reportedly noticed the Gainsight-related activity roughly one to two weeks after it began (ShinyHunters' claim; not independently confirmed in the source).
- Incident Date: Initial access to Salesloft's GitHub occurred earlier in the year (March is mentioned); ShinyHunters claimed access to Gainsight for "nearly 3 months" before the November 21, 2025 disclosure.
- Affected Organization: Gainsight (primary entry point); potentially over 200 Salesforce instances impacted.
- Sector: Software/CRM Integration Services (SaaS).
- Geography: Not specified, but involves global Salesforce customers.
## Timeline of Events
### Initial Access
- Date/Time: Earlier in the year (March is mentioned), as part of the Salesloft Drift security incident.
- Vector: Compromise of the Salesloft GitHub account.
- Details: From GitHub the attacker pivoted into Drift's AWS environment, where it identified the technology integrations Drift held tokens for, Gainsight among them.
### Lateral Movement
- Date/Time: Ongoing for approximately 3 months leading up to disclosure.
- Vector: Leveraging stolen OAuth security tokens associated with Salesloft Drift and Gainsight integrations with Salesforce.
- Details: Used compromised tokens to gain unauthorized access to customer data via Gainsight and other integrated systems.
### Data Exfiltration/Impact
- Date/Time: Ongoing for approximately 3 months.
- Details: Snarfed data belonging to hundreds of additional Salesforce customers through the Gainsight platform. Gainsight access was reportedly seen by the attacker as a "test."
### Detection & Response
- Date/Time: Salesforce detected the unauthorized activity "pretty quickly", about a week or two after the Gainsight-related intrusion began (attacker-stated timeline).
- Response Actions: Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications and temporarily removed them from the AppExchange. Gainsight engaged Mandiant. Zendesk and HubSpot also temporarily pulled/revoked related connector access as precautions.
## Attack Methodology
- Initial Access: Compromise of a third-party vendor's (Salesloft Drift) GitHub account.
- Persistence: Maintained through the stolen OAuth access and refresh tokens of the connected apps linking Drift and Gainsight to Salesforce. A refresh token stays valid until it is revoked or expired by policy, so it provides persistence with no malware on any victim system.
- Privilege Escalation: Not described in the source. An integration token is used with the scopes the connected app was granted, so the attacker did not need to escalate beyond what the integration could already read.
- Defense Evasion: Requests made with valid stolen tokens are indistinguishable at the authentication layer from the integration's own traffic: no failed logins, no new user accounts, no malware, only API calls on an existing trusted path.
- Credential Access: Theft of OAuth security tokens related to connected-app APIs.
- Discovery: Snooping around Drift's AWS environment to identify valuable customer technology integrations (like Gainsight).
- Lateral Movement: Pivoting from Drift/Salesloft access to Gainsight access, then leveraging those credentials/tokens to reach Salesforce customer data.
- Collection: Snarfing customer data via the compromised integration pathway.
- Exfiltration: Data theft occurred silently over the three-month period.
- Impact: Unauthorized data access (Customer Data).
## Impact Assessment
- Financial: Not explicitly stated, but likely significant due to the remediation required across Salesforce, Gainsight, and potentially 200+ customer instances.
- Data Breach: Customer data from hundreds of Salesforce customers accessed via Gainsight.
- Operational: Disruption to Gainsight services; Salesforce temporarily delisted 3rd-party applications; Zendesk and HubSpot took precautionary operational steps.
- Reputational: Significant reputational damage to Gainsight and potential exposure for connected Salesforce customers, linked to the notorious ShinyHunters group.
## Indicators of Compromise
- Network Indicators: None provided in the source (no URLs or IPs).
- File Indicators: None.
- Behavioral Indicators: Data access performed under the identity of Gainsight-published connected apps (the OAuth access and refresh tokens Salesforce has since revoked); bulk or unusual reads arriving through the integration layer rather than from interactive users.
## Response Actions
- Containment: Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications.
- Eradication: Not complete at the time of reporting; Gainsight engaged Mandiant to investigate.
- Recovery: Pending. Salesforce temporarily removed Gainsight's applications from the AppExchange until its review completes; Zendesk and HubSpot disabled their Gainsight connectors as a precaution.
## Lessons Learned
- Third-Party Risk is Critical: The compromise did not originate internally at Gainsight or Salesforce but via a connected third-party (Salesloft Drift), highlighting the severe risk posed by supply chain/integration dependencies.
- Token Security: A source-repository compromise led to a cloud environment that held OAuth tokens for customer integrations. Those tokens gave long-lived, low-noise access to downstream victims' data without touching the victims' own infrastructure.
- Monitoring Integration Traffic: ShinyHunters says Salesforce caught the Gainsight activity within a week or two, yet also claims nearly three months of access. Even taking the shorter figure at face value, valid integration tokens were used against hundreds of tenants before anyone asked what a trusted connected app was actually reading, which points to a gap in tracking integration token usage over time rather than in authentication controls.
## Recommendations
- Hardening Development Environments: Implement strict access controls and monitoring on source code repositories (like GitHub) used by integration partners to prevent token/credential exposure.
- API Token Lifecycles: Shorten access-token lifetimes, expire refresh tokens on a fixed policy, and require periodic re-authorization for third-party integration tokens; where the platform supports it, restrict an integration's token to the vendor's expected source IP ranges so a stolen token is useless from elsewhere.
- Comprehensive Vendor Vetting: Conduct deeper security reviews (SOC 2 reports, penetration tests) of critical integration partners before granting API connectivity, and keep an inventory of which integrations hold which scopes: the blast radius of a vendor compromise is the union of everything its tokens are allowed to read.
- Increased Integration Monitoring: Enhance monitoring to detect anomalous data access patterns originating from legitimate integrated application tokens.
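The behavioral indicator above and the last recommendation come down to one detection problem: the integration's token is valid, so authentication logs show nothing, and the only signal is in what the token is used for. The following Python is an added example for this report, not code from the original article or from Salesforce, Gainsight or Mandiant. It runs a baseline-and-deviation check over constructed API event records whose field names are this example's own (loosely following Salesforce's ApiEvent naming); the app names, IPs, dates, row counts and thresholds are invented for illustration.

```python
"""Flag anomalous data access made under a legitimate integration's OAuth token.

Added example for this report; not code from the original article, Salesforce,
Gainsight or Mandiant. The event records below are constructed for the example,
with field names loosely following Salesforce's ApiEvent naming (the app names,
IPs, dates and row counts are invented).
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    day: str
    app: str
    kind: str      # "volume", "new_entity" or "new_source_ip"
    detail: str


def _ev(day: str, app: str, entity: str, rows: int, ip: str) -> Dict:
    """Build one constructed API event record (fields are this example's own)."""
    return {"EventDate": day, "ConnectedAppName": app, "Operation": "Query",
            "QueriedEntities": entity, "RowsProcessed": rows, "SourceIp": ip}


# Constructed sample: "IntegrationApp" (hypothetical) syncs a few hundred Contact
# rows a day from one egress IP. On day 8 the same app identity bulk-exports
# Accounts and Cases from a new IP, which is what a stolen integration token
# looks like. "SupportSync" (hypothetical) is a steady control that should
# raise nothing.
SAMPLE_EVENTS: List[Dict] = [
    _ev(f"2025-11-0{d}", "IntegrationApp", "Contact", rows, "203.0.113.10")
    for d, rows in zip(range(1, 8), [380, 420, 455, 410, 398, 430, 415])
] + [
    _ev("2025-11-08", "IntegrationApp", "Contact", 405, "203.0.113.10"),
    _ev("2025-11-08", "IntegrationApp", "Account", 52000, "198.51.100.77"),
    _ev("2025-11-08", "IntegrationApp", "Case", 31000, "198.51.100.77"),
] + [
    _ev(f"2025-11-0{d}", "SupportSync", "Case", 120 + d, "192.0.2.25")
    for d in range(1, 9)
]


def detect_anomalies(events: List[Dict], warmup_days: int = 3,
                     volume_factor: float = 5.0, min_rows: int = 1000) -> List[Finding]:
    """Per connected app, learn a baseline from the first `warmup_days` of
    activity, then flag any later day that (a) moves at least `volume_factor`
    times the median daily row count (and at least `min_rows` rows), (b) touches
    an object the app has never queried before, or (c) arrives from a source IP
    not seen for that app. All three signals are visible even though every
    request authenticated successfully with a valid token.
    """
    by_day: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in events:
        by_day[(e["ConnectedAppName"], e["EventDate"])].append(e)

    history: Dict[str, List[int]] = defaultdict(list)   # app -> prior daily totals
    seen_entities: Dict[str, set] = defaultdict(set)
    seen_ips: Dict[str, set] = defaultdict(set)
    findings: List[Finding] = []

    for (app, day), evs in sorted(by_day.items()):   # chronological per app
        total = sum(ev["RowsProcessed"] for ev in evs)
        entities = {ev["QueriedEntities"] for ev in evs}
        ips = {ev["SourceIp"] for ev in evs}

        if len(history[app]) >= warmup_days:
            baseline = median(history[app])
            if total >= max(min_rows, volume_factor * baseline):
                findings.append(Finding(day, app, "volume",
                                        f"{total} rows vs median {baseline:.0f}"))
            for ent in sorted(entities - seen_entities[app]):
                findings.append(Finding(day, app, "new_entity", ent))
            for ip in sorted(ips - seen_ips[app]):
                findings.append(Finding(day, app, "new_source_ip", ip))

        # Evaluate the day before folding it into the baseline. A production
        # version would also keep flagged days out of the history so that a
        # slow ramp-up cannot retrain the baseline to accept the theft.
        history[app].append(total)
        seen_entities[app].update(entities)
        seen_ips[app].update(ips)

    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_EVENTS):
        print(f"{f.day} {f.app:15s} {f.kind:14s} {f.detail}")
```

On the constructed sample the script reports one volume spike, two first-seen objects (Account, Case) and one new source IP, all under IntegrationApp on 2025-11-08, and nothing for the control app. In a real deployment the records would come from Salesforce Event Monitoring (EventLogFile or Real-Time Event Monitoring) rather than an inline list, and thresholds would be tuned per integration. The volume check alone is the weakest of the three signals: an attacker who pulls the same objects at the usual rate from the usual IP range defeats it, which is why object coverage and source network are checked as well.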