Executive Summary
In June 2024, Salesforce customers experienced a significant supply chain breach after a third-party vendor, Gainsight, was compromised in an ongoing campaign traced to the ShinyHunters/UNC6240 threat group. Attackers exploited OAuth application connections between Gainsight and Salesforce, potentially impacting over 200 customer instances and exposing sensitive business data. Salesforce responded promptly by revoking access tokens to block further unauthorized entry but confirmed that no vulnerabilities existed within its core platform. The incident echoes a previous attack wave against Salesloft Drift integrations targeting Salesforce users within the same threat cluster, highlighting persistent exploitation of third-party SaaS application connections.
The breach underscores mounting risks associated with SaaS supply chain integrations and highlights a shift in attacker tactics toward abusing trusted app connectors. As enterprises continue to expand reliance on cloud-based business platforms and third-party vendors, such attacks increase the urgency for rigorous vendor risk management, least-privilege access policies, and enhanced anomaly detection.
Why This Matters Now
This incident demonstrates the escalating threat from supply chain attacks on SaaS environments, where attackers exploit external app connections to infiltrate enterprise data. As multi-app integrations become standard, organizations must act urgently to assess and harden their integration points and supply chain defenses to prevent similar breaches.
Attack Path Analysis
The attack began when threat actors compromised Gainsight, a third-party vendor integrated with Salesforce, enabling unauthorized access via app-to-app connections. Through stolen OAuth tokens, attackers potentially elevated privileges, accessing Salesforce environments linked to the third-party connector. The attackers likely traversed connected workloads and services within customer environments, taking advantage of flat network surfaces. Establishing command and control via authorized but malicious API calls or communications, they maintained persistence and coordinated malicious activities. Data from connected Salesforce instances was exfiltrated via outbound channels before detection occurred. The impact resulted in unauthorized exposure and possible abuse of sensitive business data across hundreds of affected Salesforce customers.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access to Gainsight’s systems or its integration infrastructure, exploiting the trusted OAuth connection to Salesforce customer environments.
MITRE ATT&CK® Techniques
- Supply Chain Compromise
- Valid Accounts: Cloud Accounts
- Use Alternate Authentication Material: Web Session Cookie
- Application Layer Protocol: Web Protocols
- Modify Authentication Process: Web Portal
- Transfer Data to Cloud Account
- Unsecured Credentials: Credentials In Files
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Maintaining and Monitoring Service Provider Controls (Control ID: 12.8.2)
- NYDFS 23 NYCRR 500 – Third Party Service Provider Security Policy (Control ID: 500.11)
- DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management (Control ID: Article 28)
- CISA Zero Trust Maturity Model 2.0 – Continuous Validation of Third-Party Access (Control ID: Identity Pillar: Device and Session Management)
- NIS2 Directive – Supply Chain Security (Control ID: Article 21(2)(d))
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting Salesforce integrations expose customer success platforms to token compromise, requiring enhanced egress security and zero trust segmentation controls.
Financial Services
Salesforce CRM breaches via third-party connectors threaten sensitive financial data, demanding stricter east-west traffic monitoring and multicloud visibility per compliance frameworks.
Information Technology/IT
IT service providers using Gainsight face cascading supply chain risks through compromised OAuth tokens, necessitating threat detection and anomaly response capabilities.
Marketing/Advertising/Sales
Sales platforms integrated with Salesforce suffer data exposure from ShinyHunters group attacks, requiring enhanced policy enforcement and encrypted traffic protection measures.
Sources
- Hundreds of Salesforce customers hit by yet another third-party vendor breach – https://cyberscoop.com/salesforce-gainsight-customers-breach/
- FINRA Cybersecurity Alert – Salesforce Gainsight Security Incident – https://www.finra.org/rules-guidance/guidance/cybersecurity-advisory-salesforce-gainsight
- Google says hackers stole data from 200 companies following Gainsight breach – https://techcrunch.com/2025/11/21/google-says-hackers-stole-data-from-200-companies-following-gainsight-breach/
- Salesforce Data Exfiltration, Campaign C0059 | MITRE ATT&CK® – https://attack.mitre.org/campaigns/C0059
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, workload isolation, and robust egress and anomaly controls could have significantly hindered unauthorized east-west movement and outbound data theft, ensuring compromised connections could be contained and visibility maintained across SaaS and cloud environments.
Control: Zero Trust Segmentation
Mitigation: Isolation of third-party application connectivity minimizes initial blast radius.
Control: Multicloud Visibility & Control
Mitigation: Abnormal privilege escalations are rapidly detected and correlated for incident response.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral movement is blocked and logged per microsegment policies.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious C2 patterns and anomalous API calls generate real-time alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound or exfiltration traffic is blocked or audited.
Distributed enforcement and continuous monitoring limit breach impact and accelerate remediation.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
- Customer Support
Estimated downtime: 7 days
Estimated loss: $5,000,000
Unauthorized access to sensitive customer data, including contact information and internal notes, potentially leading to reputational damage and regulatory scrutiny.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation to limit the exposure from compromised third-party/cloud app integrations.
- Implement continuous multicloud visibility and anomaly response across all SaaS, app connector, and data flows.
- Strictly control, monitor, and enforce egress policies to detect and prevent unauthorized outbound data transfers.
- Harden third-party and SaaS OAuth access using identity-based policies and least-privilege principles.
- Regularly audit and segment internal app-to-app and workload traffic using microsegmentation to contain potential lateral movement.
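As an added example (not code from the page's author or from Salesforce or Gainsight), the following script illustrates two of the controls above: auditing OAuth connected apps for over-broad scopes (least privilege) and flagging a connected app whose daily row reads jump far above its own baseline (anomalous API activity). The record layout, app names, scope strings and row counts are constructed assumptions, not real telemetry.

```python
"""Audit constructed connected-app activity for over-broad OAuth scopes and
anomalous bulk reads (added example; field names are assumptions)."""
from collections import defaultdict
from statistics import mean

# Constructed sample records, loosely modelled on per-app API usage events.
# "scopes" is the OAuth scope string granted to the app; "rows" is the number
# of records the app read on that day.
EVENTS = [
    {"app": "CS-Connector", "scopes": "api refresh_token", "rows": 900, "day": 1},
    {"app": "CS-Connector", "scopes": "api refresh_token", "rows": 1100, "day": 2},
    {"app": "CS-Connector", "scopes": "api refresh_token", "rows": 950, "day": 3},
    {"app": "CS-Connector", "scopes": "api refresh_token", "rows": 48000, "day": 4},
    {"app": "Billing-Sync", "scopes": "full refresh_token", "rows": 200, "day": 1},
    {"app": "Billing-Sync", "scopes": "full refresh_token", "rows": 210, "day": 4},
]

# Scopes that exceed least privilege for a typical third-party connector.
BROAD_SCOPES = {"full"}


def broad_scope_apps(events):
    """Return the sorted set of apps granted any scope in BROAD_SCOPES."""
    return sorted({e["app"] for e in events
                   if BROAD_SCOPES & set(e["scopes"].split())})


def volume_anomalies(events, factor=10.0, min_history=2):
    """Flag (app, day, rows) where a day's reads exceed factor times the mean
    of that app's earlier days; at least min_history earlier days are needed
    before a baseline is trusted."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["day"]):
        by_app[e["app"]].append(e)
    flagged = []
    for app, recs in by_app.items():
        for i, rec in enumerate(recs):
            history = [r["rows"] for r in recs[:i]]
            if len(history) >= min_history and rec["rows"] > factor * mean(history):
                flagged.append((app, rec["day"], rec["rows"]))
    return flagged


if __name__ == "__main__":
    print("over-broad scopes:", broad_scope_apps(EVENTS))
    print("bulk-read anomalies:", volume_anomalies(EVENTS))
```

Both findings would feed the token-revocation and alerting steps the brief describes: an app with "full" scope is a candidate for scope reduction, and a sudden bulk read by an otherwise steady connector is the pattern worth an immediate review.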