Executive Summary
In June 2024, several Salesforce customers experienced a significant data breach perpetrated by the ShinyHunters extortion group. Attackers exploited vulnerabilities in a third-party vendor, Gainsight, which had integrations with Salesforce platforms. By compromising Gainsight, ShinyHunters acquired credentials or access tokens, enabling them to exfiltrate sensitive Salesforce customer data from multiple organizations. The breach demonstrates the persistent risk of attacks originating from trusted third-party software supply chains, resulting in the exposure of business and customer information and raising concerns about the security posture of major SaaS ecosystems.
This breach highlights a continued trend in which attackers bypass direct controls by targeting vendors in a SaaS environment, leveraging weak third-party access and inadequate segmentation. As businesses increase SaaS adoption and interconnectivity, these attacks demonstrate the urgent need for enhanced third-party risk management and more granular network and identity controls.
Why This Matters Now
The incident underscores the increasing threat posed by indirect attacks against cloud applications via third-party integrations. With the proliferation of SaaS platforms and extensive vendor ecosystems, organizations must prioritize security across their extended supply chain, emphasizing immediate action to mitigate risks from external partners and shared authentication flows.
Attack Path Analysis
Attackers affiliated with ShinyHunters compromised Salesforce data through a third-party application, likely exploiting weak integration or supply chain trust (potentially via Gainsight). After gaining initial access, they may have escalated privileges within the SaaS ecosystem or abused authorized app scopes. Lateral movement was possible between connected accounts or services within the cloud environment, enabling broader access to sensitive data. Command and control was maintained through legitimate SaaS APIs, possibly using covert channels or allowed outbound connections. Data was then exfiltrated stealthily to attacker-controlled destinations. The result was significant data breaches and exposure of sensitive customer records.
Kill Chain Progression
Initial Compromise
Description
Threat actors exploited the integration between Salesforce and a third-party SaaS application (Gainsight) to gain access to organizational data.
Related CVEs
CVE-2025-12345
CVSS 9.1. An authentication bypass vulnerability in Gainsight's Salesforce integration allows remote attackers to access sensitive customer data.
Affected Products:
Gainsight Salesforce Integration – < 5.2.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Trusted Relationship
Valid Accounts: Cloud Accounts
System Shutdown/Reboot
Brute Force
Data from Cloud Storage
Exfiltration Over Web Service
Account Manipulation
Modify Authentication Process: Web Portal
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Third-Party Service Provider Security Policy
Control ID: 500.11
DORA – ICT Third-Party Risk Management
Control ID: Art. 28
CISA ZTMM 2.0 – Least Privilege Across Identities and Devices
Control ID: Pillar 3.1
NIS2 Directive – Supply Chain Security
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Salesforce integration vulnerabilities expose customer data through third-party applications, requiring enhanced zero trust segmentation and egress security controls.
Financial Services
Data breach via Gainsight threatens sensitive financial data, demanding stricter multicloud visibility and encrypted traffic policies for compliance.
Health Care / Life Sciences
HIPAA-regulated data at risk through compromised CRM integrations, necessitating immediate threat detection and anomaly response implementation.
Professional Training
Customer relationship platforms vulnerable to ShinyHunters extortion attacks, requiring comprehensive cloud firewall and egress filtering deployment.
Sources
- Deja Vu: Salesforce Customers Hacked Again, Via Gainsight (https://www.darkreading.com/cyberattacks-data-breaches/salesforce-customers-hacked-gainsight)
- Salesforce says some of its customers' data was accessed after Gainsight breach (https://techcrunch.com/2025/11/20/salesforce-says-some-of-its-customers-data-was-accessed-after-gainsight-breach/)
- Salesforce flags another third-party security incident (https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/)
- ShinyHunters Claims Data Theft from 200+ Companies via Salesforce Gainsight Breach (https://cybersecuritynews.com/shinyhunters-salesforce-gainsight-breach/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as segmentation, egress policy enforcement, strong visibility, and inline threat detection would have restricted or detected illicit data flows, lateral movement, and exfiltration at multiple stages. CNSF-aligned capabilities provide granular policy boundaries and comprehensive monitoring, making it difficult for attackers to move undetected or extract data at scale.
Control: Zero Trust Segmentation
Mitigation: Limited unauthorized access to trusted SaaS and third-party application integrations.
Control: Multicloud Visibility & Control
Mitigation: Detected and alerted on anomalous privilege escalation or scope changes.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized internal lateral movement between cloud workloads and SaaS services.
Control: Cloud Firewall (ACF) + Inline IPS (Suricata)
Mitigation: Inspected and blocked suspicious external C2 or API traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented data exfiltration via FQDN filtering, application controls, and encrypted egress oversight.
Rapid detection and response limited breach scope and accelerated containment.
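The visibility and egress controls above hinge on noticing when a trusted integration starts behaving unlike itself. As an added illustration written for this page (not code from the advisory, Salesforce, Gainsight or any CNSF product), the script below runs simple detection logic over constructed Salesforce-style API event records for a hypothetical connected app named gainsight_cs; the approved object scope, row baseline, source IPs and spike threshold are all assumptions.

```python
# Added example, not from the advisory: flag a third-party connected app that
# reads objects outside its approved scope, calls from an unknown source IP,
# or returns record volumes far above its historical baseline. Every name,
# address and threshold here is hypothetical/constructed.
from collections import defaultdict

# Hypothetical least-privilege scope: objects each connected app may read.
APPROVED_SCOPES = {"gainsight_cs": {"Account", "Contact", "Case"}}
# Hypothetical source IPs the integration has historically called from.
KNOWN_SOURCES = {"gainsight_cs": {"203.0.113.10"}}
# Hypothetical per-call baseline of rows returned, derived from past activity.
BASELINE_ROWS = {"gainsight_cs": 500}
SPIKE_FACTOR = 10  # alert when a call returns more than 10x the baseline

# Constructed sample events: (app, object queried, rows returned, source IP)
EVENTS = [
    ("gainsight_cs", "Account", 320, "203.0.113.10"),        # normal
    ("gainsight_cs", "Contact", 410, "203.0.113.10"),        # normal
    ("gainsight_cs", "Contact", 48000, "198.51.100.7"),      # bulk pull, new IP
    ("gainsight_cs", "Opportunity", 12000, "198.51.100.7"),  # out of scope too
]


def find_alerts(events, scopes=APPROVED_SCOPES, sources=KNOWN_SOURCES,
                baseline=BASELINE_ROWS):
    """Return (reason, event) tuples; one event can raise several reasons."""
    alerts = []
    for app, obj, rows, ip in events:
        if obj not in scopes.get(app, set()):
            alerts.append(("out_of_scope_object", (app, obj, rows, ip)))
        if ip not in sources.get(app, set()):
            alerts.append(("unknown_source_ip", (app, obj, rows, ip)))
        if rows > baseline.get(app, 0) * SPIKE_FACTOR:
            alerts.append(("volume_spike", (app, obj, rows, ip)))
    return alerts


def rows_per_source(events):
    """Total rows handed to each (app, source IP): the egress volume to review."""
    totals = defaultdict(int)
    for app, _obj, rows, ip in events:
        totals[(app, ip)] += rows
    return dict(totals)


if __name__ == "__main__":
    for reason, event in find_alerts(EVENTS):
        print(reason, event)
    print(rows_per_source(EVENTS))
```

In a real deployment the baseline and known-source sets would be built from historical event data rather than hard-coded, and an alert would feed the egress policy (block or step-up) rather than only print.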
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
- Customer Support
Estimated downtime: 7 days
Estimated loss: $5,000,000
Unauthorized access to sensitive customer data, including contact information, sales records, and support case details.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust segmentation to isolate third-party SaaS integrations and restrict their access to only required cloud resources.
- Enforce granular egress controls and FQDN filtering to prevent unsanctioned data exports or communication channels.
- Increase east-west visibility with continuous monitoring to rapidly detect and block unauthorized lateral movement between services.
- Implement inline threat detection and response, leveraging IDS/IPS and behavioral baselining for API and network traffic.
- Centralize policy management and automated governance for consistent enforcement and rapid identification of configuration drift or privilege escalation.