Deep Dive Security Assessment: The Gainsight-Salesforce Supply Chain Compromise and the ShinyHunters Extortion Campaign

Table of Contents
- Executive Summary of the Incident
- Technical Details and Attack Vector Analysis
- Institutional Response and Investigation Status
- Threat Actor Claims and Extortion
- Recommended Mitigation and Security Lessons
Executive Summary of the Incident
On November 19, 2025, the global cybersecurity landscape witnessed a significant escalation in SaaS supply-chain threats when Salesforce issued a security advisory regarding "unusual activity" associated with applications published by Gainsight, a leading customer success platform. This incident represents a sophisticated downstream compromise where threat actors, identified as the ShinyHunters collective (operating under the moniker "Scattered Lapsus$ Hunters"), weaponized trusted third-party integrations to bypass traditional perimeter defenses and infiltrate Salesforce customer environments.
The investigation, conducted jointly by Salesforce, Gainsight, and forensic firm Mandiant, determined that the core cause of the breach was not a vulnerability within the Salesforce platform itself, but rather the exploitation of valid OAuth tokens associated with Gainsight's external connection to Salesforce. These tokens, which serve as digital keys authorizing the automated exchange of data between the two platforms, were reportedly compromised via secrets stolen during a preceding attack on Salesloft Drift in August 2025. This "daisy-chain" attack methodology highlights the compounding risk of interconnected SaaS ecosystems, where a breach in one vendor (Salesloft) can cascade through another (Gainsight) to target the ultimate repository of customer data (Salesforce).
In a move that reflected the severity of the threat, Salesforce executed an immediate and comprehensive mitigation strategy by revoking all active access and refresh tokens linked to Gainsight-published applications and temporarily removing these applications from the AppExchange marketplace. While this "kill switch" effectively severed the attackers' persistent access to customer environments, it simultaneously disrupted business operations for organizations relying on Gainsight's services and ignited a debate within the cybersecurity community regarding the preservation of forensic evidence.
The scope of the incident remains a point of contention between official vendor statements and threat actor claims. While Gainsight initially confirmed impact to a limited number of organizations—specifically citing three known compromised entities—and Salesforce notified a subset of affected customers, the threat actors have claimed access to approximately 285 Salesforce instances via the Gainsight vector. When aggregated with the earlier Salesloft campaign, the attackers assert possession of data from nearly 1,000 companies, including major Fortune 500 entities. This report provides an exhaustive analysis of the technical attack vectors, the institutional response, the threat actor's extortion tactics, and the strategic imperatives for securing the "new perimeter" of digital identity.
Technical Details and Attack Vector Analysis
The technical execution of the Gainsight-Salesforce compromise serves as a paradigm for modern SaaS supply-chain attacks. Unlike traditional breaches that rely on zero-day exploits or code injection vulnerabilities within a target's infrastructure, this campaign exploited the trust architecture of the SaaS ecosystem itself. The attack leveraged the OAuth protocol—the industry standard for authorization—to turn legitimate integration features into conduits for unauthorized data exfiltration.
The OAuth Exploitation Mechanism
The forensic consensus, supported by statements from both Salesforce and Gainsight, indicates that the malicious activity originated from the application's external connection rather than a flaw in the Salesforce CRM platform. The mechanism of action relied on the theft and abuse of OAuth tokens.
In a standard Salesforce-Gainsight integration, an administrator grants the Gainsight application permission to access specific data fields within Salesforce. This authorization generates an OAuth token (an access token and a refresh token). The access token allows the application to read or write data, while the refresh token allows the application to generate new access tokens without requiring the user to re-authenticate.
The attack proceeded through the following technical stages:
Token Acquisition: Threat actors obtained valid OAuth tokens or the secrets necessary to generate them. Reports indicate these secrets were harvested from support case data or other repositories compromised during the earlier Salesloft Drift breach.
Authentication Bypass: Possessing these tokens allowed the attackers to impersonate the Gainsight application. Because the tokens were valid, the attackers could bypass standard user authentication measures, including Multi-Factor Authentication (MFA) and Single Sign-On (SSO) controls that would normally protect a user's direct login.
API Exploitation: The attackers utilized the compromised tokens to make API calls to Salesforce instances. Gainsight's internal investigation revealed that the breach was detected when these API calls were observed originating from non-whitelisted IP addresses, indicating that the traffic was coming from the attacker's infrastructure rather than Gainsight's trusted servers.
Persistence and Lateral Movement: The attackers reportedly used the stolen credentials to issue refresh tokens for up to 285 Salesforce instances. This allowed them to maintain persistent access even if the initial access tokens expired, necessitating the eventual mass revocation by Salesforce to break the chain.
The Supply Chain Cascade: Salesloft to Gainsight
A critical finding in the analysis is the intricate linkage between this incident and the compromise of Salesloft Drift in August 2025. The Gainsight breach was not an isolated event but a secondary shockwave resulting from a previous primary impact.
The Salesloft Drift Precursor: In mid-August 2025, the threat group (identified as UNC6395 or ShinyHunters) compromised Salesloft's GitHub account. This initial foothold, which may have been established as early as March, allowed the actors to lurk undetected in the Salesloft development environment. From this vantage point, they stole OAuth tokens and AWS access keys associated with the Salesloft Drift integration.
The Pivot to Gainsight: Among the victims of the Salesloft Drift breach was Gainsight itself. The threat actors utilized the credentials stolen from Salesloft to compromise Gainsight's own environment. Specifically, reports suggest the attackers accessed "support-case data" which contained secrets or tokens that facilitated the subsequent attack on Gainsight's customers. This effectively created a two-hop supply chain attack:
- Hop 1: Attackers compromise Salesloft Drift (via GitHub)
- Hop 2: Attackers use Salesloft-derived access to compromise Gainsight (via support data/tokens)
- Target: Attackers use Gainsight-derived access to infiltrate Salesforce customer instances
Data Exposure and Blast Radius
The objective of the campaign appears to have been widespread data exfiltration for the purpose of extortion. The nature of the data accessible through the Gainsight integration is sensitive, pertaining to customer success and relationship management.
Types of Data Exposed: The compromise potentially exposed a breadth of business-critical information. According to reports on the prior Salesloft breach (which used the same vector) and the specific details published about the Gainsight incident, the accessed data included:
- Business Contact Information: Names, business email addresses, and phone numbers
- Operational Data: Location details, licensing information, and support-case records
- CRM Data: The integration's purpose is to sync customer health data, meaning any data points configured to flow between Salesforce and Gainsight—such as contract values, renewal dates, and customer sentiment scores—were theoretically accessible
Quantifying the Impact: There is a significant divergence regarding the number of impacted entities.
The Vendor View: Gainsight stated that "at the moment only three orgs are known to be impacted" and that the compromise was limited to the "Gainsight CS" product. They asserted that each compromised token was "scoped to a single customer".
The Threat Intelligence View: Researchers from the Google Threat Intelligence Group (GTIG) stated they were aware of "more than 200 potentially affected Salesforce instances".
The Threat Actor View: The ShinyHunters group claimed to have used the stolen tokens to access roughly 285 additional Salesforce instances via the Gainsight vector alone.
This discrepancy suggests that while the potential for compromise was high (hundreds of instances), the actual deep exfiltration might have been limited to a smaller subset before Salesforce's containment measures took effect. Alternatively, the forensic visibility might be limited due to the rapid token revocation, leaving vendors with an incomplete picture compared to the attackers' claims.
Institutional Response and Investigation Status
The response to the Gainsight incident was characterized by a rapid, aggressive containment strategy from Salesforce, followed by a complex forensic investigation involving multiple stakeholders. The immediate priority was the cessation of unauthorized access, even at the cost of operational continuity and forensic granularity.
Salesforce's "Scorched Earth" Containment
On November 19, 2025, at approximately 7:57 PM PST, Salesforce issued a security advisory acknowledging the unusual activity. Recognizing the severity of the OAuth abuse, Salesforce opted for a "kill switch" approach.
Token Revocation: Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications. This action instantly invalidated the credentials the attackers were using, effectively locking them out of customer environments. This decision reflects a prioritization of immediate containment over the "wait and see" approach often used in less critical incidents.
AppExchange Removal: Concurrently, Salesforce temporarily removed the Gainsight applications from the AppExchange marketplace. This prevented new customers from installing the compromised versions and stopped existing customers from inadvertently re-authorizing the application during the active threat window.
Customer Notification: Salesforce initiated direct communication with known affected customers. The company emphasized that the issue was external to the Salesforce platform, framing the response as a protective measure against a third-party compromise.
Gainsight's Operational and Forensic Response
Following Salesforce's intervention, Gainsight acknowledged widespread "connection failures" for its SFDC Connector, confirming that the disruption was a result of the security incident.
Third-Party Forensic Engagement: Gainsight engaged Mandiant, a premier incident response firm owned by Google Cloud, to conduct an independent forensic investigation. This collaboration aimed to validate the root cause, determine the full scope of the compromise, and certify the environment for service restoration.
Precautionary Cross-Platform Blocks: Demonstrating an abundance of caution, Gainsight extended its containment measures beyond Salesforce. The company disabled its connections with other major platforms, including HubSpot and Zendesk. Gainsight explicitly stated that "no suspicious activity related to Hubspot has been observed at this point," describing these steps as purely precautionary to prevent any potential lateral movement to or from other SaaS ecosystems.
Service Restoration Protocol: Gainsight adopted a strict stance on restoration, stating they would not restore API access until the environment was "fully cleared." The company indicated plans to move to a "packaged version" of the Connected App to ensure a clean and secure reset for all customers, requiring manual re-authorization once services resumed.
The Forensic "Blind Spot": Critique of Token Deletion
While Salesforce's decision to revoke and delete tokens was effective for containment, it drew criticism from cybersecurity experts regarding its impact on forensic visibility.
Destruction of Audit Trails: Brian Soby, CTO and co-founder of AppOmni, provided a critical analysis of this action. He noted, "Salesforce has stated that it deleted tokens issued to Gainsight. While well-intentioned, that action also removed the records customers rely on to determine which of their users had granted OAuth access to Gainsight, which is the first step in conducting a proper investigation".
Investigative Hindrance: The deletion of tokens essentially wiped the "Connected Apps OAuth Usage" logs visible to customers. Without these records, security teams faced significant challenges in:
- Identifying which specific users had authorized the app
- Determining the timeline of when permissions were granted
- Auditing the scope of access that had been active prior to revocation
This action forced customers to rely almost exclusively on Salesforce and Gainsight for impact assessments, as their own internal visibility into the integration's history was degraded. While Salesforce maintains internal back-end logs, the customer-facing transparency was compromised by the remediation tactic.
Current Investigation Status
As of the latest updates available:
- Forensic Analysis: The investigation is ongoing, with Gainsight, Salesforce, and Mandiant jointly reviewing security layers
- Timeline for Restoration: Gainsight has not provided a firm timeline, noting that investigations "will take a few days." They have committed to sharing a complete timeline of events only after the investigation concludes
- Technical Support: Gainsight is providing IP ranges and subnets via support tickets to help customers differentiate between legitimate historical traffic and the attacker's non-whitelisted IP activity
Threat Actor Claims and Extortion
The driving force behind this campaign is a notorious cybercriminal collective known as ShinyHunters, which has recently adopted a more aggressive and consolidated brand identity involving "Scattered Spider" and "Lapsus$." Their operations exhibit a shift from covert data theft to overt, high-pressure extortion.
Profile of "Scattered Lapsus$ Hunters"
The threat group has rebranded itself in communications as the "Scattered Lapsus$ Hunters" (SLH) or the "Trinity of Chaos," claiming to be a unification of the ShinyHunters, Scattered Spider, and Lapsus$ groups.
Tactical Evolution:
SaaS Specialization: The group has demonstrated a high degree of proficiency in targeting SaaS environments (Salesforce, Snowflake, AWS) by exploiting the identity layer rather than software vulnerabilities.
Social Engineering: They are known for sophisticated "voice phishing" (vishing) campaigns and the impersonation of IT staff to trick employees into installing malicious tools or granting access.
Supply Chain Focus: The group explicitly targets trusted third-party vendors (like Salesloft and Gainsight) to aggregate victims, describing their strategy as "specializing in high-value corporate data acquisition and strategic breach operations".
Psychological Warfare: The group utilizes psychological tactics to pressure victims and gain notoriety. They have launched a Telegram channel to taunt cybersecurity vendors and researchers, posting screenshots of alleged compromises to validate their claims. Their communications often mock the security industry, positioning themselves as a dominant force that generates higher revenue than established ransomware groups like Qilin or Cl0p.
Extortion Mechanics and the Data Leak Site
The group's business model relies on the threat of data exposure to compel payment.
The Leak Site (DLS): The group operates a data leak site on the Tor network where they list non-compliant victims. They have threatened to launch a specific "dedicated leak site" for the Salesloft and Gainsight campaigns if Salesforce does not comply with their demands.
Volume of Stolen Data: The actors claim the combined data theft from the Salesloft and Gainsight campaigns affects nearly 1,000 organizations and encompasses 1.5 billion records. Specific to the Gainsight vector, they claim access to ~285 instances.
Targeted Victims: The group has explicitly named several Fortune 500 companies as victims of the Gainsight campaign, including Verizon, GitLab, F5, and SonicWall. They stated that "Only actual companies, mainly Fortune 500 will be listed or things I feel would be worth it," indicating a strategic focus on high-value targets to maximize leverage.
Ransomware-as-a-Service (RaaS): In a disturbing escalation, the group advertised an upcoming Ransomware-as-a-Service offering, allegedly scheduled for launch on November 24, 2025. This suggests a move to commoditize their access methods and scale their operations by franchising their infrastructure to other criminals.
Institutional Resistance
Salesforce has adopted an unyielding stance against the extortion attempts.
Refusal to Negotiate: A Salesforce spokesperson categorically stated, "I can confirm Salesforce will not engage, negotiate with or pay for any extortion demand". This refusal aligns with law enforcement guidance but risks the public release of the stolen data.
Disputing the Narrative: Salesforce and the targeted companies have sought to control the narrative by emphasizing that the platform itself remains secure. By isolating the issue to the "external connection" of specific apps, they attempt to delegitimize the attackers' broader claims of "hacking Salesforce".
Recommended Mitigation and Security Lessons
The Gainsight-Salesforce incident serves as a critical case study in the "new perimeter" security paradigm. With identity and integration tokens replacing firewalls as the primary defensive boundary, organizations must adopt proactive mitigation strategies.
Immediate Tactical Mitigation
For organizations potentially affected by the Gainsight compromise, the following steps are mandatory to restore confidence in the integrity of the environment.
1. Inventory and Verification:
- Action: Navigate to Salesforce Setup > Third Party > Connected Apps. Although Salesforce has removed the apps, administrators must verify that no residual configurations or "shadow" integrations remain
- Objective: Confirm the complete removal of the Gainsight connection and identify any other unrecognized third-party apps
2. Credential Rotation (Critical):
- Action: Rotate all sensitive credentials that were accessible to the Gainsight integration. This is not limited to the revoked OAuth tokens. It must include API keys, integration passwords, service account credentials, and any secrets embedded in custom objects or fields that the integration could read
- Context: If the integration had read access to fields storing other system passwords (e.g., an AWS key stored in a custom field), those downstream systems are now at risk
3. Log Analysis and Anomaly Detection:
- Action: Review Salesforce "Login History" and "Event Monitoring" logs
- Specific Indicators: Search for API calls originating from non-whitelisted IP addresses or unusual Bulk API data export activities during the window preceding November 19
- Constraint: Be aware that the "Connected Apps OAuth Usage" history may be incomplete due to Salesforce's token deletion. Focus on raw event logs
4. Least Privilege Enforcement:
- Action: When re-integrating Gainsight (or any app), rigorously review the requested OAuth scopes
- Objective: Ensure the application requests only the minimum necessary permissions. Reject "Full Access" scopes unless absolutely justified by the use case
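As an added example (not part of this report, and not Salesforce or Gainsight tooling), the following Python script runs the log-review and scope-review steps above, together with the non-whitelisted-IP detection described in the attack stages, over constructed sample records. The record layout, the IP allowlist and the app inventory are assumptions; in practice the vendor-supplied IP ranges would replace the placeholder allowlist and the records would come from an Event Monitoring export.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for the vendor-supplied IP ranges (TEST-NET addresses, not real ones)
VENDOR_ALLOWLIST = [ip_network("203.0.113.0/24")]
REVOCATION_DATE = datetime(2025, 11, 19)  # review the window preceding the token revocation
BULK_EXPORT_THRESHOLD = 2                 # more than this many bulk jobs from one source is flagged

# Constructed API-event records in an assumed layout (not the Salesforce Event Monitoring schema)
SAMPLE_EVENTS = [
    {"ts": "2025-11-15T02:10:00", "app": "Gainsight", "ip": "203.0.113.10", "op": "Query", "rows": 120},
    {"ts": "2025-11-17T11:42:00", "app": "Gainsight", "ip": "198.51.100.7", "op": "BulkExport", "rows": 250000},
    {"ts": "2025-11-17T11:55:00", "app": "Gainsight", "ip": "198.51.100.7", "op": "BulkExport", "rows": 180000},
    {"ts": "2025-11-18T03:05:00", "app": "Gainsight", "ip": "198.51.100.7", "op": "BulkExport", "rows": 90000},
    {"ts": "2025-11-18T09:00:00", "app": "Gainsight", "ip": "203.0.113.22", "op": "Query", "rows": 40},
    {"ts": "2025-11-20T08:00:00", "app": "Gainsight", "ip": "198.51.100.7", "op": "Query", "rows": 10},
]

# Constructed Connected App inventory; scope values mirror Salesforce OAuth scope names
SAMPLE_APPS = [
    {"name": "Gainsight", "scopes": ["api", "refresh_token", "full"]},
    {"name": "ReportingTool", "scopes": ["api", "refresh_token"]},
]


def untrusted_ip_calls(events, allowlist=VENDOR_ALLOWLIST, cutoff=REVOCATION_DATE):
    """Return events before the cutoff whose source IP lies outside the vendor allowlist."""
    hits = []
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) >= cutoff:
            continue  # activity after the revocation is out of scope for this review
        src = ip_address(ev["ip"])
        if not any(src in net for net in allowlist):
            hits.append(ev)
    return hits


def bulk_export_hotspots(events, threshold=BULK_EXPORT_THRESHOLD):
    """Return (app, ip) pairs with more than `threshold` bulk export jobs, plus job and row totals."""
    jobs, rows = Counter(), Counter()
    for ev in events:
        if ev["op"] == "BulkExport":
            key = (ev["app"], ev["ip"])
            jobs[key] += 1
            rows[key] += ev["rows"]
    return {key: {"jobs": n, "rows": rows[key]} for key, n in jobs.items() if n > threshold}


def overbroad_apps(apps, forbidden=("full",)):
    """Return names of connected apps whose granted scopes include a broad scope to reject."""
    return [a["name"] for a in apps if any(s in a["scopes"] for s in forbidden)]


if __name__ == "__main__":
    for ev in untrusted_ip_calls(SAMPLE_EVENTS):
        print("untrusted source:", ev["ts"], ev["app"], ev["ip"], ev["op"])
    for (app, ip), stats in bulk_export_hotspots(SAMPLE_EVENTS).items():
        print(f"bulk export hotspot: {app} from {ip}: {stats['jobs']} jobs, {stats['rows']} rows")
    print("over-broad scopes:", overbroad_apps(SAMPLE_APPS))
```

The IP check deliberately ignores events dated on or after the revocation, and the bulk-export count is kept separate so a legitimate source that merely runs many jobs is visible without being mislabelled as untrusted.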
Strategic Security Lessons: Identity is the New Perimeter
This incident validates the industry consensus that the traditional network perimeter is obsolete.
The Rise of SSPM: Organizations must implement SaaS Security Posture Management (SSPM) solutions. As demonstrated by AppOmni and Obsidian Security, manual audits are insufficient to detect the subtle "policy drift" and "over-permissioning" that attackers exploit. Automated monitoring is required to detect when an integration's behavior deviates from the baseline.
Supply Chain Risk Management: The daisy-chain nature of this attack (Salesloft → Gainsight → Customer) highlights that a vendor's security is only as robust as their own supply chain. Security assessments of third-party vendors must now include deep inquiries into how they secure their own development environments (e.g., GitHub) and how they manage secrets for their own integrations.
The "Kill Chain" in SaaS: Salesforce's rapid revocation demonstrated the effectiveness of breaking the kill chain at the token level. However, it also highlighted the need for better forensic readiness. Future SaaS platforms should ideally support "suspension" or "quarantine" of tokens—preserving the audit trail—rather than immediate deletion, to balance containment with forensic necessity.
Conclusion
The compromise of Gainsight-connected Salesforce instances is a stark reminder of the fragility inherent in the hyper-connected SaaS ecosystem. While Salesforce's decisive action to revoke tokens likely averted a more catastrophic data loss event, the incident exposes the sophisticated capability of threat groups like ShinyHunters to navigate the "invisible connections" between trusted vendors. As organizations continue to rely on integrated SaaS stacks, the assumption of trust must be replaced by a regime of continuous verification, rigorous least-privilege scoping, and automated anomaly detection. The identity layer is now the frontline; defending it requires the same vigilance previously afforded to the network edge.