Key Takeaways
- Breach Source: ShinyHunters group compromised Gainsight-published apps.
- Impact: Unauthorised access to Salesforce customer data of up to 1,000 firms.
- Root Cause: Stolen credentials/tokens from a previous vendor hack, not a Salesforce vulnerability.
- Mitigation: Salesforce revoked tokens; Gainsight suspended integrations.
The hacking group ShinyHunters claims to have breached Gainsight-published apps integrated with Salesforce and to have accessed data from up to 1,000 firms. The attackers used stolen credentials and compromised tokens to bypass normal authentication and gain unauthorised access to Salesforce customer data through the Gainsight connection.
How did Salesforce respond?
Salesforce confirmed that some customers’ data may have been exposed, though it clarified that the breach stemmed not from a vulnerability in its own platform but from the external Gainsight apps. As a mitigation, Salesforce revoked all active access tokens for the affected Gainsight apps and removed them from its AppExchange.
How was access gained?
According to public claims, ShinyHunters obtained access through a previous hack involving another vendor, which provided them with secrets that allowed broader access. The group alleges that the breach affected major companies across different industries, including tech firms and large enterprises.
In response, Gainsight has engaged a third-party cybersecurity firm to investigate, suspended all integrations via Salesforce, and disabled related connectors (e.g. Zendesk) to prevent further misuse. Many organisations are now forced to audit their integrations, revoke OAuth tokens, and reassess their exposure, especially those relying on third-party SaaS supply chain connections.
What does this mean for supply chain security?
The incident underscores broader concerns about the security risks of SaaS supply chain dependencies. When third-party apps hold broad privileges and rely on tokens or credentials, a breach at the third party can cascade into exposure for every connected customer, bypassing even well-secured platforms.
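A defender-side triage of the kind the audit described above calls for, added here as an example and not code from Salesforce, Gainsight or this article: it walks a constructed connected-app token inventory and flags tokens from a publisher reported compromised, tokens with broad scopes, tokens unused for months, and tokens issued under admin accounts. The record fields, scope names and reference date are this example's own assumptions, not any vendor's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed records standing in for an export of a platform's connected-app /
# OAuth token inventory. Field names are this example's own, not any vendor's API.
@dataclass(frozen=True)
class IntegrationToken:
    app: str
    publisher: str
    scopes: frozenset
    last_used: datetime
    issued_to_admin: bool

# Scopes that grant far more than a narrow integration usually needs (assumed names).
BROAD_SCOPES = frozenset({"full", "api", "refresh_token"})
STALE_AFTER = timedelta(days=90)

def triage(tokens, compromised_publishers, now):
    """Map each app needing action to the ordered list of reasons for it."""
    findings = {}
    for t in tokens:
        reasons = []
        if t.publisher in compromised_publishers:
            reasons.append("publisher reported compromised: revoke immediately")
        broad = sorted(t.scopes & BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes granted: " + ", ".join(broad))
        if now - t.last_used > STALE_AFTER:
            reasons.append("unused for more than 90 days: revoke")
        if t.issued_to_admin:
            reasons.append("issued under an admin account: re-issue with least privilege")
        if reasons:
            findings[t.app] = reasons
    return findings
NOW = datetime(2025, 11, 25, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_TOKENS = [  # constructed inventory; only the Gainsight publisher name is from the article
    IntegrationToken("Customer Success Sync", "Gainsight",
                     frozenset({"api", "refresh_token"}), NOW - timedelta(days=2), True),
    IntegrationToken("Support Connector", "ExampleVendor",
                     frozenset({"read_contacts"}), NOW - timedelta(days=120), False),
    IntegrationToken("Marketing Sync", "OtherVendor",
                     frozenset({"read_leads"}), NOW - timedelta(days=5), False),
]

def audit_sample():
    return triage(SAMPLE_TOKENS, {"Gainsight"}, NOW)
if __name__ == "__main__":
    for app, reasons in audit_sample().items():
        print(app, "->", "; ".join(reasons))
```

Feed the function the real inventory and the publishers named in a vendor advisory, and the "unused" and "broad scope" findings point at tokens to revoke even when no publisher is currently reported compromised.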