A sophisticated supply chain attack has compromised sensitive data across hundreds of organizations after threat actors exploited the trusted integration between customer success platform Gainsight and CRM leader Salesforce. More than 200 companies may be affected.
The cybercriminal group ShinyHunters has claimed responsibility, marking this as one of the most impactful SaaS-based intrusions of 2025.
How the Attack Happened: Stolen OAuth Tokens, Not a Salesforce Breach
Rather than breaching Salesforce directly, attackers exploited the trusted connection established by Gainsight applications via OAuth.
On November 20, 2025, Salesforce detected unusual activity and took emergency containment steps, disabling all connections from Gainsight-published apps.
According to Salesforce, unauthorized access occurred through the external integration—not from any flaw in its own platform.
Why OAuth Tokens Are the Perfect Target
The Google Threat Intelligence Group, supported by researchers from Mandiant, confirmed the attackers used compromised OAuth tokens to impersonate trusted integrations.
OAuth tokens act as digital access keys that allow apps to communicate without requiring constant logins. When stolen, threat actors can:
- Bypass MFA
- Evade traditional login detection
- Access or exfiltrate sensitive corporate data
- Move laterally between cloud services undetected
This tactic mirrors similar SaaS supply chain attacks involving tools like Salesloft and Drift.
Impact: 200+ Organizations Potentially Compromised
Affected companies may have experienced unauthorized data access where attackers used the permissions granted to the Gainsight integration to perform:
- Reconnaissance
- Data exfiltration
- Multi-tenant environment probing
- Credential harvesting
Salesforce and Mandiant are actively notifying impacted customers.
As of now, Gainsight integrations remain disabled globally until further notice.
Critical Warning for SaaS Administrators
This incident highlights a growing cybersecurity reality:
Identity and token theft has become more dangerous than exploiting software vulnerabilities.
Organizations using interconnected SaaS platforms should act immediately.
Immediate Actions Recommended
1. Audit All Connected Apps in Salesforce
Remove unused or suspicious integrations immediately.
2. Revoke OAuth Tokens
Revoke tokens issued to Gainsight apps and to any integration showing anomalous activity.
3. Rotate Credentials
Assume compromise if unusual access patterns are observed.
4. Monitor Official Advisories
Expect ongoing updates from both Salesforce and Gainsight.
5. Implement Continuous Third-Party Access Reviews
Many companies grant wide SaaS permissions that are never revisited.
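A triage pass that covers steps 1, 2 and 5 above, as an added example (not Salesforce's or Gainsight's own tooling). It assumes an exported list of connected-app token records; the field names loosely follow Salesforce's OauthToken object but that mapping, the allowlist and the sample rows are constructed here.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of connected-app token records. Field names loosely follow
# Salesforce's OauthToken object (AppName, UserId, LastUsedDate, UseCount), but that
# mapping is an assumption; adapt it to whatever your export actually contains.
SAMPLE_TOKENS = [
    {"Id": "tok-001", "AppName": "Gainsight", "UserId": "005A01",
     "LastUsedDate": "2025-11-19T12:23:17Z", "UseCount": 1540},
    {"Id": "tok-002", "AppName": "Slack", "UserId": "005A02",
     "LastUsedDate": "2025-11-15T08:00:00Z", "UseCount": 310},
    {"Id": "tok-003", "AppName": "Legacy Reporting Tool", "UserId": "005A03",
     "LastUsedDate": "2025-06-01T10:00:00Z", "UseCount": 12},
    {"Id": "tok-004", "AppName": "DocuSign", "UserId": "005A04",
     "LastUsedDate": "2025-07-01T09:30:00Z", "UseCount": 44},
]
APPROVED_APPS = {"Slack", "DocuSign"}        # constructed allowlist of reviewed integrations
DISABLED_PUBLISHERS = {"Gainsight"}          # publisher whose apps Salesforce disabled
REVIEW_DATE = datetime(2025, 11, 21, tzinfo=timezone.utc)  # constructed review date


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_tokens(tokens, approved_apps=APPROVED_APPS,
                  disabled_publishers=DISABLED_PUBLISHERS,
                  now=REVIEW_DATE, stale_days=90):
    """Return {token_id: [reasons]} for every token that should be revoked or reviewed:
    tokens of a disabled publisher, tokens of apps nobody has approved, and grants
    that have not been used within `stale_days` (permissions never revisited)."""
    findings = {}
    for tok in tokens:
        reasons = []
        app = tok["AppName"]
        if app in disabled_publishers:
            reasons.append("publisher-disabled: revoke")
        elif app not in approved_apps:
            reasons.append("not-on-allowlist: review owner")
        if now - parse_ts(tok["LastUsedDate"]) > timedelta(days=stale_days):
            reasons.append(f"unused-{stale_days}d: revoke")
        if reasons:
            findings[tok["Id"]] = reasons
    return findings


if __name__ == "__main__":
    for token_id, reasons in triage_tokens(SAMPLE_TOKENS).items():
        print(token_id, "->", "; ".join(reasons))
```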
Indicators of Compromise (IoCs)
Below is the table of confirmed IoCs linked to the ShinyHunters campaign against Gainsight–Salesforce integrations.
| IOC Type | Value | First Seen (UTC) | Last Seen (UTC) | Activity |
|---|---|---|---|---|
| IP Address | 104.3.11[.]1 | 2025-11-08 13:11:29 | 2025-11-08 13:15:23 | AT&T IP; reconnaissance & unauthorized access |
| IP Address | 198.54.135[.]148 | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Mullvad VPN; reconnaissance & unauthorized access |
| IP Address | 198.54.135[.]197 | 2025-11-16 22:00:56 | 2025-11-16 22:06:57 | Mullvad VPN proxy; reconnaissance |
| IP Address | 198.54.135[.]205 | 2025-11-18 10:43:55 | 2025-11-18 12:09:35 | Mullvad VPN proxy; unauthorized access |
| IP Address | 146.70.171[.]216 | 2025-11-18 20:21:48 | 2025-11-18 20:50:13 | Mullvad VPN proxy |
| IP Address | 169.150.203[.]245 | 2025-11-18 20:54:02 | 2025-11-18 23:04:12 | Surfshark VPN proxy |
| IP Address | 172.113.237[.]48 | 2025-11-18 21:23:29 | 2025-11-18 21:51:32 | NSocks VPN proxy |
| IP Address | 45.149.173[.]227 | 2025-11-18 22:05:15 | 2025-11-18 22:05:18 | Surfshark VPN proxy |
| IP Address | 135.134.96[.]76 | 2025-11-19 08:26:18 | 2025-11-19 10:30:37 | IProxyShop VPN |
| IP Address | 65.195.111[.]21 | 2025-11-19 10:57:37 | 2025-11-19 10:59:19 | IProxyShop VPN |
| IP Address | 65.195.105[.]81 | 2025-11-19 11:17:51 | 2025-11-19 11:48:07 | Nexx VPN |
| IP Address | 65.195.105[.]153 | 2025-11-19 12:23:17 | 2025-11-19 12:23:35 | ProxySeller VPN |
| IP Address | 45.66.35[.]35 | 2025-11-19 12:47:43 | 2025-11-19 12:47:45 | Tor proxy |
| IP Address | 146.70.174[.]69 | 2025-11-19 12:47:49 | 2025-11-19 12:47:49 | Proton VPN |
| IP Address | 82.163.174[.]83 | 2025-11-19 14:30:36 | 2025-11-19 22:26:46 | ProxySeller VPN |
| IP Address | 3.239.45[.]43 | 2025-10-23 00:17:22 | 2025-10-23 00:45:36 | AWS IP; reconnaissance via compromised tokens |
| User Agent | python-requests/2.28.1 | 2025-11-08 13:11:19 | 2025-11-08 13:15:01 | Not a Gainsight app UA; suspicious |
| User Agent | python-requests/2.32.3 | 2025-11-16 21:48:03 | 2025-11-16 21:48:03 | Unauthorized UA |
| User Agent | python/3.11 aiohttp/3.13.1 | 2025-10-23 00:00:00 | 2025-10-23 00:01:00 | Unrecognized UA pattern |
| User Agent | Salesforce-Multi-Org-Fetcher/1.0 | 2025-11-18 22:05:13 | 2025-11-19 22:24:01 | Used by attackers; seen in similar campaigns |
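The IoCs in the table applied to API activity records, as an added example (not code from the article or from Salesforce). The indicator values are the ones listed above; the CSV export format, its column names and the log rows are constructed for the example, and the "scripting UA on an app session" rule generalizes the table's note that python-requests is not a Gainsight app user agent.

```python
import csv
import io
from ipaddress import ip_address

# IoC values from the table above, kept in the de-fanged "[.]" form and restored at load time.
IOC_IPS_DEFANGED = [
    "104.3.11[.]1", "198.54.135[.]148", "198.54.135[.]197", "198.54.135[.]205",
    "146.70.171[.]216", "169.150.203[.]245", "172.113.237[.]48", "45.149.173[.]227",
    "135.134.96[.]76", "65.195.111[.]21", "65.195.105[.]81", "65.195.105[.]153",
    "45.66.35[.]35", "146.70.174[.]69", "82.163.174[.]83", "3.239.45[.]43",
]
IOC_USER_AGENTS = {
    "python-requests/2.28.1", "python-requests/2.32.3",
    "python/3.11 aiohttp/3.13.1", "Salesforce-Multi-Org-Fetcher/1.0",
}
# Generic scripting clients that a packaged connected app would not normally present.
SCRIPTING_UA_PREFIXES = ("python-requests", "python")


def refang(value: str) -> str:
    """Turn a de-fanged indicator such as 1.2.3[.]4 back into a real address."""
    return value.replace("[.]", ".")


IOC_IPS = {ip_address(refang(v)) for v in IOC_IPS_DEFANGED}

# Constructed sample export; the column names are an assumption, not Salesforce's schema.
SAMPLE_LOG = """timestamp,user,source_ip,user_agent,connected_app
2025-11-18T22:05:13Z,svc.gainsight@example.com,45.149.173.227,Salesforce-Multi-Org-Fetcher/1.0,Gainsight
2025-11-18T09:00:00Z,jane@example.com,203.0.113.7,Mozilla/5.0 (Windows NT 10.0) Chrome/130.0,
2025-11-19T12:23:20Z,svc.gainsight@example.com,203.0.113.50,python-requests/2.31.0,Gainsight
2025-11-19T14:30:40Z,svc.gainsight@example.com,82.163.174.83,Gainsight-Connector/5.2,Gainsight
"""


def scan_events(csv_text: str):
    """Return [(timestamp, user, [reasons])] for rows matching an IoC IP, an IoC user
    agent, or a connected-app session driven by a generic scripting client."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if ip_address(row["source_ip"]) in IOC_IPS:
            reasons.append("ioc-ip")
        if row["user_agent"] in IOC_USER_AGENTS:
            reasons.append("ioc-user-agent")
        elif row["connected_app"] and row["user_agent"].split("/")[0] in SCRIPTING_UA_PREFIXES:
            reasons.append("scripting-ua-on-app-session")
        if reasons:
            hits.append((row["timestamp"], row["user"], reasons))
    return hits
```

The third sample row shows why the prefix rule matters: a python-requests version not in the table still stands out on a session that claims to be the Gainsight connected app.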
Conclusion
The Gainsight–Salesforce OAuth breach underscores a critical truth: third-party SaaS integrations are now one of the weakest links in enterprise security. As attackers continue targeting identity tokens instead of platform vulnerabilities, organizations must make continuous SaaS access governance a core part of their cybersecurity strategy.