Overview
- Salesforce detected unusual activity tied to Gainsight‑published apps, revoked all related access and refresh tokens, and delisted the apps from the AppExchange while notifying affected customers.
- Google’s Threat Intelligence Group says it is aware of more than 200 potentially affected Salesforce instances and assesses the campaign as likely linked to the ShinyHunters/UNC6240 cluster.
- ShinyHunters and affiliated actors have claimed responsibility and are threatening extortion, asserting they obtained data from many organizations across the Salesloft and Gainsight campaigns.
- Gainsight reports API calls from non‑whitelisted IPs via its Connected App, has engaged Mandiant for an independent forensic investigation, and has temporarily disabled its HubSpot and Zendesk connectors as a precaution.
- Gainsight says three customer orgs are currently known to be impacted as investigations continue, and responders advise all customers to audit third‑party integrations, revoke unused or suspicious tokens, and rotate credentials.