Salesforce hit by network compromise
Incident
Summary
Salesforce revoked refresh tokens and temporarily removed Gainsight-published applications after detecting unusual activity that may have enabled unauthorized access to certain customers' Salesforce data. The issue appears tied to the apps' external connection rather than a flaw in the CRM platform, and the investigation is ongoing. Impacted customers were notified while Salesforce continued containment.
Related Happenings
Optimizely hit by network compromise
Incident
First: 23.02.2026 20:04
Last: 23.02.2026 20:04
Sources 1
About this happening:
**Optimizely** confirmed a **voice-phishing breach** that exposed **basic business contact information**, creating a limited but real follow-on phishing risk. The intrusion touche...
Rising encryptionless extortion incidents against enterprises in 2025
Target Trend
First: 15.01.2026 17:45
Last: 15.01.2026 17:45
Sources 1
About this happening:
**Encryptionless extortion** surged in **2025** as attackers increasingly skipped ransomware encryption and instead stole data to pressure victims across **enterprise environments...
ShinyHunters Salesforce extortion campaign against global companies in 2025
Campaign
First: 15.01.2026 17:45
Last: 15.01.2026 17:45
Sources 1
About this happening:
The **ShinyHunters** campaign now includes a **Qantas** breach disclosed after the airline found a **June 30, 2025** intrusion in a **third-party platform** used by one customer s...
Gainsight hit by network compromise
Incident
First: 27.11.2025 09:03
Last: 27.11.2025 09:03
Sources 1
About this happening:
Gainsight disclosed a **customer-impacting unauthorized access incident** in its **Salesforce-connected applications**, and the scope has expanded to more customers than first tho...
ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps
Campaign
First: 21.11.2025 07:32
Last: 21.11.2025 07:32
Sources 1
How related:
In a Salesforce security advisory, also published on November 20, the firm noted it had identified unusual activity involving Gainsight-published applications connected to Salesforce.
About this happening:
The **ShinyHunters (UNC6240)** campaign targeting **Gainsight-published applications connected to Salesforce** is expanding a multi-organization SaaS integration abuse pattern tha...
Timeline
- 20.11.2025 18:47 · 2 articles · 6mo ago
Salesforce identifies unusual activity in Gainsight-published applications
Initial Disclosure: Salesforce identified unusual activity involving Gainsight-published applications connected to its CRM environment, assessed that the activity may have enabled unauthorized access to certain customers' Salesforce data through the app connection, revoked active access and refresh tokens, temporarily removed the applications from AppExchange, and notified impacted customers.
Sources:
- Salesforce investigates customer data theft via Gainsight breach — www.bleepingcomputer.com — 20.11.2025 18:47
- Gainsight Cyber-Attack Affect More Salesforce Customers — www.infosecurity-magazine.com — 26.11.2025 14:05