Find notable cyber news and cases, enriched with sources, timelines, and signals.

ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps

Campaign
First reported
Last updated
Happening score
H score 19
1 unique sources, 2 articles

Summary

Hide ▲

The ShinyHunters (UNC6240) campaign targeting Gainsight-published applications connected to Salesforce is expanding a multi-organization SaaS integration abuse pattern that can expose customer data. The operation is associated with OAuth token abuse and is being linked to earlier Salesloft Drift attacks from August. Claims tied to the same activity say data may have been taken from nearly 1,000 organizations, raising the scale of potential unauthorized access.

Related Happenings

Klue Battlecards app Salesforce customer data leak

Data Leak
H score41 First: 19.06.2026 12:03 Last: 19.06.2026 12:03 Sources 1

About this happening: A **Klue**-related **Salesforce** data leak on **June 12** exposed customer records after an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue...

Latest development: 20.06.2026 01:31

Icarus publicly claimed responsibility on its data leak site for the Klue-related Salesforce data theft and pressured Klue and affected organizations to contact the group through Session to avoid publication of stolen data. The same campaign was also tied to additional victims including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity, with most reporting theft from Salesforce instances rather than compromise of their core platforms or infrastructure.

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
H score65 First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

ShinyHunters widespread Okta SSO data theft campaign

Campaign
H score43 First: 03.04.2026 20:41 Last: 03.04.2026 20:41 Sources 1

About this happening: **ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
H score31 First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

ShinyHunters Salesforce Experience Cloud misconfiguration campaign

Campaign
H score87 First: 10.03.2026 12:00 Last: 10.03.2026 12:00 Sources 1

About this happening: ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...

Latest development: 16.04.2026 13:35

ShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.

Timeline

  1. 21.11.2025 07:32 2 articles · 7mo ago

    Salesforce detects OAuth activity via Gainsight-published apps

    Initial Disclosure

    Salesforce detected unusual activity involving Gainsight-published applications connected to Salesforce and said the app connection may have enabled unauthorized access to certain customers' Salesforce data. Salesforce revoked active access and refresh tokens, temporarily removed the applications from AppExchange, and notified impacted customers. Gainsight also temporarily pulled its app from the HubSpot Marketplace while reviewing OAuth access, and Google Threat Intelligence Group linked the activity to ShinyHunters (aka UNC6240) as part of an emerging campaign associated with earlier Salesloft Drift attacks.

    Show sources