ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps
Campaign
Summary
The ShinyHunters (UNC6240) campaign targeting Gainsight-published applications connected to Salesforce extends a pattern of SaaS integration abuse that spans multiple organizations and can expose customer data. The operation is associated with OAuth token abuse and is being linked to the earlier Salesloft Drift attacks from August. Claims tied to the same activity say data may have been taken from nearly 1,000 organizations, which would raise the scale of potential unauthorized access.
Related Happenings
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
ShinyHunters widespread Okta SSO data theft campaign
Campaign
First: 03.04.2026 20:41
Last: 03.04.2026 20:41
Sources 1
About this happening:
**ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
ShinyHunters Salesforce Experience Cloud misconfiguration campaign
Campaign
First: 10.03.2026 12:00
Last: 10.03.2026 12:00
Sources 1
About this happening:
ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...
Latest development: 16.04.2026 13:35
ShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.
Microsoft Entra device code phishing and vishing campaign
Campaign
First: 19.02.2026 14:30
Last: 19.02.2026 14:30
Sources 1
About this happening:
A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
Timeline
- 21.11.2025 07:32 · 2 articles
Salesforce detects OAuth activity via Gainsight-published apps
Initial Disclosure
Salesforce detected unusual activity involving Gainsight-published applications connected to Salesforce and said the app connection may have enabled unauthorized access to certain customers' Salesforce data. Salesforce revoked active access and refresh tokens, temporarily removed the applications from AppExchange, and notified impacted customers. Gainsight also temporarily pulled its app from the HubSpot Marketplace while reviewing OAuth access, and Google Threat Intelligence Group linked the activity to ShinyHunters (aka UNC6240) as part of an emerging campaign associated with earlier Salesloft Drift attacks.
Sources:
- Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
- Gainsight Expands Impacted Customer List Following Salesforce Security Alert — thehackernews.com — 27.11.2025 09:03