ShinyHunters / UNC6240 OAuth token campaign targeting Gainsight-published Salesforce apps
Campaign
Summary
Hide ▲
Show ▼
The ShinyHunters (UNC6240) campaign targeting Gainsight-published applications connected to Salesforce is expanding a multi-organization SaaS integration abuse pattern that can expose customer data. The operation is associated with OAuth token abuse and is being linked to earlier Salesloft Drift attacks from August. Claims tied to the same activity say data may have been taken from nearly 1,000 organizations, raising the scale of potential unauthorized access.
Related Happenings
Klue Battlecards app Salesforce customer data leak
Data Leak
H score41
First: 19.06.2026 12:03
Last: 19.06.2026 12:03
Sources 1
About this happening:
A **Klue**-related **Salesforce** data leak on **June 12** exposed customer records after an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue...
Klue Battlecards app Salesforce customer data leak
Data LeakAbout this happening: A **Klue**-related **Salesforce** data leak on **June 12** exposed customer records after an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue...
Latest development: 20.06.2026 01:31
Icarus publicly claimed responsibility on its data leak site for the Klue-related Salesforce data theft and pressured Klue and affected organizations to contact the group through Session to avoid publication of stolen data. The same campaign was also tied to additional victims including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity, with most reporting theft from Salesforce instances rather than compromise of their core platforms or infrastructure.
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
H score65
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
UNC6783 BPO compromise campaign targeting downstream companies
CampaignAbout this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
ShinyHunters widespread Okta SSO data theft campaign
Campaign
H score43
First: 03.04.2026 20:41
Last: 03.04.2026 20:41
Sources 1
About this happening:
**ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
ShinyHunters widespread Okta SSO data theft campaign
CampaignAbout this happening: **ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
H score31
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
TikTok for Business phishing campaign using Turnstile and reverse proxy
CampaignAbout this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
ShinyHunters Salesforce Experience Cloud misconfiguration campaign
Campaign
H score87
First: 10.03.2026 12:00
Last: 10.03.2026 12:00
Sources 1
About this happening:
ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...
ShinyHunters Salesforce Experience Cloud misconfiguration campaign
CampaignAbout this happening: ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...
Latest development: 16.04.2026 13:35
ShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.
Timeline
-
21.11.2025 07:32 2 articles · 7mo ago
Salesforce detects OAuth activity via Gainsight-published apps
Initial DisclosureSalesforce detected unusual activity involving Gainsight-published applications connected to Salesforce and said the app connection may have enabled unauthorized access to certain customers' Salesforce data. Salesforce revoked active access and refresh tokens, temporarily removed the applications from AppExchange, and notified impacted customers. Gainsight also temporarily pulled its app from the HubSpot Marketplace while reviewing OAuth access, and Google Threat Intelligence Group linked the activity to ShinyHunters (aka UNC6240) as part of an emerging campaign associated with earlier Salesloft Drift attacks.
Show sources
- Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
- Gainsight Expands Impacted Customer List Following Salesforce Security Alert — thehackernews.com — 27.11.2025 09:03