Unauthorized Data Access via Gainsight-Linked OAuth Activity by Scattered Lapsus$ Hunters
Summary
Salesforce detected unusual activity involving Gainsight-published applications, leading to unauthorized access to customer data. The company revoked all active tokens and removed the apps from AppExchange. The activity is linked to the Scattered Lapsus$ Hunters group, which has claimed responsibility for similar attacks, including a previous breach involving Salesloft Drift. Gainsight has engaged Mandiant for a forensic investigation and disabled connections with Hubspot and Zendesk as a precaution. Organizations are advised to review and revoke tokens for unused or suspicious third-party applications connected to Salesforce.
Timeline
- 21.11.2025 12:15 · 1 article
  Scattered Lapsus$ Hunters Claim Responsibility and Plan Further Actions
  Scattered Lapsus$ Hunters claimed responsibility for the attack targeting Gainsight. The group plans to launch another dedicated leak site if Salesforce does not comply with their demands. Additionally, they advertised an upcoming ransomware-as-a-service (RaaS) offering, allegedly launching on November 24.
  Sources:
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- 21.11.2025 07:32 · 2 articles
  Salesforce Detects Unauthorized Data Access via Gainsight-Linked OAuth Activity
  Salesforce detected unusual activity related to Gainsight-published applications, leading to unauthorized access to customer data. The company revoked all active tokens and removed the apps from AppExchange. The activity is linked to the Scattered Lapsus$ Hunters group, which has claimed responsibility for similar attacks, including a previous breach involving Salesloft Drift. Gainsight has engaged Mandiant for a forensic investigation and disabled connections with Hubspot and Zendesk as a precaution.
  Sources:
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
Information Snippets
- Salesforce detected unusual activity related to Gainsight-published applications, enabling unauthorized access to customer data.
  First reported: 21.11.2025 07:32 · 2 sources, 2 articles
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications and removed them from AppExchange.
  First reported: 21.11.2025 07:32 · 2 sources, 2 articles
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- The activity is linked to the ShinyHunters (UNC6240) group, which has claimed responsibility for similar attacks.
  First reported: 21.11.2025 07:32 · 2 sources, 2 articles
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- ShinyHunters claimed to have stolen data from nearly 1000 organizations through the Salesloft and Gainsight attacks.
  First reported: 21.11.2025 07:32 · 2 sources, 2 articles
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Gainsight was previously impacted by the Salesloft Drift breach, though it is unclear if this played a role in the current incident.
  First reported: 21.11.2025 07:32 · 2 sources, 2 articles
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- The previous breach involved accessing business contact details, including names, email addresses, phone numbers, and product licensing information.
  First reported: 21.11.2025 07:32 · 2 sources, 2 articles
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Organizations are advised to review and revoke tokens for unused or suspicious third-party applications connected to Salesforce.
  First reported: 21.11.2025 07:32 · 2 sources, 2 articles
  - Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity — thehackernews.com — 21.11.2025 07:32
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
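One way to turn the "review and revoke" advice into a repeatable check, as an added example that is not code from the page, from Salesforce or from Gainsight: each third-party OAuth grant is scored against an approved-app allowlist, a publisher revocation list, a staleness threshold and an over-broad-scope test, and anything that fails is queued for revocation. The record shape, the app and publisher names, and the allowlist are constructed assumptions; the only name taken from the page is the Gainsight SFDC Connector.

```python
"""Audit third-party OAuth grants on a CRM tenant against an allowlist.

Added example. The grant records below are constructed; their field names are
an assumption and should be mapped to whatever your tenant's token export uses.
"""
from dataclasses import dataclass
from datetime import date, timedelta

APPROVED_APPS = {"Acme Finance Sync", "HR Onboarding Bot"}   # hypothetical allowlist
REVOKE_PUBLISHERS = {"Gainsight"}   # vendors whose grants are revoked outright
STALE_DAYS = 90                     # unused longer than this => revoke
BROAD_SCOPES = {"full"}             # scopes too wide for an integration account


@dataclass(frozen=True)
class OAuthGrant:
    app_name: str
    publisher: str
    user: str
    last_used: date
    scopes: frozenset


def review_grant(grant: OAuthGrant, today: date) -> list:
    """Return every reason this grant should be revoked (empty list = keep)."""
    reasons = []
    if grant.publisher in REVOKE_PUBLISHERS:
        reasons.append("publisher-revoked")
    if grant.app_name not in APPROVED_APPS:
        reasons.append("app-not-approved")
    if today - grant.last_used > timedelta(days=STALE_DAYS):
        reasons.append("stale")
    if grant.scopes & BROAD_SCOPES:
        reasons.append("broad-scope")
    return reasons


def revocation_plan(grants, today: date) -> dict:
    """Map (app, user) -> reasons for every grant that fails review."""
    plan = {}
    for g in grants:
        reasons = review_grant(g, today)
        if reasons:
            plan[(g.app_name, g.user)] = reasons
    return plan


TODAY = date(2025, 11, 21)  # date of the reports on this page
SAMPLE_GRANTS = [  # constructed sample export
    OAuthGrant("Gainsight SFDC Connector", "Gainsight", "ops@example.com",
               date(2025, 11, 19), frozenset({"api", "refresh_token"})),
    OAuthGrant("Acme Finance Sync", "Acme", "fin@example.com",
               date(2025, 11, 20), frozenset({"api"})),
    OAuthGrant("Legacy Survey Tool", "Unknown Vendor", "mkt@example.com",
               date(2025, 6, 1), frozenset({"full", "refresh_token"})),
]

if __name__ == "__main__":
    for (app, user), why in revocation_plan(SAMPLE_GRANTS, TODAY).items():
        print(f"REVOKE {app} ({user}): {', '.join(why)}")
```

A grant can be flagged for several reasons at once; the recently used Gainsight connector is caught purely by the publisher list, which is the case the page's advice is about.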
- Gainsight identified connection failures resulting from Salesforce revoking active access for the Gainsight SFDC Connector.
  First reported: 21.11.2025 12:15 · 1 source, 1 article
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Gainsight disabled its connections with Hubspot and Zendesk as a precautionary measure.
  First reported: 21.11.2025 12:15 · 1 source, 1 article
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Gainsight engaged Google Cloud-owned Mandiant to assist in the forensic investigation.
  First reported: 21.11.2025 12:15 · 1 source, 1 article
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Scattered Lapsus$ Hunters claimed responsibility for the attack targeting Gainsight.
  First reported: 21.11.2025 12:15 · 1 source, 1 article
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Scattered Lapsus$ Hunters plan to launch another dedicated leak site if Salesforce does not comply with their demands.
  First reported: 21.11.2025 12:15 · 1 source, 1 article
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
- Scattered Lapsus$ Hunters advertised an upcoming ransomware-as-a-service (RaaS) offering, allegedly launching on November 24.
  First reported: 21.11.2025 12:15 · 1 source, 1 article
  - New Gainsight Supply Chain Hack Could Affect Salesforce Customers — www.infosecurity-magazine.com — 21.11.2025 12:15
Similar Happenings
Discord User Data Compromised in Third-Party Breach
Hackers claim to have stolen data from 5.5 million unique Discord users after compromising a third-party customer service provider. The attack occurred on September 20, 2025, affecting users who interacted with Discord’s customer support and/or Trust and Safety teams. The breach appears to be financially motivated, with hackers demanding a ransom. The Scattered Lapsus$ Hunters (SLH) threat group claimed responsibility for the attack, stating they breached a Zendesk instance used by Discord for customer support. The compromised data includes real names, usernames, email addresses, contact details, IP addresses, messages, attachments, photos of government-issued identification documents, partial billing information, and purchase history. Discord took immediate action to isolate the support provider from its ticketing system and launched an investigation with the help of a forensics firm and law enforcement. The hackers also accessed corporate data, including training materials and internal presentations. Discord has notified law enforcement and relevant data protection authorities about the incident. No full credit card numbers, CVV codes, passwords, or authentication data were compromised. Additionally, no messages or activity on Discord outside of communication with customer support were obtained by the attackers.
Supply Chain Attack on Drift via OAuth Token Theft
A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft, the parent company, took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data. The attack underscores the risks associated with third-party integrations and the importance of robust security measures in enterprise defenses.
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. 
UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat groups ShinyHunters and Scattered Spider claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single-entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing, or vishing, and was recently observed using social engineering to pose as IT support staff to get into Salesforce environments.
UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
Public exploit for chained SAP NetWeaver flaws enables remote code execution
A new exploit combining two critical vulnerabilities in SAP NetWeaver has been publicly released. The exploit chains CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution. The flaws were patched in April and May 2025 but were exploited as zero-days since at least March. Multiple threat actors, including ransomware groups and espionage crews, have weaponized these vulnerabilities. The exploit allows unauthenticated attackers to execute arbitrary commands, upload files, and take over affected systems. The exploit was released on a Telegram channel representing Scattered Spider, ShinyHunters, and LAPSUS$. The vulnerabilities can also be reused in other contexts, potentially affecting additional SAP deserialization flaws patched in July 2025. The attack chain involves using CVE-2025-31324 to access critical functionality and then exploiting CVE-2025-42999 to deserialize the payload and execute code with SAP system privileges. Organizations should apply SAP Security Note 3594142 and Security Note 3604119 to protect against this exploit.
ShinyHunters and Scattered Spider Collaboration
The collaboration between **ShinyHunters** and **Scattered Spider** has expanded beyond Salesforce and financial sector attacks, with a new breach targeting **Almaviva**, the IT services provider for Italy’s national railway operator, **FS Italiane Group**. A threat actor claimed to have stolen **2.3TB of data**, including confidential documents, contracts with public entities, HR archives, and datasets from FS Group companies, leaking the information on a dark web forum. Almaviva confirmed the breach, stating it had isolated the attack, activated countermeasures, and engaged Italian authorities, including the national cybersecurity agency and data protection authority. The leaked data, organized by department and company, aligns with tactics used by ransomware groups in 2024–2025 and is confirmed to be recent (Q3 2025). This incident follows a pattern of high-impact attacks by these groups, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and **breaches at Allianz Life, Farmers Insurance, and Workday**, all linked to Salesforce platform exploitation. The groups have employed **social engineering, OAuth token abuse, vishing, and domain spoofing**, often collaborating under the umbrella of **The Com**, a broader cybercriminal collective. Despite arrests—such as **Scattered Spider members Owen Flowers and Thalha Jubair in the U.K.**—and shutdown announcements, the groups have continued operations, targeting sectors like **financial services, aviation, and now critical infrastructure (rail transport)**. Authorities, including the **FBI and U.K. NCA**, have issued alerts and conducted arrests, but the threat persists with evolving tactics and new victims.