Salesforce recently disclosed a new third-party data breach, which security experts believe is connected to the notorious ShinyHunters hacking group. This incident involves suspicious activity linked to Gainsight-published applications that were installed and managed directly by Salesforce customers. According to Austin Larsen, a principal analyst with Google Threat Intelligence Group, the activity is likely related to UNC6240 (also known as ShinyHunters), and threat hunters are aware of over 200 potentially affected Salesforce instances. The CRM giant acknowledged in a security advisory that this activity “may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection.”
Following the detection of the activity, Salesforce quickly moved to mitigate the threat. A company spokesperson, Allen Tsai, confirmed that Salesforce revoked all active access and refresh tokens associated with the compromised Gainsight-published applications and temporarily removed them from the AppExchange while the investigation is ongoing. Tsai declined to provide specific details about the breach, such as the total number of compromised customers, but stated that all affected parties have been notified. He emphasized that the issue did not result from any vulnerability within the core Salesforce platform itself, but rather appeared to be linked to the application’s external connection to the platform.
Although Salesforce has refrained from publicly naming a specific threat group, Google’s threat intelligence analysis strongly points to ShinyHunters. This is the same cybercriminal entity responsible for the earlier breach of the SalesLoft’s Drift application this year, which resulted in the theft of OAuth tokens used to gain access to numerous organizations’ Salesforce instances. Larsen noted on LinkedIn that the Google Threat Intelligence Group (GTIG) has observed actors tied to ShinyHunters compromising third-party OAuth tokens to potentially gain unauthorized access to customer instances.
Google’s Mandiant incident response team is actively collaborating with Salesforce to ensure all potentially affected organizations are properly notified. Larsen used this incident as a critical warning for all companies, urging them to immediately “audit their SaaS environments.” This recommended security hygiene includes conducting regular and thorough reviews of all third-party applications that are connected to their Salesforce instances to ensure their safety and necessity.
Furthermore, the Google analyst advised organizations to take proactive measures, such as investigating and immediately revoking tokens for any applications that are unused or appear suspicious. Should any anomalous activity be detected within their systems, companies are strongly advised to “rotate the credentials immediately” to prevent further unauthorized access and potential data exfiltration.
Reference:
