NEWS GitHub as the Entry Point: One Forgotten Salesloft Token Opened the Doors to Hundreds of Corporations' Data for Hackers

ExcalibuR


The chain reaction of compromise has gone so far that the giants are cutting off their own integrations.

The escalating story around the data leak from the Salesforce ecosystem has taken a new turn after the ShinyHunters group claimed involvement in the incident. The events have been unfolding for several months and have affected multiple services that integrate with CRM platforms, and the scale of the consequences continues to grow.

According to ShinyHunters representatives, they gained access to Gainsight several months ago, building on the access that opened up after the Drift integration was compromised. In that earlier campaign, unidentified actors breached a Salesloft GitHub account and extracted the OAuth tokens that the third-party Drift service used to connect to Salesforce. Because an OAuth token acts on behalf of an already-authorized integration, it lets the holder pull data without an interactive login or MFA prompt, so these tokens gave the attackers quiet access to the data of a large number of corporate clients.
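The root cause named above is a credential sitting in a code repository. As an added example, not code from the article, Salesloft, Drift or Salesforce, the following pre-commit scanner shows the kind of check that catches such a token before it is pushed. It assumes two things: that Salesforce session-style access tokens begin with the 15-character org ID (starting with "00D") followed by "!" and an opaque signature, and that any other run of 32 or more opaque characters with Shannon entropy of at least 4.5 bits per character is worth flagging (the threshold is an assumed tuning value). The sample config it scans is constructed for the example.

```python
"""Added example: pre-commit secret scan for the kind of token the article describes.

Not code from the article, Salesloft, Drift or Salesforce. Assumptions:
  * Salesforce session-style access tokens start with the 15-character org ID
    (which begins with "00D") followed by "!" and an opaque signature.
  * Any other 32+ character opaque string with Shannon entropy >= 4.5 bits/char
    is worth flagging (a refresh token or API key typically scores above that).
The sample file below is constructed for the example.
"""
import math
import re
import sys
from dataclasses import dataclass

# Shape of a Salesforce session ID / access token (assumption, see module docstring).
SALESFORCE_SESSION = re.compile(r"\b00D[A-Za-z0-9]{12}![A-Za-z0-9._]{20,}")
# Any run of 32+ base64/URL-safe characters: candidates for the entropy check.
LONG_OPAQUE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
# Obvious placeholders that should not be reported even when they are long.
PLACEHOLDERS = ("example", "changeme", "xxxx", "placeholder")
ENTROPY_THRESHOLD = 4.5  # bits per character (assumed tuning value)


@dataclass
class Finding:
    line_no: int
    kind: str
    token: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only a short prefix so the report does not itself become a leak."""
    return token[:6] + "..." + f"[{len(token)} chars]"


def scan_text(text: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return one Finding per suspicious token, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SALESFORCE_SESSION.search(line)
        if m:
            # A structural match is decisive; skip the weaker entropy test for this line.
            findings.append(Finding(line_no, "salesforce_session_id", m.group(0)))
            continue
        for m in LONG_OPAQUE.finditer(line):
            token = m.group(0)
            if any(p in token.lower() for p in PLACEHOLDERS):
                continue
            if shannon_entropy(token) >= threshold:
                findings.append(Finding(line_no, "high_entropy_string", token))
    return findings


# Constructed sample: a CI helper config someone forgot to add to .gitignore.
SAMPLE_FILE = """# constructed sample, not a real config
SALESFORCE_CLIENT_SECRET = "<replace-with-secret-from-vault>"
SF_SESSION_ID = "00Dxx0000001AbC!AQEAQfake0session0signature0bytes000"
DRIFT_OAUTH_REFRESH_TOKEN = "q7Rm3XkP9vA2LzT0wYhNcB5gJ8sDfUeH6iZoKnV4"
DRIFT_WEBHOOK_URL = "https://example.invalid/hooks/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""


def report(text: str) -> int:
    """Print findings and return their count (non-zero means: block the commit)."""
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.kind}: {redact(f.token)}")
    return len(findings)


if __name__ == "__main__":
    # Pre-commit usage: git diff --cached | python scan_secrets.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FILE
    sys.exit(1 if report(data) else 0)
```

Run against the constructed sample it flags the session ID on line 3 and the refresh token on line 4, while leaving the vault placeholder and the low-entropy webhook path alone. The entropy test is deliberately the fallback: structural patterns for known token formats give fewer false positives, and the placeholder list keeps documentation values out of the report.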

It is reported that during the same campaign the attackers also breached the Gainsight environment. Gainsight is a customer success platform that connects to Salesforce and HubSpot and to supporting systems such as Zendesk. The incident led the company to bring in Mandiant (Google Cloud) specialists to investigate the nature of the activity and the source of the problem. Gainsight says the unauthorized activity came in through the application's external connections and not through a flaw in the Salesforce platform itself.

In response, Salesforce revoked all active access and refresh tokens for Gainsight applications and temporarily removed them from the AppExchange catalog. Zendesk and HubSpot took similar steps, disabling the corresponding connectors until their internal reviews are complete. Salesforce representatives declined to comment in detail but noted that the measures were taken promptly.

According to an assessment by Google's Threat Intelligence Group, the activity is attributed to UNC6240, the cluster tracked under the name ShinyHunters. The group has counted more than two hundred affected Salesforce instances. The source of the compromise is believed to be stolen OAuth tokens, which gave the attackers access to third-party services and, through them, to the Salesforce data those integrations were authorized to read.

Members of ShinyHunters claim they were testing the level of monitoring in Gainsight's systems and that their activity was detected roughly one to two weeks after the initial intrusions began. The group also said it was seeking accomplices inside large companies. Salesforce has previously stated that it does not intend to meet the extortionists' demands and will not enter into negotiations.