The “ShinyHunters” cybercriminal group is back in headlines for claiming a compromise affecting at least hundreds of Salesforce instances, by abusing tokens associated with Salesforce-connected Gainsight (customer relationship management) applications.
With so many teams focused on ShinyHunters in recent months, we’ve added four Campaigns linked to the group to our knowledge base (and extended another that MITRE added in v18). These are the focus of this week’s update to our curated “Trending & Emerging Threats” Threat Profile.
ShinyHunters and associated operations like Scattered Spider are amorphous entities, and actors/groups often have various levels of direct or indirect involvement in recent campaigns. Our object & Threat Profile curation helps teams pinpoint the relevant threats (and by extension, associated TTPs) to include in their coverage assessments depending on their scope (i.e. actor- vs technology- or platform-centric assessments).
11/25/25: ShinyHunters Recent Campaigns – Spotlight Procedures
Threat-Led Defense commentary: Salesforce recommends that customers conduct a comprehensive review of Setup Audit Trail entries, Event Monitoring logs, and API activity records for suspicious attack artifacts, even after OAuth token revocation. More proactively, audit the third-party apps connected to Salesforce instances and their OAuth tokens, revoking any issued to applications that are no longer in use.
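The two review steps above (flag OAuth grants to unused or unapproved connected apps, then sweep Setup Audit Trail entries for connected-app and OAuth changes) can be scripted as a simple triage pass. The following is an added example, not code from Salesforce, Gainsight, or this profile; it runs over constructed sample rows, and the field layout of the token inventory and audit-trail lines, the `APPROVED_APPS` allowlist, the 90-day threshold, and the keyword list are all assumptions for the example rather than Salesforce's export schema.

```python
"""Added example: triage helper for the post-incident review described above.

It is not Salesforce's or Gainsight's code. It runs two defensive checks over
constructed sample data (not real exports; the field layout is an assumption):
  1. Connected-app OAuth grants: flag apps outside the approved inventory and
     tokens not used for more than UNUSED_DAYS, i.e. candidates for revocation.
  2. Setup Audit Trail entries: surface actions touching Connected Apps / OAuth,
     which deserve review even after tokens have been revoked.
Users who appear in both result sets are reported as review priorities.
"""
from datetime import datetime, timedelta, timezone

# Constructed review time (the date of this update), not a live clock.
REVIEW_TIME = datetime(2025, 11, 25, tzinfo=timezone.utc)
UNUSED_DAYS = 90

# Hypothetical approved-integration inventory, maintained by the org.
APPROVED_APPS = {"Gainsight", "Slack"}

# Constructed OAuth grant inventory: one row per (connected app, user) token.
TOKEN_INVENTORY = [
    {"app": "Gainsight", "user": "admin@example.com",
     "last_used": "2025-11-19T08:12:00Z", "scopes": "api refresh_token full"},
    {"app": "Gainsight", "user": "svc-integration@example.com",
     "last_used": "2025-06-01T00:00:00Z", "scopes": "api refresh_token"},
    {"app": "OldReportingTool", "user": "analyst@example.com",
     "last_used": "2024-12-30T10:00:00Z", "scopes": "api"},
    {"app": "DataLoader-Unapproved", "user": "jdoe@example.com",
     "last_used": "2025-11-20T02:45:00Z", "scopes": "api refresh_token full"},
]

# Constructed Setup Audit Trail rows as "Date,User,Action,Section" (layout assumed).
AUDIT_TRAIL = """\
2025-11-18T09:00:00Z,admin@example.com,Changed password policy,Security Controls
2025-11-20T02:40:00Z,jdoe@example.com,Created connected app DataLoader-Unapproved,Connected Apps
2025-11-20T02:41:00Z,jdoe@example.com,Changed OAuth policies for connected app DataLoader-Unapproved,Connected Apps
2025-11-21T11:00:00Z,admin@example.com,Changed user profile for analyst@example.com,Manage Users
"""

SUSPICIOUS_SECTIONS = {"Connected Apps"}
SUSPICIOUS_KEYWORDS = ("connected app", "oauth", "remote access")


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_tokens(inventory, approved, now, unused_days=UNUSED_DAYS):
    """Return one finding per token that should be revoked or investigated."""
    cutoff = now - timedelta(days=unused_days)
    findings = []
    for row in inventory:
        reasons = []
        if row["app"] not in approved:
            reasons.append("app not in approved integration inventory")
            if "full" in row["scopes"].split():
                reasons.append("unapproved app holds the 'full' scope")
        if _parse_ts(row["last_used"]) < cutoff:
            reasons.append(f"token unused for more than {unused_days} days")
        if reasons:
            findings.append({"app": row["app"], "user": row["user"], "reasons": reasons})
    return findings


def review_audit_trail(text, sections=SUSPICIOUS_SECTIONS, keywords=SUSPICIOUS_KEYWORDS):
    """Return audit entries whose section or action concerns connected apps or OAuth."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, section = line.split(",", 3)
        if section in sections or any(k in action.lower() for k in keywords):
            hits.append({"date": date, "user": user, "action": action, "section": section})
    return hits


def run_review(now=REVIEW_TIME):
    """Run both checks and report users present in both result sets."""
    tokens = review_tokens(TOKEN_INVENTORY, APPROVED_APPS, now)
    hits = review_audit_trail(AUDIT_TRAIL)
    priority = sorted({f["user"] for f in tokens} & {h["user"] for h in hits})
    return {"tokens": tokens, "audit_hits": hits, "priority_users": priority}


if __name__ == "__main__":
    report = run_review()
    for f in report["tokens"]:
        print(f"REVOKE/REVIEW {f['app']} ({f['user']}): {'; '.join(f['reasons'])}")
    for h in report["audit_hits"]:
        print(f"AUDIT {h['date']} {h['user']}: {h['action']} [{h['section']}]")
    print("Priority users:", ", ".join(report["priority_users"]) or "none")
```

The point of the correlation step is the one the commentary makes: revoking a token closes the door, but the audit trail still shows who created or reconfigured the connected app, so a user who both holds a flagged grant and appears in connected-app changes goes to the top of the review list.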
Threat-Led Defense commentary: Implement strong internal verification processes for sensitive requests, mandate MFA for all users, and run regular vishing and phishing simulations and social engineering awareness campaigns.