Google reveals a catastrophic supply-chain breach: 200+ companies hacked through a single Salesforce backdoor. The SaaS ecosystem is on fire.

Continue reading
Google's Threat Intelligence Group (GTIG) has confirmed a catastrophic supply chain attack with a staggering initial scope: data stolen from over 200 companies. The breach vector? Compromised applications from Gainsight, a customer success platform, published on the Salesforce ecosystem.
But this is far more than a single incident. This is the latest, highly sophisticated maneuver in a sustained campaign by the threat collective UNC6240 (tracked by Google), also known as "_Scattered Lapsus$ Hunters."_ This group, which includes members of the infamous ShinyHunters, is systematically targeting the very connective tissue of the modern enterprise: the trusted integrations between SaaS platforms.
The attack demonstrates a chilling understanding of the modern cloud environment. This was not a smash-and-grab; it was a patient, multi-stage operation.
| Phase | Tactic & Technique | Context & Insight |
|---|---|---|
| 1. Initial Access | Compromise of Gainsight (c. August 2025) | The group first breached Gainsight's internal systems nearly three months ago. They allegedly gained this initial foothold through a prior, identical attack on the Salesloft Drift application. This indicates a software supply chain cascade—one breached vendor becomes the stepping stone to the next. |
| 2. Persistence & Weaponization |
> Technical Insight: _"This attack completely bypasses traditional network security controls,"_ explains a senior security engineer at a affected firm (who spoke on condition of anonymity). _"The traffic never hits your firewall. It's a trusted entity inside your perimeter, making authorized API calls to your most sensitive data repository. Your SIEM might see it, but without extremely granular behavioral baselines, it just looks like business as usual."_
Understanding the "who" is key to understanding the "why." UNC6240 is not a typical nation-state actor. Their profile points to a financially motivated cybercrime group with a distinct modus operandi, heavily inspired by the original Lapsus$ group.
Key Adversary Characteristics:
To view the Gainsight breach in isolation is to miss the entire story. It is the second central act in a play that began months ago.
The standard advice of "patch your systems" is meaningless here. The defense requires a fundamental shift in strategy.
Immediate Actions (This Week):
Strategic Shifts (Long-Term):
The Gainsight breach is a watershed moment. It proves that the efficiency and connectivity of the modern SaaS ecosystem have created a systemic risk that we are only beginning to quantify.
The perimeter is no longer your network; it's the sum of all permissions you've granted to every third-party application. The attack surface is no longer your public IP range; it’s the entire OAuth token chain across your digital supply chain.
This incident is a call to action for CISOs and security teams everywhere: The era of trusting third-party integrations by default is over. The era of verified, minimal, and continuously monitored access has begun.
*This is a developing incident. Follow for ongoing technical analysis as more details from forensic investigations become available.*

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.
| Modification of Legitimate Apps |
| From within Gainsight's environment, the actors targeted the company's legitimate applications on the Salesforce AppExchange. By compromising these apps, they turned a tool of business operations into a weapon. |
| 3. Lateral Movement & Privilege Escalation | Abusing OAuth and Trust Relationships | When a company installs a Gainsight app, it grants the app certain permissions (OAuth tokens) to access Salesforce data. The attackers inherited these permissions. The critical failure? Many companies had granted these apps excessive, broad-ranging data access (e.g., "Read/Write All"), far beyond what was necessary for their function. |
| 4. Data Exfiltration | API-Based Data Harvesting | Using the compromised apps' legitimate access, the attackers performed automated, large-scale data queries and exports via Salesforce APIs. Because this traffic came from a trusted, whitelisted source, it was incredibly difficult to distinguish from legitimate business activity. |