November 2025 will be remembered as the month supply chain security collapsed spectacularly. The prolific hacking group ShinyHunters executed what may be the largest third-party app breach in history, compromising data from close to 1,000 companies through vulnerabilities in Salesforce's Gainsight app ecosystem. Simultaneously, the Clop ransomware gang weaponized Oracle E-Business Suite zero-day exploits to breach over 100 companies, including Harvard University, American Airlines subsidiary Envoy, and The Washington Post. With an average of 11 data breaches publicly disclosed every single day, November's breach landscape confirms what security professionals have feared all year: 2025 is officially the worst data breach year in recorded history, surpassing even the catastrophic breach totals of 2023 and 2024.
⚠️ Important: 🚨 BREACH SEVERITY ALERT: If your organization uses Salesforce third-party apps or Oracle E-Business Suite, assume compromise until proven otherwise. ShinyHunters claims to have stolen customer data, employee records, and business intelligence from nearly 1,000 companies. The Clop gang has already begun leaking stolen data from organizations that refused to pay ransoms. Check your security logs NOW for indicators of compromise dating back to September 2025.
ShinyHunters' Massive Salesforce/Gainsight Supply Chain Attack
Attack Overview:
• Threat Actor: ShinyHunters (notorious hacking group behind LinkedIn 2021 breach, Facebook 2021 leak)
• Attack Vector: Compromised Salesforce apps published by Gainsight
• Victims: Close to 1,000 companies using affected Gainsight apps
• Data Stolen: Customer data, employee records, business analytics, CRM data
• Discovery Date: November 20, 2025 (Salesforce confirmed investigation)
• Estimated Impact: Potentially hundreds of millions of records
How the Attack Worked:
Gainsight, a customer success platform, publishes multiple apps on the Salesforce AppExchange marketplace. These apps integrate deeply with Salesforce CRM systems to provide customer analytics, product usage tracking, and success metrics. ShinyHunters exploited vulnerabilities in these third-party apps to gain unauthorized access to Salesforce customer data across hundreds of organizations.
The supply chain attack mechanism:
Step 1: Compromise Gainsight Apps
• ShinyHunters identified security flaws in Gainsight's Salesforce apps
• Vulnerabilities allowed unauthorized API access to connected Salesforce orgs
• Apps had overly permissive data access scopes
Step 2: Lateral Access Across Customers
• Once inside Gainsight's app infrastructure, attackers pivoted to customer Salesforce instances
• Exploited OAuth tokens and API keys to access CRM data
• Automated data exfiltration across hundreds of connected organizations
Step 3: Mass Data Theft
• Stole customer contact information, sales pipeline data, support tickets
• Accessed employee records, organizational charts, business intelligence
• Exfiltrated data without triggering Salesforce security alerts (apps had legitimate access permissions)
Confirmed Victims (Partial List):
Financial Services:
• Allianz Life: Insurance giant, customer policyholder data potentially exposed
• TransUnion: Credit bureau, ironic victim given their role in protecting consumer credit data
Technology Companies:
• Google: Specific data stolen unclear, likely sales/customer success data
• Cloudflare: Security company breach highlights supply chain risk
• Bugcrowd: Bug bounty platform, potentially researcher data exposed
• Proofpoint: Cybersecurity vendor, embarrassing breach for security-focused company
Transportation:
• Qantas: Australian airline, passenger data and loyalty program information at risk
• Stellantis: Automotive conglomerate (Jeep, Ram, Chrysler), customer and dealer data
Luxury Brands:
• Kering: Fashion conglomerate (Gucci, Saint Laurent, Balenciaga)
• Dior: Luxury fashion house, high-net-worth customer data exposed
Why This Breach Is Unprecedented:
1. Scale: Nearly 1,000 organizations compromised through a single attack vector
2. Stealth: Apps had legitimate access, so data exfiltration didn't trigger security alerts
3. Trust Exploitation: Salesforce AppExchange is a trusted marketplace, so users assume its apps are secure
4. Supply Chain Cascade: One vendor's vulnerability compromised hundreds of downstream customers
Salesforce's Response:
Salesforce issued a statement on November 20, 2025:
"We are investigating reports that certain customer data was accessed through apps published by Gainsight on the AppExchange. We are working closely with Gainsight to understand the scope and have disabled affected apps as a precautionary measure. We recommend customers review their app permissions and audit recent data access logs."
What Remains Unknown:
• Exact number of affected organizations (ShinyHunters claims "close to 1,000")
• Total volume of records stolen (estimates range from 100M to 500M+ records)
• Whether attackers had access for days, weeks, or months before detection
• If other Salesforce third-party apps are similarly vulnerable
• Whether stolen data has been sold on dark web markets (not yet observed as of Nov 21)
Immediate Actions for Salesforce Customers:
1. Audit Installed Apps (TODAY):
• Navigate to Setup > Apps > Installed Packages
• Identify all Gainsight apps and extensions
• Review data access permissions for ALL third-party apps
• Disable any apps not actively used
2. Review Access Logs:
• Setup > Security > Login History: Check for suspicious API access
• Setup > Security > Event Monitoring: Review API event logs for unusual data exports
• Focus on September-November 2025 timeframe
• Look for bulk data downloads or unusual query patterns
3. Rotate API Credentials:
• Rotate all API keys and OAuth tokens used by third-party apps
• Review Connected Apps and revoke unnecessary access
• Implement least-privilege access for all integrations
4. Notify Affected Stakeholders:
• If you used Gainsight apps, assume data was compromised
• Begin breach notification process per GDPR, CCPA, state laws
• Notify customers, employees, and business partners as appropriate
• Engage legal counsel and cyber insurance provider
5. Enhance Third-Party App Security:
• Implement app vetting process before installation
• Regular audits of installed app permissions
• Use Salesforce Shield for enhanced monitoring
• Consider allowlist approach (only pre-approved apps permitted)
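Step 2 above asks you to review API event logs for bulk downloads and unusual query patterns, and step 3 asks for least-privilege integrations. The Python script below is an added example of what that review looks like when run over an exported log instead of by eye; it is not code from the original post, from Salesforce or from Gainsight. Column names loosely follow the Salesforce EventLogFile "API" event type as I understand it (TIMESTAMP_DERIVED, USER_NAME, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED); treat them as an assumption and map them to whatever your export actually contains. The log rows, the "CS-Analytics" client name and the expected-object list are all constructed for the example.

```python
"""Flag bulk exports and over-broad object access by integrations in Salesforce-style
API event logs.

Added example, not from the original post, Salesforce or Gainsight. Column names are an
assumption modelled on the EventLogFile API event type; sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample: a nightly sync that runs at a steady ~1,200 rows, then one night
# pulls every Account, every Contact and the User table. "CS-Analytics" is a placeholder
# integration name, not a real connected app.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-10-01T02:10:00.000Z,integration@example.com,CS-Analytics,Account,1200
2025-10-02T02:10:00.000Z,integration@example.com,CS-Analytics,Account,1150
2025-10-03T02:10:00.000Z,integration@example.com,CS-Analytics,Account,1300
2025-10-04T02:10:00.000Z,integration@example.com,CS-Analytics,Account,1250
2025-10-05T02:10:00.000Z,integration@example.com,CS-Analytics,Account,1180
2025-10-06T03:41:00.000Z,integration@example.com,CS-Analytics,Account,48000
2025-10-06T03:45:00.000Z,integration@example.com,CS-Analytics,Contact,210000
2025-10-06T03:52:00.000Z,integration@example.com,CS-Analytics,User,900
2025-10-06T09:00:00.000Z,sales.rep@example.com,Browser,Opportunity,40
"""

# Least-privilege expectation per integration: which objects it has a business reason to
# read. Constructed for the example; derive yours from the app's documented function.
EXPECTED_ENTITIES = {"CS-Analytics": {"Account", "Case"}}

WINDOW = (date(2025, 9, 1), date(2025, 11, 30))  # review window named in the post
SPIKE_FACTOR = 10       # flag a day at >= 10x the client's median daily volume (assumption)
MIN_BASELINE_DAYS = 3   # need some history before a spike means anything


def parse_rows(text):
    """Yield (day, client, entity, rows) for events inside the review window."""
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if WINDOW[0] <= ts.date() <= WINDOW[1]:
            yield ts.date(), rec["CLIENT_NAME"], rec["ENTITY_NAME"], int(rec["ROWS_PROCESSED"])


def analyze(text):
    """Return (client, finding) tuples: per-client volume spikes against that client's own
    prior median, plus any object the client touched outside its expected set."""
    daily = defaultdict(lambda: defaultdict(int))  # client -> day -> rows processed
    entities = defaultdict(set)                      # client -> objects accessed
    for day, client, entity, rows in parse_rows(text):
        daily[client][day] += rows
        entities[client].add(entity)

    findings = []
    for client, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]   # only days before this one
            if len(history) < MIN_BASELINE_DAYS:
                continue
            baseline = median(history)
            if per_day[day] >= SPIKE_FACTOR * baseline:
                findings.append((client, f"volume spike on {day}: {per_day[day]} rows vs median {baseline:.0f}"))
        expected = EXPECTED_ENTITIES.get(client)
        if expected is not None:
            for extra in sorted(entities[client] - expected):
                findings.append((client, f"accessed unexpected object {extra}"))
    return findings


if __name__ == "__main__":
    for client, finding in analyze(SAMPLE_LOG):
        print(f"[{client}] {finding}")
```

The baseline is per client and uses only days before the one being judged, so a steady nightly sync never flags itself while a single night that pulls 200x the usual volume does. The object check is the least-privilege half of the review: an integration reading tables it has no documented need for is a finding even when the row counts look normal.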
Clop Ransomware Gang Exploits Oracle E-Business Suite Zero-Days
Attack Overview:
• Threat Actor: Clop ransomware gang (previously behind MOVEit mass-exploitation campaign)
• Attack Vector: Zero-day vulnerabilities in Oracle E-Business Suite
• Victims: 100+ companies running Oracle EBS (partial disclosure ongoing)
• Data Stolen: Customer business data, employee records, financial information
• Discovery Date: November 7, 2025 (Washington Post disclosed breach)
• Vulnerability Status: Oracle released emergency patches November 12, 2025
Confirmed High-Profile Victims:
1. Harvard University
• Systems affected: Student information system, HR databases, research administration
• Data exposed: Student records, employee data, grant information, potentially research data
• Disclosure: November 15, 2025 notification to affected individuals
• Impact: Estimated 200,000+ current and former students, staff, researchers
2. The Washington Post
• Systems affected: Subscriber management, advertising systems
• Data exposed: Subscriber information, advertising client data, employee records
• Disclosure: November 7, 2025 (self-reported breach in their own newspaper)
• Impact: Unknown number of subscribers and advertising clients
• Irony factor: Major newspaper covering cybersecurity breaches becomes victim
3. American Airlines (Envoy Air Subsidiary)
• Systems affected: Regional airline operations, crew scheduling, passenger data
• Data exposed: Crew member personal information, passenger records, flight operations data
• Disclosure: November 18, 2025 notification
• Impact: Thousands of crew members, unknown number of passengers
How the Oracle E-Business Suite Attack Worked:
Oracle E-Business Suite (EBS) Background:
Oracle EBS is an integrated suite of business applications used by thousands of large enterprises for:
• Financial management and accounting
• Human resources and payroll
• Supply chain management
• Customer relationship management
• Manufacturing and project management
Many universities, government agencies, airlines, and Fortune 500 companies rely on Oracle EBS as their core enterprise resource planning (ERP) system.
The Zero-Day Vulnerabilities:
While Oracle has not publicly disclosed full technical details (responsible disclosure timeline), security researchers have identified the attack pattern:
Vulnerability 1: SQL Injection in EBS Web Interface
• CVE: Pending (Oracle emergency patch released Nov 12)
• CVSS Score: Estimated 9.8 (Critical)
• Attack vector: Unauthenticated SQL injection in customer-facing web portals
• Impact: Complete database compromise, access to all ERP data
Vulnerability 2: Authentication Bypass
• CVE: Pending
• CVSS Score: Estimated 9.1 (Critical)
• Attack vector: Bypass of authentication in EBS application tier
• Impact: Administrator-level access without valid credentials
Clop's Exploitation Timeline:
September 2025: Clop gang discovers zero-days in Oracle EBS (estimated based on breach investigation timelines)
October 2025: Mass scanning of internet-facing Oracle EBS instances, identification of vulnerable targets
October-November 2025: Automated exploitation, data exfiltration from 100+ organizations
November 7, 2025: Washington Post discovers breach, Oracle notified
November 12, 2025: Oracle releases emergency patches (out-of-band, not part of quarterly Critical Patch Update)
November 15-21, 2025: Victim notifications begin, additional breaches confirmed daily
Why This Attack Succeeded:
1. Zero-Day Advantage
• No patches available when Clop began exploiting vulnerabilities
• Organizations had no way to defend except network segmentation
• Oracle EBS is complex software; zero-days are difficult to detect without patches
2. Legacy System Challenges
• Many Oracle EBS installations are 5-10 years old
• Upgrading EBS is expensive and disruptive (6-18 month projects)
• Organizations delay upgrades, missing security enhancements
• Outdated versions have accumulated vulnerabilities
3. Internet Exposure
• Many organizations exposed EBS web interfaces to internet for remote access
• Cloud migration put previously internal systems on public internet
• VPN alternatives created attack surface
4. MOVEit Playbook Reuse
• Clop successfully used mass-exploitation strategy with MOVEit in 2023
• Same tactic: Find zero-day in widely-deployed enterprise software, automate exploitation, exfiltrate data from hundreds of orgs simultaneously
• Proven ransomware business model: Most victims pay to prevent data leak
Oracle's Emergency Patch (November 12, 2025):
Oracle released out-of-band security patches addressing the zero-days:
Patch Details:
• Release Date: November 12, 2025
• Affected Versions: Oracle E-Business Suite 12.2.3 through 12.2.13
• Severity: Critical (immediate patching recommended)
• Patch Complexity: Moderate (requires application restart, database changes)
• Testing Required: Yes (EBS patches can break customizations)
Patching Challenges:
• EBS is mission-critical; downtime affects entire organization
• Patches require testing in non-production environment first
• Many organizations need 2-4 weeks to test and deploy EBS patches
• During that window, they remain vulnerable
Immediate Actions for Oracle EBS Customers:
1. Apply Oracle Emergency Patches IMMEDIATELY
• Download patches from My Oracle Support (MOS)
• Test in dev/staging environment (expedited testing, 24-48 hours max)
• Deploy to production within 1 week of patch release
• If testing not feasible, consider emergency weekend patching
2. Network Segmentation (If Patching Delayed)
• Remove EBS web interfaces from public internet
• Require VPN access for all remote EBS users
• Implement web application firewall (WAF) with virtual patching rules
• Monitor for exploitation attempts (SQL injection patterns in logs)
3. Forensic Investigation
• Review EBS application logs for September-November 2025
• Check for suspicious database queries, bulk data exports
• Engage Oracle Security team or third-party forensics firm
• Preserve logs for potential breach notification requirements
4. Assume Compromise Until Proven Otherwise
• If your EBS was internet-accessible in October-November 2025, assume breach
• Begin breach assessment: What data is in EBS? Who is affected?
• Notify legal counsel, cyber insurance, regulatory authorities as appropriate
• Prepare for potential ransom demand from Clop gang
5. Long-Term EBS Security Improvements
• Upgrade to latest EBS version (12.2.13 as of November 2025)
• Implement Oracle Advanced Security for database encryption
• Deploy Oracle Audit Vault for centralized log monitoring
• Regular penetration testing of EBS environment
• Quarterly patch management (Oracle Critical Patch Updates)
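Steps 2 and 3 above call for monitoring web logs for SQL injection patterns and reviewing the September-November window for suspicious queries and bulk exports. The Python script below is an added example of that triage over web-tier access logs; it is not code from the original post, from Oracle, or from any forensics vendor. The log lines are constructed in Apache/Oracle HTTP Server combined format, the IP addresses are documentation ranges, the /OA_HTML/ prefix is the standard EBS web-tier path, and the signature list and size threshold are assumptions to tune against your own baseline.

```python
"""Triage web-tier access logs in front of Oracle E-Business Suite for SQL-injection-shaped
requests and bulk-download indicators within a review window.

Added example, not from the original post or from Oracle. Log lines are constructed;
thresholds and signatures are assumptions, not Oracle guidance.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Apache/OHS combined format: ip ident user [ts] "method uri proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Defensive signatures for the injection shapes a WAF or IDS also keys on. Applied to the
# URL-decoded request line, because attackers encode and logs keep the encoded form.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.IGNORECASE)),
    ("quote-boolean", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.IGNORECASE)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("time-based", re.compile(r"\b(sleep|dbms_lock\.sleep)\s*\(", re.IGNORECASE)),
]
BULK_RESPONSE_BYTES = 50 * 1024 * 1024   # assumption: a 50 MB+ response from the EBS web tier merits a look
REVIEW_START = datetime(2025, 9, 1)
REVIEW_END = datetime(2025, 11, 30, 23, 59, 59)

# Constructed sample log. The first three lines are one source probing, then pulling a very
# large response; the next two are ordinary use; the last is probing outside the window.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2025:03:12:44 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/webui/Home&id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5123',
    '203.0.113.7 - - [14/Oct/2025:03:12:49 +0000] "GET /OA_HTML/OA.jsp?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 2210',
    '203.0.113.7 - - [14/Oct/2025:03:20:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/webui/Home&export=Y HTTP/1.1" 200 734003200',
    '198.51.100.23 - - [14/Oct/2025:09:05:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 8421',
    '198.51.100.23 - - [14/Oct/2025:09:05:44 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/per/selfservice/webui/MyDetailsPG HTTP/1.1" 200 15230',
    '192.0.2.50 - - [02/Dec/2025:11:00:00 +0000] "GET /OA_HTML/OA.jsp?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 2210',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # offset dropped; assume UTC logs
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "uri": unquote_plus(m["uri"]), "status": int(m["status"]), "bytes": size}


def classify(event):
    """Return the indicator names that fire for one parsed request."""
    hits = []
    if event["uri"].startswith("/OA_HTML/"):  # only the EBS web tier is in scope here
        for name, pat in SQLI_PATTERNS:
            if pat.search(event["uri"]):
                hits.append(name)
    if event["bytes"] >= BULK_RESPONSE_BYTES:
        hits.append("bulk-response")
    return hits


def triage(lines):
    """Aggregate indicators per source IP inside the review window.
    Returns {ip: {"indicators": Counter, "first_seen": datetime, "last_seen": datetime}}."""
    report = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not (REVIEW_START <= ev["ts"] <= REVIEW_END):
            continue
        hits = classify(ev)
        if not hits:
            continue
        entry = report.setdefault(ev["ip"], {"indicators": Counter(),
                                             "first_seen": ev["ts"], "last_seen": ev["ts"]})
        entry["indicators"].update(hits)
        entry["first_seen"] = min(entry["first_seen"], ev["ts"])
        entry["last_seen"] = max(entry["last_seen"], ev["ts"])
    return report


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        span = f"{entry['first_seen']:%Y-%m-%d %H:%M} to {entry['last_seen']:%Y-%m-%d %H:%M}"
        print(f"{ip}: {dict(entry['indicators'])} ({span})")
```

Grouping by source address is what turns three individually weak signals (a quote-and-boolean probe, a UNION probe, then one very large response minutes later) into a single sequence worth escalating to the forensics step. The window filter keeps December noise out of a September-November investigation; widen it if your own timeline differs from the post's.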
Ransom Demands and Data Leaks:
Clop's typical ransom strategy:
• Steal data, then contact victim with ransom demand
• Threaten to publish stolen data on leak site if ransom not paid
• Ransom amounts: $500K - $10M+ depending on victim size and data sensitivity
• Data published on Clop leak site if no payment within 7-14 days
As of November 21, 2025:
• Clop has NOT yet published data from Harvard, Washington Post, or American Airlines
• Negotiations likely ongoing
• Expect leaks in early December 2025 if ransoms not paid
Other Major November 2025 Breaches
1. Abbott Laboratories & Dooney & Bourke - Clop Attacks
Breach Details:
• Victims: Abbott (medical devices/pharmaceuticals), Dooney & Bourke (luxury handbags)
• Threat Actor: Clop ransomware gang (same group behind Oracle EBS attacks)
• Discovery Date: November 21, 2025
• Attack Vector: Likely Oracle EBS or similar enterprise software vulnerability
• Data Exposed: Not yet disclosed
Abbott Implications:
• Major medical device manufacturer (glucose monitors, heart devices, diagnostics)
• Potential exposure of patient data, clinical trial information, manufacturing data
• HIPAA breach notification likely required
• FDA medical device cybersecurity reporting obligations
Dooney & Bourke Implications:
• Luxury retailer with high-net-worth customer base
• Potential credit card data, customer profiles, purchase history
• PCI-DSS compliance implications
2. Conduent Business Services - 4.3 Million Individuals Affected
Breach Details:
• Victim: Conduent (business process outsourcing company)
• Discovery Date: October 2025 (public disclosure)
• Breach Timeline: Late 2024 - Early 2025 (long dwell time)
• Affected Individuals: 4.3 million people
• Data Exposed: Personal information of government benefits recipients
Why This Matters:
• Conduent processes government benefits (Medicaid, unemployment, child support)
• Victims include vulnerable populations relying on government assistance
• Long dwell time suggests sophisticated attack, potential for extensive data theft
• Government contract implications (may lose contracts due to breach)
3. Ongoing Breach Disclosure Pattern
November 2025 Statistics:
• 11 breaches publicly disclosed per day (average)
• 330+ breaches disclosed in November (as of Nov 21)
• Projected total for month: 400+ breach notifications
Breach Volume Trend:
• 2023: 3,200 breaches (previous record)
• 2024: 3,800 breaches
• 2025 YTD: 4,100+ breaches (11 months)
• 2025 Projected: 4,500+ breaches (will exceed 2024 by 18%)
Why Breach Volume Keeps Increasing:
1. Supply Chain Attacks
• One vendor breach = hundreds of customer breaches (e.g., Salesforce/Gainsight)
• Attackers target widely-used software (MOVEit 2023, Oracle EBS 2025)
• Multiplier effect: Single vulnerability affects entire ecosystem
2. Ransomware Industrialization
• Ransomware-as-a-Service (RaaS) lowers barrier to entry
• Affiliates conduct attacks, RaaS operators provide tools/infrastructure
• More attackers = more breaches
3. Data Breach Disclosure Laws
• All 50 US states now have breach notification laws
• GDPR requires 72-hour breach notification
• More legal requirements = more public disclosures (breaches always existed, now they're reported)
4. Cloud Migration Attack Surface
• Organizations moving to cloud expose systems to internet
• Misconfigured cloud storage (S3 buckets, Azure Blob storage)
• Cloud apps have different security models than on-premises systems
5. Nation-State Activity
• Russia, China, North Korea, Iran conducting cyber espionage
• Many nation-state breaches disclosed years after compromise
• Geopolitical tensions drive cyber aggression
Lessons Learned: Preventing Supply Chain and Zero-Day Attacks
Lesson 1: Third-Party App Risk Management
The Salesforce/Gainsight breach teaches us:
Before Installing Third-Party Apps:
• Security audit: Review app's security documentation, certifications
• Permissions review: What data does app request access to? Is it necessary?
• Vendor assessment: Does vendor have SOC 2, ISO 27001, other security certifications?
• Breach history: Has vendor been breached before? How did they respond?
• Least privilege: Configure app with minimum necessary permissions
After Installing Third-Party Apps:
• Regular audits: Quarterly review of installed apps and permissions
• Access monitoring: Log and review all third-party app data access
• Anomaly detection: Alert on unusual data exports or API usage
• Vendor monitoring: Subscribe to vendor security advisories
• Incident response plan: What happens if third-party app is breached?
Red Flags to Watch For:
• App requests access to data unrelated to its function
• Vendor lacks security certifications or documentation
• App has poor reviews mentioning security issues
• Vendor doesn't publish security advisories or patch notes
• App hasn't been updated in 6+ months
Lesson 2: Zero-Day Defense Strategy
The Oracle EBS breach teaches us:
You can't patch zero-days (by definition, no patch exists yet). But you can reduce impact:
1. Network Segmentation
• Don't expose enterprise apps directly to internet
• Require VPN or zero-trust network access (ZTNA) for remote users
• Segment critical systems on separate network zones
• Implement firewall rules limiting lateral movement
2. Web Application Firewall (WAF)
• Deploy WAF in front of all web applications
• Virtual patching: WAF can block exploitation attempts even without vendor patch
• Ruleset updates: Ensure WAF rules updated weekly
• Logging: Capture all blocked attacks for incident response
3. Intrusion Detection Systems (IDS)
• Network-based IDS monitors for exploitation attempts
• Signature-based detection catches known attacks
• Anomaly-based detection catches novel zero-day exploits
• SIEM integration for centralized alerting
4. Least Privilege Access
• Limit who can access enterprise applications
• Implement role-based access control (RBAC)
• Require multi-factor authentication (MFA) for all users
• Regular access reviews: Remove unnecessary access
5. Data Loss Prevention (DLP)
• Monitor for bulk data exports
• Block unauthorized data exfiltration attempts
• Alert on unusual data access patterns
• Encrypt sensitive data at rest and in transit
Lesson 3: Patch Management Excellence
Oracle released emergency patches November 12. Your timeline should be:
Day 1 (Nov 12): Patch release
• Subscribe to vendor security advisories for immediate notification
• Assess patch criticality and affected systems
• Download patches, review release notes
Day 2-3 (Nov 13-14): Testing
• Deploy patches to dev/test environment
• Run regression tests on critical business processes
• Document any issues or compatibility problems
Day 4-7 (Nov 15-18): Production deployment
• Schedule maintenance window
• Deploy to production during low-usage period
• Monitor for issues, have rollback plan ready
• Verify patch applied successfully
Goal: 1-week patch deployment for critical vulnerabilities
Many organizations take 30-90 days to patch. During that window, you're vulnerable.
Lesson 4: Assume Breach Mentality
If Harvard, Washington Post, and 1,000 Salesforce customers can be breached, so can you.
Operate under assumption that breach is inevitable:
1. Detection Capabilities
• Monitor for indicators of compromise (IOCs)
• Log all system access and data transfers
• Deploy endpoint detection and response (EDR) tools
• Regular threat hunting exercises
2. Incident Response Readiness
• Documented incident response plan
• Quarterly tabletop exercises
• Pre-negotiated forensics firm retainer
• Cyber insurance policy reviewed annually
3. Data Minimization
• Don't collect data you don't need
• Delete data you no longer need
• Encrypt sensitive data always
• Separate systems: Don't store all data in one ERP
4. Backup and Recovery
• Immutable backups (ransomware can't encrypt them)
• Offline backups stored separately
• Regular restore testing (quarterly minimum)
• Recovery time objective (RTO): Can you recover in 24-48 hours?
Lesson 5: Vendor Consolidation Risk
Salesforce/Gainsight breach highlights concentration risk:
Many organizations use:
• Salesforce for CRM
• 50+ Salesforce AppExchange apps
• All integrated, all accessing same data
If ONE app is compromised, ALL data is at risk.
Mitigation strategies:
• Limit number of third-party integrations
• Segment data across multiple systems (don't put everything in Salesforce)
• Consider build vs. buy: Custom development may be more secure than third-party apps
• Multi-vendor strategy: Don't rely on single platform for everything
Lesson 6: Supply Chain Security is National Priority
November 2025 breaches follow pattern:
• SolarWinds (2020): Software supply chain
• Kaseya (2021): MSP supply chain
• MOVEit (2023): File transfer supply chain
• Salesforce/Gainsight (2025): App marketplace supply chain
• Oracle EBS (2025): Enterprise software supply chain
U.S. Government Response:
• CISA issued emergency directive for Oracle EBS patching (Nov 13, 2025)
• OMB memo on third-party app security requirements (pending)
• Potential legislation: Software liability for vendors
What This Means for Organizations:
• Expect stricter vendor security requirements
• Cyber insurance will require supply chain assessments
• Regulators will hold organizations accountable for third-party breaches
• GDPR, CCPA already impose liability for vendor breaches
Your supply chain is YOUR responsibility, even if vendor is at fault.
Industry-Specific Breach Impact Analysis
Healthcare & Life Sciences
Affected Organizations:
• Abbott Laboratories (medical devices)
• Harvard University (medical research)
• Allianz Life (health insurance)
Compliance Implications:
• HIPAA Breach Notification Rule: 60-day notification to HHS for breaches affecting 500+ individuals
• FDA Medical Device Cybersecurity: Abbott must report breach to FDA, may face device recall
• Research Data Integrity: Harvard breach may compromise clinical trial data
Patient Impact:
• Medical device data breaches can enable targeted attacks on patients
• Insurance data breaches expose sensitive health conditions
• Research data breaches compromise participant privacy
Action Items:
• Audit all Oracle EBS instances (common in hospital finance systems)
• Review third-party health app integrations
• Enhance patient data encryption
• Update HIPAA risk assessments
Financial Services & Insurance
Affected Organizations:
• TransUnion (credit bureau)
• Allianz Life (insurance)
• Numerous banks using Oracle EBS for core banking
Regulatory Implications:
• GLBA Safeguards Rule: Enhanced incident response requirements effective December 2024
• FFIEC Guidance: Third-party risk management expectations
• NYDFS Cybersecurity Regulation: 72-hour breach notification to NYDFS
• SEC Cybersecurity Rules: 4-day materiality determination, 8-K filing if material
Customer Impact:
• Credit bureau breach enables identity theft, synthetic identity fraud
• Insurance data breach exposes financial information, enables social engineering
• Bank breach compromises account credentials, transaction history
Action Items:
• Assess Oracle EBS exposure (widely used for financial management)
• Review Salesforce Financial Services Cloud third-party apps
• Enhance fraud monitoring systems
• Update incident response plans for SEC 4-day disclosure
Higher Education
Affected Organizations:
• Harvard University (student records, research data, employee information)
• Likely dozens more universities using Oracle EBS (common for student information systems)
Compliance Implications:
• FERPA: Student education records protected, breach may violate federal law
• Research Data: NIH, NSF grant compliance requires data security
• State Laws: Massachusetts data protection law (201 CMR 17.00) has strict requirements
Student & Faculty Impact:
• Student records include SSN, financial aid, grades, disciplinary records
• Faculty data includes research proposals, grant information, personnel files
• Alumni data breach affects fundraising, donor relations
Action Items:
• Patch Oracle EBS student information systems URGENTLY
• Review Salesforce Education Cloud app permissions
• Notify students, faculty of breach risk
• Enhance endpoint security for research systems
Retail & E-Commerce
Affected Organizations:
• Dooney & Bourke (luxury retail)
• Dior, Kering (luxury fashion)
• Qantas (airline retail, loyalty programs)
Compliance Implications:
• PCI-DSS: Payment card data breaches trigger forensic investigation, potential fines
• GDPR: Luxury brands have international customers, 72-hour notification required
• CCPA: California customers have private right of action for data breaches
Customer Impact:
• Credit card data theft enables fraud
• Customer profile data enables targeted phishing
• Loyalty program data enables account takeover
Action Items:
• Verify PCI-DSS segmentation (cardholder data isolated from breached systems)
• Review e-commerce platform third-party apps
• Enhance fraud detection systems
• Prepare for potential class-action lawsuits
Technology & Cybersecurity (Ironic Victims)
Affected Organizations:
• Cloudflare (DDoS protection, CDN)
• Proofpoint (email security)
• Bugcrowd (bug bounty platform)
• Google (cloud services)
Reputational Implications:
• Cybersecurity vendors being breached damages credibility
• Customers may lose confidence in security products
• Competitive advantage lost
Customer Impact:
• If security vendor is breached, are customer environments also at risk?
• Shared infrastructure concerns
• Trust erosion
Action Items:
• Transparent breach disclosure (security companies held to higher standard)
• Third-party security audit results published
• Enhanced vendor security questionnaires from customers
• Consider cyber insurance implications (premiums may increase)
November 2025 will be studied in cybersecurity textbooks as the month supply chain security assumptions collapsed. The ShinyHunters breach proved that trusted app marketplaces are high-value attack vectors: compromise one vendor's app, gain access to 1,000 customers' data simultaneously. The Clop ransomware gang's Oracle EBS campaign demonstrated that even zero-day vulnerabilities in widely-deployed enterprise software can be weaponized at scale, affecting universities, airlines, newspapers, and Fortune 500 companies indiscriminately.
The sobering reality: Organizations that invested millions in cybersecurity—Harvard's world-class IT security team, Cloudflare's security-first culture, Proofpoint's threat intelligence capabilities—were breached through third-party dependencies they trusted but couldn't fully control. If Harvard can be breached through Oracle EBS, if Cloudflare can be compromised through a Salesforce app, if The Washington Post can fall victim to ransomware, then no organization is safe based on their own security posture alone. Your security is only as strong as your weakest vendor.
Key Takeaways from November 2025 Breaches:
1. Supply Chain Risk is Existential
• Third-party apps, vendor software, and cloud services are integral to modern business
• You can't eliminate third-party risk, only manage it
• Vendor breaches are YOUR breach (regulators, customers, and lawyers won't care that the vendor was at fault)
2. Zero-Day Defense Requires Layers
• You can't patch what doesn't have a patch
• Network segmentation, WAF, IDS, least privilege, and DLP are your only defenses
• Organizations that survived the Oracle zero-day had defense-in-depth
3. Breach Disclosure is Inevitable
• 11 breaches per day means 1 in 3 organizations will experience a breach in the next 3 years
• Incident response readiness determines whether a breach is a business disruption or business extinction
• Cyber insurance, legal counsel, and a forensics firm should be pre-arranged, not found during a crisis
4. Data Minimization Pays Dividends
• Organizations that stored less data in breached systems suffered less impact
• Every field you collect is a field attackers can steal
• Retention policies: Delete data after the business need expires
5. Compliance Deadlines Don't Care About Breaches
• GDPR 72-hour notification still applies even if you're investigating
• State breach notification laws require notification even if the extent is unknown
• CISA KEV deadlines for patching don't extend because you're busy responding to a breach
Immediate Actions This Week:
For Salesforce Customers:
• Audit all installed apps TODAY (Setup > Apps > Installed Packages)
• Review data access logs for September-November 2025
• Disable unused third-party apps
• Rotate API keys and OAuth tokens
• If you used Gainsight apps, assume compromise and begin breach assessment
For Oracle EBS Customers:
• Apply November 12, 2025 emergency patches IMMEDIATELY (within 7 days)
• Review application logs for SQL injection attempts, unauthorized access
• Remove EBS web interfaces from public internet if patching delayed
• Engage forensics firm if any indicators of compromise detected
• Prepare breach notification process if investigation confirms compromise
For Everyone:
• Review third-party vendor security across ALL platforms (not just Salesforce/Oracle)
• Update incident response plans based on lessons from November breaches
• Test backup and recovery procedures (ransomware gangs are active)
• Verify cyber insurance policy covers supply chain breaches
• Schedule executive briefing on supply chain risk management
Looking Ahead to December 2025:
Expect additional breach disclosures as organizations complete investigations into potential Oracle EBS compromises. The Clop ransomware gang typically publishes stolen data 7-14 days after initial ransom demand, so early December may see data leaks from victims who refused to pay. Salesforce customers will continue discovering they were affected as they audit access logs. And with 11 breaches disclosed daily, December will likely bring entirely new attack campaigns we haven't yet seen.
The breach environment of 2025 isn't an anomaly—it's the new normal. Organizations that adapt to this reality with robust third-party risk management, defense-in-depth security architecture, and battle-tested incident response capabilities will survive. Those that continue operating with pre-2020 security assumptions will become case studies in next month's breach report.
Stay vigilant. Patch urgently. Trust, but verify vendors. And remember: It's not a question of if you'll face a supply chain security incident, but when—and whether you'll be ready.