2025 was the year Salesforce breaches went from a niche security concern to front-page news.
In 2026, we’re still seeing the aftershocks. McGraw Hill. The European Commission. Grubhub. The list keeps growing, and the ransom demands keep landing. It is never a good situation to be in. But can we honestly say we didn’t see this coming?
A gap the industry created together
For years, Salesforce sat in a strange middle ground inside most organizations. Too important to ignore, but somehow never quite in the security team’s lane. The CISO owned the firewall and the IT team owned the endpoints, while Salesforce grew into one of the most data-rich systems in the company, expanding through automations, Experience Cloud sites, third-party integrations, and connected apps – each one broadening the footprint a little further.
The platform got more complex. The security visibility around it did not always keep up. That is the gap that 2025 exposed in a spectacular way.
ShinyHunters made it impossible to look away
Starting in mid-2025, the ShinyHunters group ran the most sustained, targeted campaign against Salesforce environments the industry had ever seen. What made it so damaging was how it exploited the complexity of modern Salesforce deployments, rather than any single flaw.
The early attacks used vishing. A phone call. Someone pretending to be IT support. An employee convinced to enter an OAuth code into what looked like a legitimate Salesforce Data Loader page. By September 2025, the group had shifted again, this time scanning for Experience Cloud sites with misconfigured guest user permissions and pulling CRM data directly through exposed API endpoints. No credentials required. By March 2026, they were claiming between 300 and 400 compromised organizations from that campaign alone. The tactics kept evolving. The target never changed.
McGraw Hill is the latest reminder
Earlier this month, McGraw Hill confirmed that ShinyHunters had accessed a Salesforce-hosted environment through a misconfiguration, leaking over 100GB of data tied to 13.5 million accounts. Names, addresses, phone numbers, email addresses – all out in the open after ransom negotiations fell through.
The company noted that its core systems were not touched. But for the 13.5 million people now potentially exposed to phishing and identity fraud, that distinction offered little reassurance. This is not a story about one misconfiguration at one company. It is the same story the industry has been telling itself for over a year now, with a different name at the top each time.
That context matters. This is a systemic challenge, not a story about one org getting something wrong.
The real problem is detection
What these incidents share is a common theme: the gap between when access was gained and when it was discovered. The detection gap is where the real damage happens, and closing it is the conversation the Security and Salesforce teams need to be having right now.
Security teams have spent years building detection-first programs around endpoints and email, operating on the principle that prevention matters but is never the whole story. Threats get through.
What determines the outcome is how quickly you see them. That same principle applies to Salesforce, arguably more so given how much sensitive data now lives there. Customer records, financial data, healthcare information, pipeline data, PII at scale, all wired into marketing platforms, analytics tools, AI systems, and third-party apps. The data footprint of a typical enterprise Salesforce org is enormous, and it is connected to everything.
Seeing the full picture
Here is where Salesforce security gets genuinely difficult. Individual signals, taken in isolation, can look harmless. A user with broad permissions is not unusual. A connected app accessing data is expected. A credential that appeared in a third-party breach might belong to someone who changed their password years ago.
But when you start combining those signals, the picture shifts. A user with ModifyAllData permissions whose email address appeared in a recent breach is a very different conversation. That is not a theoretical risk. That is an open door, and the kind of exposure that’s almost impossible to see without a dedicated view across identity, permissions, and breach data simultaneously.
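The correlation described above, as an added example that is not part of the original post or of the product it describes: a small Python review that joins three signals which look harmless on their own (org-wide data permissions, a login email seen in a third-party breach corpus, and an Experience Cloud guest profile that can read customer objects) and ranks the results. The permission names, object names, user records and breach list are all constructed sample data; the assumed input shape is a simple export you would build yourself from your org's user, profile and guest-site configuration.

```python
"""Combine identity, permission and breach signals for a Salesforce org.

Each signal alone is weak evidence; together they point at the accounts
and sites that warrant attention first. All data in this file is
constructed for the example and does not describe any real org.
"""
from dataclasses import dataclass

# Permission names (assumed, modelled on Salesforce's PermissionsXxx fields)
# that grant org-wide reach regardless of sharing rules.
HIGH_RISK_PERMS = {"ModifyAllData", "ViewAllData", "ManageUsers", "AuthorApex"}

# Objects an unauthenticated guest profile should normally never read.
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "Case", "Opportunity"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class User:
    username: str
    email: str
    perms: set
    active: bool = True


@dataclass
class GuestProfile:
    site: str
    object_read: set  # objects the guest profile can read


@dataclass
class Finding:
    subject: str
    severity: str  # critical > high > medium > low
    reasons: list


def assess_user(user, breached_emails):
    """Rate one user by combining elevated permissions with breach exposure."""
    risky = sorted(user.perms & HIGH_RISK_PERMS)
    breached = user.email.lower() in breached_emails
    reasons = []
    if risky:
        reasons.append("holds " + ", ".join(risky))
    if breached:
        reasons.append("email present in third-party breach corpus")
    if not user.active and risky:
        reasons.append("inactive account still holds elevated permissions")
    # The combination is what matters: elevated rights plus a known-exposed
    # identity is a very different conversation from either signal alone.
    if risky and breached:
        severity = "critical"
    elif risky:
        severity = "high"
    elif breached:
        severity = "medium"
    else:
        severity = "low"
    return Finding(user.username, severity, reasons)


def assess_guest_profile(profile):
    """Flag guest profiles that expose customer data without authentication."""
    exposed = sorted(profile.object_read & SENSITIVE_OBJECTS)
    if exposed:
        return Finding(profile.site, "critical",
                       ["guest profile can read " + ", ".join(exposed)
                        + " without authentication"])
    return Finding(profile.site, "low", [])


def review_org(users, guest_profiles, breached_emails):
    """Return all findings, most severe first, then by subject name."""
    breached = {e.lower() for e in breached_emails}
    findings = [assess_user(u, breached) for u in users]
    findings += [assess_guest_profile(p) for p in guest_profiles]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.subject))


# Constructed sample data: four users, two guest sites, one breach list.
USERS = [
    User("admin@example.com", "admin@example.com", {"ModifyAllData", "ManageUsers"}),
    User("ops@example.com", "ops@example.com", {"ViewAllData"}),
    User("sales@example.com", "sales@example.com", {"EditTask"}),
    User("former@example.com", "former@example.com", {"AuthorApex"}, active=False),
]
GUEST_PROFILES = [
    GuestProfile("help-center", {"Knowledge__kav"}),
    GuestProfile("partner-portal", {"Contact", "Account"}),
]
BREACHED_EMAILS = {"ops@example.com", "sales@example.com"}

if __name__ == "__main__":
    for f in review_org(USERS, GUEST_PROFILES, BREACHED_EMAILS):
        if f.severity != "low":
            print(f"[{f.severity.upper()}] {f.subject}: " + "; ".join(f.reasons))
```

On the sample data the ops user (ViewAllData plus a breached email) and the partner-portal guest profile come out as critical, ahead of the admin account that holds broader permissions but has no known exposure; that ordering is the point of correlating the signals rather than reviewing each list on its own.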
Help is at hand
That is the gap our latest release of Cloud Protection for Salesforce addresses. Identity Protection now brings those signals together in one place, giving administrators a clear view of which users warrant attention and why, so the exposure is visible before an attacker has the chance to map it out.
The organizations that will come out of this period in good shape are not necessarily the ones with the biggest security budgets. They are the ones that applied the same detection-first thinking to their Salesforce environment that they built everywhere else years ago.
The question worth asking today is a simple one: if an attacker was quietly moving through your Salesforce org right now, would you know? If you are not sure, our free Salesforce risk assessment is a good place to start.