Salesforce attacks are increasing, as the platform has become a prime target for cybercriminals. Around 40 Salesforce customers – mostly global brands – have been breached by cyber criminal groups. Salesforce is an attractive target due to its high level of connectivity and the volume of sensitive personal and commercial information it contains.
As companies’ Salesforce environments have become direct targets for cyberattacks, even the largest, best-resourced companies aren’t ready.
“The targeting of organizations’ SaaS services that hold and process sensitive data has become an extremely popular TTP of ransomware actors, after all. It has become apparent that actors no longer need to spend a lot of time and money seeking to fully compromise a network, when extortion demands based on sensitive data theft can be just as successful. It enables an effective and scalable way of targeting organisations at scale,” explains Tim West, Director of Threat Intelligence at WithSecure. “The business value of Salesforce and the level of sensitive data held within Salesforce makes it an exceptionally attractive target for financially motivated threat actors.”
Salesforce attacks have resulted in data breaches
On September 12th 2025, after a series of successful cyber attacks targeting Salesforce customers, the FBI issued a FLASH alert. The alert shares indicators of compromise tied to groups recently observed targeting Salesforce instances in a growing wave of data-theft and extortion campaigns. A FLASH is the Bureau’s way of quickly pushing urgent threat intelligence and indicators of compromise to industry, helping security teams spot suspicious activity and strengthen defenses.
In October, the situation escalated further. A collective calling itself Scattered Lapsus$ Hunters began leaking stolen Salesforce customer data and publicly extorting dozens of global brands. Salesforce itself was extorted by the group. As the victims refused to negotiate and pay the ransoms, the extortion group began leaking the data.
The biggest challenge: threat actors adapt fast. They aren’t focusing on technical exploits. They’re exploiting access, trust, and human behavior. Salesforce is a perfect environment for this. For example, Salesforce doesn’t have a built-in antivirus. It doesn’t scan incoming data for cyber threats. Securing the data and users of the platform is the customer’s responsibility. Attackers are aware of this gap.
Customer information has high value on the dark web and can be used in further targeted attacks and identity theft.
Confirmed Salesforce breaches and attributed incidents in 2025:
- Google: breach disclosed in August but traced to activity in June. Targeted Salesforce CRM instance used for prospective Google Ads customer data. Impacted records included basic business contact details and related sales notes for SMB customers.
- Salesloft-Drift hack: Attackers stole OAuth tokens through the Drift integration, leading Salesforce to shut down all Salesloft connections. The stolen tokens were then used to pull data directly from Salesforce accounts. Confirmed victims include security companies like Zscaler, Palo Alto Networks, Proofpoint, Tenable, Qualys and Cloudflare.
- Workday: July disclosure of a third-party CRM breach exposing business contact data (names, emails, phone numbers). While Salesforce was not named, the case reflects how attackers target high-value SaaS and identity data to enable further exploits.
- Allianz Life: Similarly, a July breach via a third-party cloud CRM impacted 1.4 million customers. Tied to social engineering tactics seen in the Salesforce campaign.
- LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas: late July disclosures tied to the same Salesforce-focused campaign.
- GAP: alleged victim listed by the extortion group behind the campaigns targeting Salesforce instances.
- Chanel: activity detected July 25, disclosed Aug 4; personal contact data exposed; tied to the same wave of Salesforce data-theft extortion.
- Farmers Insurance: May breach via a third-party database exposed data of 1.1 million customers (names, addresses, driver’s license details, partial SSNs). Linked to the broader vishing campaign.
- Coca-Cola (Middle East): disclosed May; data leak affecting ~1,000 employees in UAE, Oman, and Bahrain. Salesforce file access was reported to be part of the chain.
- Coca-Cola Europacific Partners (CCEP): breach exposed over 23M Salesforce records (accounts, cases, contacts, products) via dashboards.
- UK retailers (M&S, Co-op, Harrods): May ransomware/data theft incidents; similar social-engineering and access-abuse tactics were observed.
- IKEA: allegedly breached by the hackers; no official disclosure.
- Stellantis: disclosed a data breach in September that came via a third-party provider; the company warned that contact data may be at risk. The case aligns with the Salesforce-targeting wave but is not confirmed as part of it.
- Aviation sector (Hawaiian Airlines, WestJet, KLM, Air France, Vietnam Airlines, Qantas): targeted June–July. While not confirmed as Salesforce compromises, the entry methods (help-desk manipulation, MFA bypass) mirror those used in CRM breaches.
Attribution note:
Attribution is difficult and varies by case. The ShinyHunters-branded group carried out most confirmed Salesforce-focused campaigns in 2025, while Scattered Spider and other ransomware groups showed overlapping tactics.
In recent months, multiple sources have described Scattered Lapsus$ Hunters as a loose collaboration of ShinyHunters, Scattered Spider, and Lapsus$. It shows how fluid these groups are in shifting names, tactics, and alliances as defenders catch up. This keeps attribution confusing even for industry experts.
UNC6040 / ShinyHunters: targeting Salesforce users with social engineering and OAuth abuse
In 2025, Google’s Threat Intelligence Group (GTIG) reported on a campaign by UNC6040 – a financially motivated threat actor blending social engineering with OAuth abuse to target Salesforce environments.
GTIG tracks the follow-on extortion phase as a separate cluster, UNC6240, more widely recognized under the ShinyHunters brand.
The group’s playbook begins with credential harvesting. Reused or phished single sign-on (SSO) credentials gave them initial access. Once authenticated, they moved laterally under the victim’s privileges, unnoticed, before escalating access through malicious Connected Apps. By generating long-lived OAuth tokens, they could bypass multi-factor authentication (MFA) entirely and avoid triggering standard security alerts.

The playbook in high-profile breaches
The Google breach became the highest-profile example of this method. In June 2025, attackers compromised a corporate Salesforce instance used to manage prospective Google Ads customer information. Attackers exposed approximately 2.55 million records, including business names, phone numbers, and sales follow-up notes. This is data with high value for phishing and fraud campaigns. Google stated that the data was largely public-facing and unrelated to Ads product systems, but the incident showed how attackers can weaponize even ‘non-sensitive’ CRM data once they exfiltrate it. GTIG confirmed the breach was part of the UNC6040/ShinyHunters activity, with custom tools used to accelerate Salesforce data extraction.
UNC6040’s access method didn’t rely on technical exploits. Instead, attackers impersonated IT support and used voice phishing (vishing) to walk employees through Salesforce’s Connected App setup page. They would instruct the target to enter an 8-digit connection code, which authorizes a rebranded version of Salesforce Data Loader (often called “My Ticket Portal”). This malicious app then granted persistent, privileged access without MFA. From there, data exports could occur quietly over time, and in some cases attackers pivoted into connected platforms like Microsoft 365 or Okta.
Confirmed victims include Google, Allianz Life (impacting the majority of its 1.4 million customers), LVMH brands Louis Vuitton, Dior, and Tiffany & Co., Adidas, Qantas, and Chanel’s U.S. client-care database. In each case, attackers used variations of the same method to gain long-lived access and extract CRM records.

UNC3944 / Scattered Spider: identity and workflow exploitation across industries
UNC3944, also known as Scattered Spider, is a long-running threat group that focuses on identity-driven intrusions across cloud and enterprise environments.
Like UNC6040, their defining move is manipulating IT support and identity provider (IdP) workflows to escalate access. Once inside, they authorise third-party data integration tools to extract cloud data without detection.
Specifically, observed techniques include:
- Persuading help desks to escalate permissions under false pretences
- Exploiting IdP integrations to maintain persistence across multiple systems
- Deploying virtual machines for staging and long-term access
Tim West, Head of Threat Intelligence at WithSecure, notes: “Scattered Spider deploy social engineering to gain access to SaaS environments. Their attacks may look technically simple, but that doesn’t make them any less dangerous. They’ve been linked to the MGM and M&S breaches.”
Google: Salesforce CRM breach targeting prospective Ads customers
In June 2025, Google confirmed that ShinyHunters breached one of its Salesforce CRM instances used to manage prospective Google Ads customer data. The company said that the incident was part of the same campaign its Threat Intelligence Group had tracked, which had already targeted other organizations through voice-phishing (vishing) and OAuth abuse.
As a result, attackers accessed records containing business names, contact information, and sales follow-up notes. Google stressed that the data was largely public and did not affect Ads-related systems such as Google Ads, Merchant Center, or Analytics, but the case showed how attackers can weaponize even ‘non-sensitive’ CRM data when they take it in bulk.
The incident underscores a broader trend: attackers can weaponize CRM-level business workflow information for phishing, fraud, and follow-on compromise at scale, even when the stolen data appears “non-sensitive”.
From help desk to breach: The same tactics behind the UK’s retail cyberattacks
Just months before Google’s disclosure, major UK retailers including M&S and Co-op were forced offline by a wave of ransomware and data theft attacks attributed to Scattered Spider (UNC3944). The breaches began with help desk impersonation and social engineering, enabling lateral movement and large-scale data exfiltration from inside trusted systems – all without exploiting technical vulnerabilities.
Airline sector attacks: Scattered Spider shifts focus
In June and July 2025, multiple aviation companies – including Air France, KLM, Hawaiian Airlines, Qantas and WestJet – were targeted in a coordinated wave of cyberattacks attributed to Scattered Spider (UNC3944) and ShinyHunters (UNC6040). Vietnam Airlines is one of the later victims.
The attacks prompted the FBI to warn publicly that the aviation industry is an active target.
The attack methods remain consistent: impersonating IT support staff, manipulating help desks (both internal and outsourced), and bypassing MFA to gain trusted access. Contact centers are a known soft spot, often targeted first due to their broad access and lower security controls.
What’s more, in some cases attackers reportedly used deepfake audio to impersonate employees and persuade help desk staff to authorize rogue access. Once inside, they quietly extracted sensitive data for extortion and, in some cases, deployed ransomware.
“Organizations need to be conscious that when outsourcing administrative functions – such as help-desk or management of Salesforce services – they are also extending their threat surface, and outsourcing security culture. There is no ‘silver-bullet’ technology that mitigates human risk,” West highlights.
When attackers exploit trust in one system, they often gain access to others just a few steps away.
When insurance firms get targeted: CRM data at risk
Attackers know insurance CRMs hold a goldmine of personal data. That makes them the perfect targets for fraud, false claims, and even building synthetic identities.
Allianz Life saw over a million customer records siphoned via a rogue Salesforce Data Loader app. Farmers Insurance was hit in a similar way, with more than 1.1 million customers impacted through a third-party database breach. In both cases, social engineering and trusted integrations opened the door.
The takeaway is clear. CRM-level data – which insurers manage in huge volumes – is more than enough to draw attackers in.
Workday breach: Payroll, HR and CRM data compromised
In July 2025, Workday disclosed that threat actors accessed a third-party CRM platform through a social engineering campaign. The company stressed that there was no impact on its payroll or HR customer tenants, and the information obtained was mostly business contact details such as names, email addresses, and phone numbers.
Even if the data taken wasn’t highly sensitive, the way it was stolen follows a familiar playbook. Attackers lean on trust, trick people into giving up access, and then use even basic CRM details to fuel bigger scams: phishing, fraud, and setting up the next breach.
Salesloft-Drift hack: OAuth tokens abused to siphon Salesforce data
In August 2025, Google’s threat intelligence team uncovered a major breach tied to Salesloft and its Drift app – an AI chatbot tool used in sales processes. As the true scale became clearer, Salesforce shut down all Salesloft integrations. Attackers linked to UNC6395 had stolen OAuth tokens from Salesloft Drift and used them to quietly siphon data from connected Salesforce orgs.
Google and Mandiant say the tokens were compromised across Salesforce and related systems, forcing urgent token revocations and credential resets. There’s no evidence of a flaw in Salesforce itself. Still, the ecosystem took a hit.
Notably, several cybersecurity vendors appeared on the confirmed list of victims.
Zscaler, a cyber security company, is one of the affected customers. Zscaler confirmed that its Salesforce instance was accessed through stolen Salesloft Drift tokens. The company stressed that its core products and infrastructure were untouched, but attackers still obtained customer information.
Disclosures of breaches from security companies such as Palo Alto Networks, Cloudflare, Proofpoint, Qualys and Tenable soon followed.
Misinformation has clouded the Salesloft Drift hack, but one thing is clear: attackers gaining access to customer data from leading security providers creates far-reaching implications for trust and supply chains.
Coca-Cola: Middle East employee data leak
In May 2025, the Everest ransomware group attacked Coca-Cola’s operations in the Middle East. The group accessed and leaked over 1,100 HR files, including:
- Personal identification documents
- Salary and banking details
- Internal org charts and account structures
The breach affected nearly 1,000 employees across the UAE, Oman, and Bahrain. Reports indicate that Salesforce file access was part of the attack chain.
Coca-Cola Europacific Partners: 23 million records exposed via Salesforce
In a separate incident, the Gehenna group breached Coca-Cola Europacific Partners (CCEP) Salesforce dashboards and exfiltrated over 23 million records. This included:
- 7.5 million account records
- 9.5 million customer service cases
- 6 million contact entries
- 400,000 product records
Soon after, the sample data was published on public breach forums. The attackers also contacted employees, signaling intent to sell or release more data unless paid.
Why this matters, and what comes next
Salesforce is central to how many organizations operate. It holds large volumes of sensitive customer records, sales data, intellectual property, and internal support content. Files and links flow through it every day. It’s deeply integrated with other cloud services.
Consequently, this level of access and automation makes it highly attractive to attackers. And yet, Salesforce environments often operate without the same level of monitoring or control applied to other enterprise systems.
When observing Salesforce attacks, we’ve seen phishing links embedded in business documents. Data exfiltrated directly from support systems. Malicious files distributed via workflow automation. Each case shows how attackers seek to exploit Salesforce’s built-in functionalities.
A human error triggered these recent Salesforce breaches. Someone answered a call and made a click. You can’t stop every slip, but you can stop the fallout: malware detonating inside Salesforce or phishing links being passed around.
This isn’t hypothetical. Threat actors are already targeting Salesforce directly – using impersonation, stolen credentials, and OAuth abuse to establish long-term access. The UK retail breaches show just how public and damaging these tactics have become.
If that’s already happening, the next question is clear: what happens when even more threat actors start treating Salesforce as the new and effective entry point?
Today it’s vishing and OAuth tokens. Tomorrow, when those doors close, where will the attackers pivot?
An evolving risk surface
Threat actors are shifting focus to systems where trust is built in. They don’t need to break through technical barriers when users are already opening the door, whether by approving a connected app, using single sign-on without MFA enforcement, or responding to a convincing IT support call.
The Salesforce threat surface is expanding:
- Users are uploading and sharing more files
- Portals and agents interact with customers at scale
- Connected apps have broad privileges, often without visibility
- Credentials are being reused or phished, giving attackers direct entry into CRM environments
In many cases, attackers who compromise a credential can quietly authenticate, pivot across cloud services, and extract data without triggering alarms. They often maintain access long after the initial breach.
Without inspection and control, these access pathways become vulnerabilities. And the cost of exposure – operational, legal, reputational, strategic – can be difficult to contain.
Attackers have leaned hard on psychological pressure. They’re naming victims in public, spinning up leak sites overnight, and exaggerating how sensitive the stolen data is. It’s all about forcing payment and making the next target think twice.
Salesforce has issued a warning for customers, where they emphasise that these incidents are not due to a platform vulnerability, but to targeted phishing and social engineering against customers. They recommend measures such as enforcing MFA, applying least privilege, restricting login IP ranges, managing Connected Apps carefully, using Salesforce Shield for event monitoring, and designating a Security Contact for incident communication.

Identity-based attacks are the common thread
Worth highlighting is that many of these Salesforce attacks don’t rely on technical exploits, but succeed through access. And that access often begins with compromised credentials.
The compromise might come from a phishing link. Or from login details exposed in a third-party breach. Credentials dumped on the dark web are frequently recycled across systems, giving attackers an easy way in. As attackers increasingly exploit legitimate access methods and IT support workflows, even one reused password or stolen credential can open the door to Salesforce… and everything it connects to.
Indeed, as Google’s case shows, even a narrowly scoped Salesforce instance with limited business data can still be targeted and exploited when attackers have a working playbook and automation to exfiltrate it at scale.
Extortion escalates: Scattered Lapsus$ Hunters launch public leak site
In early October, a group calling itself Scattered Lapsus$ Hunters began leaking data stolen from Salesforce customer environments. The collective – claiming links to ShinyHunters and Scattered Spider – published samples from 39 global brands and even issued a ransom demand directed at Salesforce itself. The collective claimed to hold roughly one billion records and threatened to leak them publicly if payment wasn’t made. As of now, the claims have not been independently confirmed, but the group has started to leak data from several victims, including airlines.
Salesforce stated there’s no evidence of a platform compromise, noting that these extortion attempts relate to past or unsubstantiated incidents. Salesforce continues to work with law enforcement and affected customers, encouraging all organizations to stay vigilant against phishing and social engineering.
What started as social engineering and OAuth abuse has now turned into open extortion. The wave of breaches has also led to at least 14 lawsuits filed against Salesforce, highlighting growing tension around shared responsibility in SaaS security.
What you can do in light of Salesforce attacks
You can’t prevent every phishing email. You can’t control which credentials show up on the dark web. And no help desk workflow is completely immune to social engineering.
But you can still take control over what happens next. And as these recent Salesforce attacks underline, proactive security strategies are key.
These practical recommendations help reduce risk across identity, access, and content:
Audit and visibility
Audit connected apps and user activity in Salesforce. Regularly review and revoke unused or high-privilege accesses. Monitor for suspicious login behavior, including unexpected bulk data exports, spikes in Data Loader/API calls, or new Connected App authorizations.
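The monitoring above, and the rebranded Data Loader / unexpected Connected App pattern described in the UNC6040 section, can be turned into two concrete detection rules. The following is an added example, not code from this post or from WithSecure’s product; the record layout, field names, app inventory, threshold and sample events are all constructed assumptions loosely modelled on Salesforce event log columns, not an exact schema.

```python
"""Two detection rules over constructed Salesforce-style event records.

Rule 1 flags a Connected App name that is absent from the org's app
inventory and appears for the first time (the "My Ticket Portal" pattern).
Rule 2 flags a user whose bulk-export volume crosses a per-hour threshold
(a Data Loader / Bulk API spike).  Field names are assumptions, not the
real EventLogFile schema.
"""
from collections import defaultdict
from datetime import datetime

# Assumed inventory of approved Connected Apps (would come from your org).
KNOWN_APPS = {"Salesforce for Outlook", "Data Loader", "Marketing Cloud"}

# Rows exported per user per hour before alerting (tuning assumption).
ROW_THRESHOLD = 100_000

# Constructed sample events, not real telemetry.  Each dict mimics one row
# of a Login or BulkApi event: who, which client app, and (for bulk jobs)
# how many rows were processed.
SAMPLE_EVENTS = [
    {"type": "Login", "user": "jdoe", "client": "Data Loader",
     "ip": "203.0.113.5", "ts": "2025-06-10T09:00:00"},
    {"type": "BulkApi", "user": "jdoe", "client": "Data Loader",
     "entity": "Account", "rows": 1200, "ts": "2025-06-10T09:05:00"},
    {"type": "Login", "user": "asmith", "client": "My Ticket Portal",
     "ip": "198.51.100.9", "ts": "2025-06-10T11:00:00"},
    {"type": "BulkApi", "user": "asmith", "client": "My Ticket Portal",
     "entity": "Contact", "rows": 250000, "ts": "2025-06-10T11:02:00"},
    {"type": "BulkApi", "user": "asmith", "client": "My Ticket Portal",
     "entity": "Account", "rows": 180000, "ts": "2025-06-10T11:15:00"},
]


def detect(events, known_apps=KNOWN_APPS, row_threshold=ROW_THRESHOLD):
    """Return a list of (rule, user, detail) findings in event order."""
    findings = []
    seen_apps = set()
    hourly_rows = defaultdict(int)  # (user, hour) -> rows processed

    for ev in sorted(events, key=lambda e: e["ts"]):
        client = ev["client"]

        # Rule 1: first appearance of a client app not in the inventory.
        if client not in known_apps and client not in seen_apps:
            seen_apps.add(client)
            findings.append(("new_connected_app", ev["user"], client))

        # Rule 2: bulk export volume per user per hour.  Alert once, when
        # the running total first crosses the threshold, so a long-running
        # export does not produce one alert per batch.
        if ev["type"] == "BulkApi":
            hour = datetime.fromisoformat(ev["ts"]).strftime("%Y-%m-%dT%H")
            key = (ev["user"], hour)
            before = hourly_rows[key]
            hourly_rows[key] += ev["rows"]
            if before <= row_threshold < hourly_rows[key]:
                findings.append(("bulk_export_spike", ev["user"],
                                 f"{hourly_rows[key]} rows in hour {hour}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20} user={user:8} {detail}")
```

In a real deployment the inventory would be pulled from the org's Connected App list and the threshold tuned per user role; the two rules together catch the case the post describes, where an unfamiliar app starts pulling whole objects in bulk.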
Identity and access controls
Enforce phishing-resistant MFA across all user roles and integrations. Apply least privilege principles and limit admin access. Harden IT support processes against impersonation tactics by requiring no-exceptions callbacks to a known internal number before honoring privileged requests. Include Salesforce in access governance reviews.
Credential compromise monitoring
Ensure you can detect credential compromise, rapidly revoke access, and restore clean Salesforce configurations and data when needed.
Real-time content protection
Use natively integrated threat protection to inspect files and links directly in Salesforce. Minimize human error by preventing phishing links and malware from spreading through cases, chats, and portals – not just email.
Phishing and user awareness
Educate users about social engineering methods, voice phishing (vishing), and fake app installs targeting Salesforce. Train staff to recognize and report malicious Connected App requests, especially those involving “connection codes” or unexpected Data Loader authorizations.
Third-party systems and integration risk
Review and vet all connected apps and external platforms, especially support tools, help desks, and ticketing systems. Limit “connection code” installs to admins and restrict high-risk logins to trusted IP ranges.
Incident response preparation
Include Salesforce in incident response and recovery plans. Prepare customer-notification and legal/PR workflows specifically for CRM data exposure cases, and pre-plan your response to potential private extortion emails.
API and token hardening
Limit the “API Enabled” permission to the smallest set of roles. Use High-Assurance Sessions for API/OAuth flows, and shorten session lifetimes.
Locks mean nothing if the door stays open
Think of Salesforce like the front door to your business. You can have the strongest locks in the world, but if you leave the door wide open, attackers don’t need to pick anything. They just walk straight in.
That’s what happens when malware or phishing links flow unchecked through Salesforce. You’ve locked the perimeter, trained your staff, tightened identity controls. Yet the most obvious door is still wide open.
Real-time protection against cyber attacks targeting Salesforce
Most security tools don’t see what’s happening inside Salesforce. That’s why we built a native layer of protection: to give you the visibility and control that would otherwise be missing in Salesforce.
It blocks malicious files and phishing links before they land in front of users.
It inspects content shared via email, portals, cases, and automation in real time.
And soon, it will monitor compromised credentials being used to get into Salesforce.
Attackers change tactics fast. Your defenses should keep up just as quickly. WithSecure Cloud Protection for Salesforce sets up in a few clicks and gives you the baseline hygiene Salesforce can’t be without. It stops breaches before they have a chance to spread and cause damage.
Prevention is always cheaper than recovery.
Why Salesforce is now a prime target for cyber attacks | expert interview:
I sat down with WithSecure’s Head of Threat Intelligence, Tim West, to unpack what’s really happening behind the scenes of recent Salesforce attacks, and how security teams can stay ahead of the curve.
Breaches don’t stay in one lane
Data flows between Salesforce and other cloud systems. Protecting Salesforce isn’t just about Salesforce.
OAuth abuse today, zero-day malware or something else tomorrow.
Like a wise man said, if you have several holes in your ship, you don’t just plug one – you need to fix them all. This applies to your Salesforce security, too.