“Trust” is a core value that Salesforce used to build its brand. Now that promise is being put to the test as hundreds of data-theft campaigns have compromised sensitive customer records, prompted FBI warnings, and even led to a mounting list of lawsuits from enterprise clients considering class-action consolidation.
A Wave Of Assaults That Test A Trust-First Brand
Threat actors have focused extensively on Salesforce environments with pinpoint precision, utilizing social engineering and identity attacks that are pervasive across industries. Victims include international luxury and retail brands, as well as financial and technology companies. The activity was linked by security researchers with Mandiant, as well as Google’s threat teams, to clusters tracked as UNC6395, UNC6040, and UNC6345, while ShinyHunters, an extortion group operated by a member of the cyber-underworld named “Sh1ny,” has claimed credit for segments of the spree.
More organizations reported breaches stemming from the use of a third-party SaaS platform, and the FBI issued a flash warning. Several named Salesforce directly. Security leaders say the roster of affected companies is longer than those that have come forward, and some estimates indicate that the fallout has hit hundreds of companies around the world.
From Phishing to OAuth Abuse in Salesforce Attacks
The early intrusions involved phishy pages that lured users to log in to the Okta single sign-on, then escalated to vishing (spear-vishing calls) where attackers posed as IT and pushed employees toward nefarious login flows. Cory Michal of AppOmni explained how attackers registered lookalike “-okta.com” domains and collected credentials as well as MFA sessions with adversary-in-the-middle toolkits.
The next stage went after Salesforce’s connected-app model. UNC6040 deceived users into granting rogue apps (such as mimics of Data Loader-type utilities) API-level access, resulting in exfiltration of large data sets, according to Mandiant. “In this rich and complex attack surface, we can expect some mismatch between risk projections of SaaS security drivers.” With over 9,000 marketplace apps to extend Salesforce, there are plenty of open doors.
The Drift Tokens Ignite A Crisis Of Confidence
The most damaging twist came with machine-to-machine abuse. Mandiant and Google’s threat team explained how UNC6345 used OAuth tokens acquired from Salesloft’s Drift integration to exfiltrate data from multiple Salesforce environments. BleepingComputer said ShinyHunters had claimed to have taken more than 1.5 billion records from around 760 companies — numbers that could not be independently verified but highlight the scale of risk when tokens are stolen at source.
The tactic follows on from previous rounds of attacks using stolen OAuth credentials harvested from another vendor to pivot into Microsoft 365 tenants. After compromise, tokens are bearer keys unless further controls tie them to a device, certificate, or network boundary.
Salesforce’s Response And Security Gaps Exposed
Salesforce has stressed that it was not breached in a technical sense, but instead customer instances were attacked using phishing and/or vishing, as well as third-party integrations being malicious or compromised. Salesforce reacted by restricting its connected-app stance, reducing end-user installs, and severing a device-based connection route exploited by the attackers. The company is also calling for wider use of IP allow lists.
But critics say the response has been top-heavy on administrative rather than technical solutions. Salesforce terminated access to Salesloft while investigating, but security professionals say firmer token controls can’t come soon enough. Okta’s Brett Winterford cites OAuth 2.0 DPoP and Mutual TLS as already proven methods of binding tokens by cryptographic means to legitimate clients, thereby devaluing stolen credentials. He also says that IP allow-listing for machine-to-machine traffic — although operationally more challenging — can be key, in particular if vendors would provide stable IP lists for automatic whitelisting.
Salesforce customers report that the platform itself does allow for IP-based restrictions on API logins, though this is not configured by default and requires customers to keep a list of vendor IPs up to date.
That’s a heavy burden for overtaxed security teams, and uneven across third-party ecosystems.
Legal And Regulatory Pressure Mounts On Salesforce
At least 14 Salesforce users have filed related suits, and firms representing the plaintiffs are eyeing class-action consolidation. Disclosure filings to state attorneys general — especially in states with strict timing requirements — indicate that the tally of incidents is wider-ranging than public statements acknowledge. Legal experts, including those from Rimon Law such as Joseph Rosenbaum, say that complicated third-party dependencies make breach attribution complex, but not liability for the exposure of consumer data.
The core issue is trust. The adversary’s highway is a vendor ecosystem. Customers want laser-fast controls that limit the blast radius — especially for systems worth milking including sales pipelines, support data, and PII. Administrative guidance is helpful, but the market now wants built-in security that assumes tokens will be stolen and cannot be used beyond official clients and networks.
What Security Leaders Need to Do Now To Reduce Risk
- Lock down connected apps by default, require admin approval for them, and audit scopes.
- Enforce IP allow lists for API integrations where vendor ranges exist, and require partners to publish ranges.
- Rotate your OAuth credentials and terminate grants you no longer use.
- Where feasible, mandate DPoP or Mutual TLS for token binding and pressure vendors to implement these standards.
- Rehearse an incident playbook that provides for quick, third-party isolation without disrupting core business operations.
Restore confidence in Salesforce by transitioning from optional controls to secure-by-default settings, be the curator of ecosystem-wide IP intelligence, and accelerate support for token-binding standards. In the meantime, the company’s story about trust will be seen as less about slogans than how quickly it can pull back this one — and stop the next.