Salesforce

Salesforce is facing multiple lawsuits following a cyberattack that exposed customer data due to a breach involving third-party integrations (Salesloft Drift). Attackers stole OAuth tokens from Salesloft’s GitHub in March 2025, later exploiting them to access Salesforce systems in July 2025. The breach led to the theft of personally identifiable information (PII), putting victims at risk of identity theft and fraud. Lawsuits, including a class action led by Staci Johnson, allege Salesforce failed to implement adequate security measures, forcing affected individuals to monitor financial accounts and credit reports. While Salesforce denies platform compromise, the attack impacted major clients like TransUnion (4.5M individuals) and Farmers Insurance (1M customers). Google’s analysis confirmed the attack relied on social engineering, impersonating IT support to trick employees into sharing credentials—no inherent Salesforce vulnerability was exploited. The incident highlights risks in third-party integrations and credential theft.

Source: https://www.theregister.com/2025/09/26/salesforce_class_actions/

TPRM report: https://www.rankiteo.com/company/salesforce

{
  "id": "sal5090350110725",
  "linkid": "salesforce",
  "type": "Breach",
  "date": "3/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Technology/Cloud Services',
                        'location': 'Northern California, USA',
                        'name': 'Salesforce',
                        'type': 'SaaS CRM Vendor'},
                       {'industry': 'Sales Engagement Platform',
                        'name': 'Salesloft',
                        'type': 'Third-Party Vendor'},
                       {'customers_affected': '4.5 million individuals',
                        'industry': 'Consumer Credit Reporting',
                        'name': 'TransUnion',
                        'type': 'Customer of Salesforce'},
                       {'industry': 'Insurance',
                        'name': 'Allianz Life Insurance',
                        'type': 'Customer of Salesforce'},
                       {'customers_affected': '1 million customers',
                        'industry': 'Insurance',
                        'name': 'Farmers Insurance',
                        'type': 'Customer of Salesforce'},
                       {'industry': 'HR/Enterprise Software',
                        'name': 'Workday',
                        'type': 'Customer of Salesforce'},
                       {'industry': 'Retail/Jewelry',
                        'name': 'Pandora Jewelry',
                        'type': 'Customer of Salesforce'}],
 'attack_vector': ['Social Engineering',
                   'OAuth Token Theft',
                   'Third-Party Compromise (GitHub/Salesloft Drift)'],
 'customer_advisories': 'Customers (e.g., TransUnion, Farmers Insurance) '
                        'notified their affected users separately.',
 'data_breach': {'data_exfiltration': 'Yes (OAuth tokens and credentials '
                                      'stolen)',
                 'personally_identifiable_information': 'Yes (names, financial '
                                                        'data, etc.)',
                 'sensitivity_of_data': 'High (PII, credentials)',
                 'type_of_data_compromised': ['PII',
                                              'Credentials (AWS keys, '
                                              'passwords)',
                                              'Access tokens']},
 'date_publicly_disclosed': '2025-07',
 'description': 'Salesforce is facing multiple lawsuits following a '
                'cyberattack that exposed customer data. The breaches involved '
                'the theft of OAuth tokens from the third-party Salesloft '
                'Drift app, leading to unauthorized access to Salesforce '
                'systems. Attackers used social engineering to impersonate IT '
                'support and trick employees into sharing credentials. '
                'Salesforce denies its platform was compromised, attributing '
                'the issue to third-party vulnerabilities. Lawsuits allege '
                'negligence in securing PII, with victims at risk of identity '
                'theft.',
 'impact': {'brand_reputation_impact': 'Significant (lawsuits, media coverage, '
                                       'customer distrust)',
            'customer_complaints': 'Multiple lawsuits filed (15+ cases, '
                                   'including class actions)',
            'data_compromised': ['Personally Identifiable Information (PII)',
                                 'AWS access keys',
                                 'Passwords',
                                 'Snowflake-related access tokens'],
            'identity_theft_risk': 'High (victims required to monitor '
                                   'financial accounts/credit reports)',
            'legal_liabilities': ['Class action lawsuits (e.g., Staci Johnson '
                                  'v. Salesforce)',
                                  'Potential regulatory fines'],
            'systems_affected': ['Salesforce CRM (via third-party integration)',
                                 'Salesloft Drift',
                                 'GitHub repositories']},
 'initial_access_broker': {'entry_point': 'Salesloft Drift GitHub repository '
                                          '(compromised in March 2025)',
                           'high_value_targets': ['AWS access keys',
                                                  'Snowflake tokens',
                                                  'Salesforce OAuth tokens']},
 'investigation_status': 'Ongoing (lawsuits pending; Salesforce denies '
                         'platform compromise)',
 'lessons_learned': 'Third-party integrations (e.g., OAuth tokens) can be '
                    'critical attack vectors; social engineering remains a '
                    'potent threat; proactive customer support and '
                    'transparency are essential during incidents.',
 'motivation': ['Data Theft',
                'Credential Harvesting',
                'Potential Financial Gain (identity theft/fraud)'],
 'post_incident_analysis': {'root_causes': ['Social engineering (IT support '
                                            'impersonation)',
                                            'Inadequate protection of '
                                            'third-party OAuth tokens '
                                            '(Salesloft Drift)',
                                            'Lack of MFA or token rotation '
                                            'policies']},
 'recommendations': ['Enhance third-party vendor security assessments',
                     'Implement multi-factor authentication (MFA) for OAuth '
                     'token access',
                     'Conduct regular social engineering awareness training',
                     'Monitor dark web for stolen credentials/tokens',
                     'Improve incident communication to affected customers'],
 'references': [{'source': 'The Register'},
                {'source': 'Staci Johnson v. Salesforce (Class Action '
                           'Complaint)'},
                {'source': 'Google Threat Intelligence Group Analysis'},
                {'source': 'Salesforce Trust Page',
                 'url': 'https://trust.salesforce.com'}],
 'regulatory_compliance': {'legal_actions': ['Class action lawsuits (e.g., '
                                             'Staci Johnson v. Salesforce)']},
 'response': {'communication_strategy': ['Public notices',
                                         'Media statements',
                                         'Trust page updates'],
              'incident_response_plan_activated': 'Yes (Salesforce offered '
                                                  'support to affected '
                                                  'customers)',
              'remediation_measures': 'Salesforce directed customers to its '
                                      'Trust page for protective steps; denied '
                                      'platform compromise'},
 'stakeholder_advisories': 'Salesforce advised customers to review security '
                           'practices via its Trust page.',
 'title': 'Salesforce Cyberattack Exposing Customer Data via OAuth Token Theft',
 'type': ['Data Breach', 'Unauthorized Access', 'Credential Theft'],
 'vulnerability_exploited': 'Human error (social engineering via impersonation '
                            'of IT support); Stolen OAuth tokens from '
                            'Salesloft Drift'}