The last month of headlines have been dominated by an increasing number of data breaches impacting Salesforce customers. These incidents have affected some of the world’s most recognizable brands including Google, Adidas, Chanel, Louis Vuitton, Qantas, and dozens of others across retail, luxury fashion, technology, aviation, and insurance sectors. Unlike traditional platform vulnerabilities, these breaches represent part of a broader trend targeting authentication flows and trust relationships. Similar to recent incidents like the Cyberhaven Chrome extension compromise that exploited OAuth permissions to bypass MFA, or Okta’s multiple authentication bypass vulnerabilities in 2024, these Salesforce attacks demonstrate how threat actors are increasingly focusing on abusing legitimate authentication mechanisms rather than seeking technical flaws in platforms themselves.
This blog represents our analysis of what we know from published reliable sources, combined with insights into how these attacks work and what organizations can do to protect themselves from similar incidents.
What We Know So Far
While investigations continue and additional impacts may still unfold, the release of detailed reports from Google’s Threat Intelligence Group (GTIG) and cybersecurity researchers has provided significant clarity beyond initial disclosures.
The Scale: Multiple High-Profile Organizations Compromised
The breadth of these attacks is staggering. Threat actors have claimed at least 91 victims worldwide, with confirmed compromises spanning virtually every major industry sector. The affected organizations include some of the world’s most recognizable brands:
This cross-industry impact underscores why Salesforce has become such an appealing target. It’s not just one vertical, but a cross-industry aggregation of high-value customer data that sits at the core of business operations for enterprises worldwide.
The Threat: At Least Two Separate Attack Groups
Security researchers have identified two distinct campaigns targeting Salesforce platforms, each run by different attackers with their own methods and data-focused objectives:
| UNC6040 – ShinyHunters Group | UNC6395 | |
Initial Attack | Voice phishing (vishing) calls to employees | Unknown |
Salesforce Compromise | Victims were tricked into authorizing fake “Data Loader” apps during the calls to give persistent access legitimate OAuth processes | Exploited already-compromised OAuth tokens from the Salesloft Drift integration |
Targeted Data | No specific data | Specifically targeted AWS access keys, passwords, and Snowflake tokens |
Objective | Steal customer information to extort organizations | Harvest credentials for downstream attacks |
The Crisis: OAuth Integration
Both the UNC6040 and UNC6395 campaigns succeeded not despite modern security controls, but because of a fundamental architectural flaw that JPMorgan Chase CISO Pat Opet recently identified in his stark warning to the industry. As Opet explained, modern integration patterns are “relying heavily on modern identity protocols (e.g., OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources.” These attacks represent the inevitable consequence of what Opet calls an “architectural regression” that has dismantled decades of proven security boundaries.
Traditional security architecture maintained strict separation where “external interaction layers like APIs and websites were intentionally separated from a company’s core backend systems, applications, and data that powered them.”. Both attack campaigns exploited the collapse of this model. In UNC6040’s social engineering attacks, victims weren’t just tricked into giving away passwords—they were manipulated into authorizing direct API access that rendered MFA completely irrelevant. The UNC6395 campaign targeting Salesloft Drift didn’t need to break through security layers at all; they simply hijacked existing OAuth tokens that already had legitimate access rights.
The cruel irony is that while organizations invested heavily in multi-factor authentication, they simultaneously adopted integration patterns that, as Opet warns, “collapse authentication (verifying identity) and authorization (granting permissions) into overly simplified interactions, effectively creating single-factor explicit trust between systems on the internet and private internal resources.” OAuth tokens, once granted, operate with implicit trust—there’s no “multi-factor” check when an authorized application requests data.
These weren’t sophisticated zero-day exploits; they were inevitable outcomes of a broken model. As Opet noted, “attackers are now actively targeting trusted integration partners” specifically to exploit OAuth-based access paths. The fundamental problem isn’t that MFA failed—it’s that modern SaaS integration architecture created an entirely separate access pathway where MFA was never designed to operate. Organizations built walls around their front doors while OAuth integrations opened unlimited back doors, and attackers simply walked through them.
The Response: Platform Hardening Without Admitting Fault
Throughout these incidents, Salesforce has maintained that “the Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology.” The company has emphasized the shared responsibility model, positioning these breaches as customer-side security failures rather than platform issues.
However, Salesforce has implemented several meaningful security enhancements in response:
Connected App Restrictions
In August 2025, Salesforce announced restrictions on “uninstalled connected apps”—applications that haven’t been formally installed through the AppExchange but can still be authorized by users. Now, specific user permissions (“Approve Uninstalled Connected Apps” and “Use Any API Client”) are required to authorize these applications, creating an additional barrier against social engineering attacks.
Data Loader Authentication Changes
On September 2, 2025, Salesforce eliminated the OAuth Device Flow option for the auto-installed Data Loader app—the same flow that attackers exploited in their social engineering campaigns. Organizations must now use either password authentication or the more secure OAuth Web Server Flow.
While these changes address some attack vectors, they also highlight how the platform’s previous configuration enabled the very attacks that caused widespread breaches.
Next Steps : What Organizations Need to Do.
Based on the attack patterns observed in these campaigns, there are a variety of steps that organizations should take immediately in response , as well as start planning for more strategic changes:
Immediate Salesforce Actions
Comprehensive OAuth Audit
Review all Connected Apps currently authorized in Salesforce environments, removing unused, unrecognized, or suspicious applications immediately.
Permission Review
Restrict the “API Enabled” permission to only essential users who require programmatic access to Salesforce data. Symmetry’s access analysis capabilities can identify users with excessive privileges and help organizations rightsize permissions based on actual usage patterns rather than initial provisioning decisions.
Integration Data Risk Assessment
Evaluate all third-party integrations, based on the sensitivity and volume of data they have access to. Symmetry’s data discovery features can map exactly what sensitive data human and non-human identities can access within Salesforce, including credentials, customer records, and other high-value information that attackers typically target.
IP Restrictions
Implement IP address restrictions for Connected Apps wherever technically feasible to limit access to known, trusted locations.
Employee Awareness
Ensure existing awareness programs specifically address voice phishing scenarios and OAuth consent phishing. Employees need to understand that phone calls requesting system access should always be independently verified.
Long-Term Security Enhancements
OAuth Governance Framework
Establish clear policies requiring approval processes for all new OAuth app authorizations, treating them as security decisions rather than routine IT functions. Understanding the data exposure of users who might authorize applications becomes critical—Symmetry’s visibility into user data access can inform risk assessments for OAuth authorization decisions.
Continuous Data Activity Monitoring (or Data Detection and Response)
Implement monitoring systems that can detect unusual data access patterns, particularly large-scale data exports or access from unfamiliar applications. Symmetry’s operational monitoring can track data access patterns for users whose credentials might be compromised, helping detect when applications are accessing data beyond normal user behavior patterns.
Integration Security Reviews
Conduct regular security assessments of all third-party integrations, including their OAuth permissions, data access patterns, and security postures. Since OAuth applications inherit the data access rights of the users who authorize them, Symmetry’s comprehensive visibility into user data permissions provides crucial context for evaluating the true risk exposure of each integration.
What We Still Don’t Know: Critical Gaps in Understanding
Despite extensive reporting and investigation, several critical questions remain unanswered:
About the Attacks Themselves
- Full Victim Scope: While threat actors claim 91 organizations, the exact number of confirmed breaches remains unclear as many companies use vague language like “third-party CRM” in their disclosures rather than explicitly naming Salesforce.
- Initial Salesloft Compromise: The exact technique used to compromise the Salesloft Drift OAuth tokens has not been disclosed, leaving organizations uncertain about how to prevent similar supply chain-style attacks.
- Relationship Between Campaigns: Whether there is any connection between the campaigns.
About the Impact
- Data Monetization: The extent to which stolen customer data has been sold on dark web markets.
- Credential Usage: How harvested cloud credentials from the UNC6395 campaign have been weaponized for attacks against AWS, Snowflake, and other cloud services.
What Can The Industry Learn From This?
Rethinking API Privilege and Access Control
The 2025 Salesforce incidents expose critical weaknesses in how organizations manage API-based access across their SaaS ecosystems. When users grant OAuth permissions to third-party applications, they’re essentially providing those services the ability to act on their behalf with persistent access to organizational data—often with far broader privileges than necessary for the application’s actual function. The success of both social engineering and supply chain attacks highlights that organizations lack adequate tools and processes for implementing least privilege principles in SaaS integrations. Users need granular controls to limit application access to only the specific data required, rather than the broad permissions that most OAuth implementations currently demand. Equally important is the need for continuous monitoring capabilities that can track how these privileged applications actually use their access, detecting anomalous data retrieval patterns that might indicate compromise or abuse.
Understanding Your Data Exposure
A fundamental challenge revealed by these breaches is that most organizations have limited visibility into what sensitive data—including credentials, API keys, and other authentication materials—is actually stored within their CRM and other SaaS platforms. This blind spot becomes critical when attackers gain authorized access through compromised integrations, as they can immediately identify and extract the most valuable information without triggering traditional security alerts. Tools like Symmetry Systems are addressing this challenge by providing comprehensive data discovery and classification across cloud environments, helping organizations understand their true data exposure and implement appropriate controls based on actual risk rather than assumptions about what data might be at risk.
Practical Solutions to the Supply Chain Crisis Are Already Emerging
While Pat Opet’s call for industry-wide architectural changes may seem daunting, innovative companies like Symmetry are already pioneering solutions through unique deployment models that maintain customer control over data while enabling SaaS functionality. Their approach demonstrates that the OAuth integration crisis isn’t insurmountable—organizations can begin addressing these risks today by gaining better visibility into their data, implementing more granular access controls, and adopting deployment models that preserve security boundaries without sacrificing the benefits of modern cloud services. These emerging solutions prove that responding to the fundamental architectural challenges doesn’t require waiting for industry-wide transformation—proactive organizations can start building more secure integration patterns now.
