Salesforce Data Theft Roundup: Everything You Need to Know : Ross Collie

Below post content copied from Salesforce News | Salesforce Ben



**Summary of Salesforce Data Theft Incidents**

Recent social engineering attacks have targeted well-known Salesforce customers, allegedly linked to a hacking group called ShinyHunters (also known as UNC6240). These attacks primarily involve English-speaking branches of multinational corporations using Salesforce, where attackers deceive employees into downloading a malicious replica of the Data Loader app. This compromised app provides hackers with extensive access to sensitive customer data stored in Salesforce accounts. Many companies affected by these attacks have refrained from naming Salesforce directly, referencing it instead as a "third-party CRM."

Key incidents include:

- **May 23**: Adidas reported unauthorized access to consumer data via a third-party service provider.
- **June 5**: Reports emerged of large data thefts linked to compromised Salesforce-related apps.
- **June 30**: Qantas detected unusual activity linked to this hacking campaign.
- **August 6**: Chanel confirmed it was a victim of a data breach involving customer information.
- **August 11**: Google acknowledged being targeted in these recent data breaches.

Salesforce has responded by tightening security around connected apps to prevent further incidents. They emphasize that their platform itself has not been compromised and urge all administrators to review and secure their connected apps proactively.

**Additional Context:** The ongoing nature of these attacks highlights the importance of cybersecurity awareness, especially regarding social engineering tactics. Organizations are encouraged to audit their connected apps and implement strict permission controls to mitigate risks.


Several big-name Salesforce customers have been targeted by social engineering attacks, with attackers claiming affiliation with the well-known hacking group ShinyHunters, aka UNC6240.

A trend has emerged in reports of the incidents: employees at English-speaking branches of multinational corporations that use Salesforce are voice phished over phone calls and tricked into downloading an attacker-controlled replica of the Data Loader app, which compromises their data.

Once downloaded, the app grants hackers extensive access, enabling them to query and exfiltrate sensitive data from compromised Salesforce customer accounts. Follow-up extortion attacks have also been reported. 

Many companies do not name Salesforce directly when they reveal the incidents, instead opting for phrasing like “third-party CRM”. With that caveat in mind, here is a roundup of all the incidents we know of so far. 

SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.

Timeline of 2025 Salesforce Customer Hacks

May 23: Adidas publishes a statement revealing that an “unauthorized external party” had obtained “certain consumer data through a third-party customer service provider”. 

The company said that the affected data does not contain passwords, credit card, or any other payment-related information. 

“It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past,” Adidas said. 

Subsequent reporting would link this incident to the Salesforce customer social engineering attacks. 

June 5: Salesforce Ben reports that hackers had stolen large amounts of data by tricking employees at companies into installing a modified version of a Salesforce-related app.

June 16: Salesforce Ben publishes an article outlining how admins can audit connected apps and keep their orgs secure. 

June 30: Australian airline Qantas “detected unusual activity on a third-party platform used by a Qantas airline contact centre”. Later reporting links this to the ShinyHunters campaign. 

July 26: Reports say that Allianz Life had been subjected to a hack whereby a “malicious threat actor gained access to a third-party, cloud-based CRM system” used by the insurance giant. 

The company’s statement on the incident did not name Salesforce, but BleepingComputer wrote that they had learned the attack is “believed to have been conducted by the ShinyHunters extortion group”. 

August 6: We report that fashion giant Chanel had announced in a letter to its clients that the company had fallen prey to a Salesforce data security breach, impacting customers in the United States. The breach was detected on July 25, after hackers infiltrated Chanel’s database, which was hosted at a third-party service provider. 

Pandora is also reported to be among those targeted in a “security attack, where some customer information was accessed through a third-party platform that we use”. 

August 7: Salesforce posts an advisory message, warning customers of social engineering and phishing threats. They stress that the Salesforce platform has not been compromised, and the issue is “not due to any known vulnerability in our technology”. 

August 11: Salesforce Ben reports that Google is among the victims of the Salesforce-related data breaches. Google’s Threat Intelligence Group (GTIG) were believed to be the first to draw attention to ShinyHunters’ known tactics.

August 18: We report that Workday has been targeted in a social engineering campaign, with the attackers gaining access to information from a “third-party CRM platform”. They did not name Salesforce directly in their blog post revealing the incident, but it came amid a wave of data theft attacks against the cloud giant’s customers.

August 19: Salesforce notifies its user base of a hardening of the exploited connected apps functionality, which will automatically disable non-installed connected apps for new users and disable connections that were obtained using the OAuth 2.0 device flow authorization process. 

What To Do With Your Org

The hacking campaign typically involves victims downloading a malicious replica of the Data Loader app. 

Even if you do not believe your data has been breached, now is always a good time to make sure – and audit your connected apps. 

Tom Bassett recently wrote an article for Salesforce Ben outlining how Salesforce administrators can do this. You can read about it here:

READ MORE: A Salesforce Admin’s Guide to Auditing Connected Apps

Amid the wave of social engineering attacks, Salesforce announced that it would be tightening security around the use of connected apps.

Salesforce is taking action by restricting the use of “uninstalled connected apps”, blocking end users from using them. 

In a release that is set to arrive in September, the company will be enacting restrictions on connected apps that have been authorized by a Salesforce user, but have never been installed in the Salesforce org as a configuration.

You can read more about the changes Salesforce is making to tighten security around the use of connected apps here:

READ MORE: Salesforce Hardens Connected Apps Security Amid Social Engineering Attacks
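An added example, not from the original article or from Salesforce: a sketch of the connected-app audit described above, run over a constructed CSV of connected-app authorizations. The column names, app names, allow-list and cutoff date are assumptions for illustration; adapt them to whatever export your org produces.

```python
import csv
import io
import re

# Constructed sample: one row per (app, user) authorization. Column names are
# hypothetical, not a Salesforce export format.
USAGE_CSV = """app_name,user,installed,last_used
Data Loader,admin@example.com,yes,2025-08-01
Ticket Helper,agent7@example.com,no,2025-07-24
Dataloader Bulk Tool,agent7@example.com,no,2025-07-24
Marketing Sync,ops@example.com,yes,2024-01-10
"""

APPROVED = {"Data Loader", "Marketing Sync"}  # assumed admin-maintained allow-list
STALE_BEFORE = "2025-01-01"                   # assumed cutoff for "unused" (ISO date)


def audit_connected_apps(csv_text, approved=APPROVED, stale_before=STALE_BEFORE):
    """Return {app_name: sorted findings} for every app that needs review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["app_name"].strip()
        flags = findings.setdefault(name, set())
        # Authorized by a user but never installed in the org as a configuration.
        if row["installed"].strip().lower() != "yes":
            flags.add("uninstalled")
        if name not in approved:
            flags.add("unapproved")
            # Unapproved app whose name imitates Data Loader once spacing,
            # case and punctuation are stripped.
            if "dataloader" in re.sub(r"[^a-z0-9]", "", name.lower()):
                flags.add("lookalike")
        # ISO dates compare correctly as strings; old apps are removal candidates.
        if row["last_used"].strip() < stale_before:
            flags.add("stale")
    return {app: sorted(f) for app, f in findings.items() if f}


if __name__ == "__main__":
    for app, flags in audit_connected_apps(USAGE_CSV).items():
        print(f"{app}: {', '.join(flags)}")
```

Apps flagged as both uninstalled and lookalike deserve the first look, since they match the pattern this campaign relies on.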

That should cover you on the technical side of things, but it’s worth bearing in mind that this hacking campaign focuses on “social engineering” – meaning the threat arguably comes from human error. 

Adding a new connected app requires elevated permissions, which are typically assigned to a Salesforce administrator. 

One can easily imagine how Salesforce admins, advertising their abilities on LinkedIn, might have been collected and systematically targeted as part of this social engineering campaign.

We have written an article outlining how best to mitigate this type of risk too:

READ MORE: The Biggest Salesforce Security Threat Could Be Right Under Your Nose

Salesforce Help also offers a number of resources on managing connected apps: 

This is an ongoing campaign, and this article will be updated to reflect the latest news. 

Have you been affected by the hack? Email us at [email protected]

The post Salesforce Data Theft Roundup: Everything You Need to Know appeared first on Salesforce Ben.


August 21, 2025 at 09:00PM