Salesforce clients have seen a significant increase in targeted attacks this year, with several high-profile organizations affected. IBM® X-Force®, an IBM elite team of hackers, incident responders and threat intelligence analysts, has been tracking these events. The expert analysis by the X-Force Threat Intelligence team integrates telemetry from IBM security operations, research, incident response investigations, commercial data and open sources. This analysis provides insight to help understand these attacks and their impact.
While these incidents underscore the evolving sophistication of threat actors, it’s crucial to understand that the platform Salesforce itself has not been breached. Instead, attackers are targeting vulnerabilities in the broader ecosystem, primarily through human manipulation and trusted integrations.
This trend highlights a critical truth: the most vulnerable aspect of any system is often not the technology itself, but the people and processes surrounding it. It also emphasizes the importance of the shared security responsibility model between Salesforce and its users.
Recent compromises have largely leveraged two main approaches.
Threat actors such as the notorious ShinyHunters and UNC6040 did not directly breach Salesforce. Instead, they exploited trust by impersonating IT support in voice phishing (vishing) calls.
They persuaded high-privilege users to install malicious applications or authorize fraudulent connected apps, often rebranded as legitimate tools such as My Ticket Portal, a replica of Salesforce Data Loader.
These malicious apps granted persistent OAuth tokens, which bypassed multi-factor authentication (MFA) and allowed for extensive data exfiltration. This campaign targeted English-speaking branches of multinational corporations that use Salesforce.
Confirmed victims include Google, Allianz Life, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas, Qantas, Chanel and Farmers Insurance. Google’s breach alone exposed approximately 2.55 million records of prospective Google Ads customer information.
In a distinct campaign, threat actors, tracked as UNC6395 by Google’s threat intelligence team, abused OAuth tokens linked to the third-party AI chatbot Salesloft Drift.
This exploitation allowed attackers to conduct extensive database queries and extract data from hundreds of Salesforce customer instances. The campaign was initially thought to be limited to organizations using the Drift integration, but the scope later expanded to other Salesforce customers, including workspace customers and cybersecurity firms.
Security firms Proofpoint, SpyCloud, Tanium and Tenable confirmed that information in their Salesforce instances was compromised. Other affected companies include Cloudflare, Palo Alto Networks and Zscaler. Following the expanded scope of compromise, Salesforce disabled all integrations with Salesloft, including the Drift app.
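Both campaigns share one detectable trait: a connected app, either one the org never sanctioned or a sanctioned integration whose token has been stolen, pulling far more rows through the API than that app normally does. The following is an added detection example, not code from IBM or Salesforce; it audits a constructed export in the shape of a Salesforce EventLogFile API event, and the column names (CLIENT_NAME, ROWS_PROCESSED, USER_ID, ENTITY_NAME), the allowlist and the baselines are assumptions to be checked against your own org.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows modelled on an EventLogFile "API" export.
# Column names are assumed for this example; verify them against your org's schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,20250812010203.000,005AAA,Salesforce Data Loader,Account,2000
API,20250812010204.000,005AAA,Salesforce Data Loader,Contact,2000
API,20250812020000.000,005BBB,My Ticket Portal,Account,200000
API,20250812020100.000,005BBB,My Ticket Portal,Contact,180000
API,20250812030000.000,005CCC,Salesloft Drift,Case,120000
API,20250812030500.000,005CCC,Salesloft Drift,Account,250000
"""

# Connected apps the org has reviewed and approved; anything else is unsanctioned.
SANCTIONED_APPS = {"Salesforce Data Loader", "Salesloft Drift"}
# Assumed per-app ceiling on rows pulled in the exported window; tune to real usage.
ROW_BASELINE = {"Salesforce Data Loader": 50000, "Salesloft Drift": 50000}
DEFAULT_BASELINE = 10000


def audit_api_usage(log_text, sanctioned=SANCTIONED_APPS, baseline=ROW_BASELINE):
    """Return findings keyed by (user_id, app): unsanctioned apps and volume spikes."""
    rows_by_app = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        key = (row["USER_ID"], row["CLIENT_NAME"])
        rows_by_app[key] += int(row["ROWS_PROCESSED"] or 0)

    findings = {}
    for (user, app), total in rows_by_app.items():
        reasons = []
        if app not in sanctioned:
            reasons.append("unsanctioned connected app")
        if total > baseline.get(app, DEFAULT_BASELINE):
            reasons.append(f"{total} rows exceeds baseline")
        if reasons:
            findings[(user, app)] = reasons
    return findings


if __name__ == "__main__":
    for (user, app), reasons in audit_api_usage(SAMPLE_LOG).items():
        print(f"{user} via {app}: {'; '.join(reasons)}")
```

A sanctioned app exceeding its baseline (the Drift case) is the signal to revoke that app's tokens and review the integration, while an unsanctioned app with any volume at all (the fake Data Loader case) is the signal to revoke and interview the user who authorized it.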
The global, cross-industry impact of these breaches affects over 700 organizations. Attackers target Salesforce due to the platform’s high connectivity and the volume of sensitive personal and commercial information that it contains. The impact of these breaches includes:
These incidents underscore several critical points for organizations that use cloud platforms, as reinforced by the expertise of IBM’s X-Force Threat Intelligence team:
Building on the insights from IBM’s X-Force, we offer the following recommendations to help organizations mitigate these evolving threats. To remain resilient, organizations must adopt a comprehensive and proactive security strategy:
By prioritizing these actions, organizations can significantly reduce risk and ensure that their Salesforce implementations remain secure and resilient in an increasingly complex threat landscape, and prevention is typically less costly than recovery.
IBM Consulting® has a full spectrum of services designed to secure and optimize your Salesforce environment. Our experts help organizations improve security and meet compliance by evaluating custom code, AI integrations, user permissions and connected applications.
IBM’s Rapid Salesforce Security Assessment provides an understanding of the potential threats and compliance gaps within your Salesforce configuration, along with a prioritized set of actionable recommendations. IBM offers continuous real-time threat detection and response and proactive application, data and AI security services to mitigate threats against these critical business assets.
IBM Intelligent Delivery Suite for Salesforce (SFIDS) is IBM’s suite of Salesforce-specific, role-based AI assistants, embedded in the IBM Consulting Advantage platform, that accelerate delivery from solution design through testing.
SFIDS recommends best-practice, configuration-first solutions by reasoning over Salesforce’s official knowledge base (50,000+ help documents, release notes, developer and architecture guides) alongside IBM’s trusted templates and delivery patterns. This distinctive, legally authorized use of Salesforce best practices makes SFIDS a transformative asset for Salesforce implementation quality and consistency.
Teams use the solution advisor to turn requirements into a clear configuration strategy (not just a feature list), then export user stories and test cases aligned to that strategy. SFIDS steers teams toward native platform features and capabilities and codifies guardrails in stories and test cases. This approach results in a more secure, sustainable Salesforce platform with a smaller custom footprint and lower ongoing risk.
IBM Consulting can also help clients configure and customize Salesforce Shield, delivering secure, scalable solutions that support long-term success and resilience in multi-cloud environments.
