August 26, 2025

Salesforce Breach 2025: Understanding shared responsibility and how Unosecur could prevent the breaches

Multiple organizations, including Google, Adidas and Workday, were recently hacked through Salesforce, but neither the Salesforce platform nor a technical vulnerability is to blame.

Instead, hackers used social engineering tactics by impersonating IT support over the phone. Employees were tricked into installing a malicious, modified version of Salesforce’s Data Loader app or authorizing access to malicious connected apps. 

Once the hackers gained the necessary access, they were able to steal data from the organizations’ Salesforce environments and, in some cases, move laterally to access additional corporate cloud services and engage in extortion attempts.

Salesforce breach 2025: What happened

Attackers used voice phishing ("vishing") and impersonated IT support staff to trick employees into connecting malicious OAuth applications or fraudulent Salesforce Data Loader tools to their company’s Salesforce environment. This granted hackers access to internal CRM data, typically involving business contact details, sales notes, and related information for small and medium business customers. Google confirmed the breach affected only basic contact information, not financial data or credentials.

Scope and victims

  • Affected companies include Google, Workday, Coca-Cola, Allianz Life, Adidas, Chanel, Qantas, Louis Vuitton, Dior, Tiffany & Co., and more, across many regions.
  • Google’s hack was disclosed in August 2025 but linked to activity in June, involving their Salesforce instance for prospective Google Ads customers.
  • Extortion attempts followed the breaches, with stolen data leveraged in ransom demands, especially by ShinyHunters and associated groups.

Attack methods

  • Social engineering was the main tactic: attackers called employees, impersonated support staff, and convinced them to provide access or install malicious connected apps.
  • The scam often involved connecting to fraudulent versions of tools like Salesforce Data Loader that enabled large-scale exfiltration of CRM data.

Is Salesforce at fault here?

Salesforce is not at fault for these recent data breaches. Most of the companies that made official statements on the breach refrained from naming Salesforce.

According to multiple cybersecurity reports, this wave of attacks did not exploit any technical vulnerability or flaw within the Salesforce platform itself. 

Instead, the attackers used sophisticated social engineering techniques, primarily voice-phishing (vishing), to trick employees into voluntarily granting access to malicious apps or sharing sensitive credentials.

What the experts and Salesforce say

  • No platform vulnerability: There is no evidence of a technical security hole in Salesforce’s software. The intrusions were due to the manipulation of end users, not flaws or weaknesses in Salesforce’s system architecture or code.
  • Shared responsibility: Salesforce emphasizes that cloud security depends on a shared responsibility model. While Salesforce builds enterprise-grade security into the platform, users and organizations must diligently configure permissions, restrict app access, and educate their workforce to recognize and avoid such scams.
  • Salesforce response: Salesforce has issued advisories on defending against social engineering, recommending steps like limiting permissions, enforcing multi-factor authentication, and scrutinizing connected apps.

That customer half of the model, configuring permissions, restricting app access and educating the workforce, is what Unosecur makes simple, with first-class native Salesforce connectors as part of our identity fabric.

Most organizations do not have the time or resources to wire up alerts on permission and connected-app changes, and their CNAPP / SIEM already buries them in alerts. Unosecur focuses on high-fidelity identity alerts, using native Salesforce connectors to ingest these changes at run-time and raise the alarm so access can be cut or permissions rightsized.

How Unosecur’s capabilities could have prevented the Salesforce breaches

The breaches mostly involved social engineering or exploitation of third-party/vulnerable cloud access to Salesforce or CRM platforms. Here's how Unosecur's capabilities would mitigate or prevent these:

  1. Against social engineering (Phishing/Vishing):
    • Continuous monitoring of identity behavior (Identity Threat Detection & Response, ITDR) would detect unusual access patterns and flag or block unauthorized app installations or OAuth authorizations.
    • Real-time anomaly flags and rapid quarantine features prevent attacker lateral movement or data exfiltration immediately after entry.
  2. Privilege over-grant and connected app abuse:
    • Continuous least-privilege enforcement would have limited the scope of data accessible to any connected app, reducing exposure if one was fraudulently authorized.
    • Governance over third-party and connected apps would prevent unauthorized or risky OAuth authorizations.
  3. Compromised third-party vendor platforms:
    • Identity governance and supply chain risk controls would enforce tighter security checks on third-party APIs and platforms, limiting access and enforcing stricter identity verification.
    • Anomaly detection across vendor access points would quickly highlight abnormal activity or suspicious access patterns on third-party systems.
  4. Rapid detection and response (ITDR):
    • In scenarios like Google or Qantas, where credential abuse and API exploitation occurred, immediate detection and automated remediation could have cut off attackers’ access within minutes.
    • This drastically minimizes dwell time and attack impact.
  5. Non-human identity management:
    • Limiting the misuse of machine and service identities (API keys, bots), which are common in cloud platform integrations, reduces automated attack vectors and limits attackers’ ability to move laterally.
  6. Reducing attack surface in highly digitalized and cloud-integrated environments:
    • Unosecur’s unified platform would shrink the attack surface created by rapid digital transformation, cloud adoption, and IoT connectivity found in aviation and enterprise environments.
  7. Compliance and audit-ready reporting:
    • Through continuous identity governance, enterprises can more quickly meet regulatory requirements and prove operational security posture during breach investigations.
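To make the detection side of items 1 and 2 above concrete, and Salesforce's own advice to scrutinize connected apps, here is an added example that is not code from Unosecur or Salesforce. It replays constructed Salesforce-style audit records and raises the alerts a defender would want: a connected-app authorization that is not on an approved list, a Data Loader-style bulk login by a user who is not a sanctioned integration account, and an escalation when the same user does both in sequence. The two CSV layouts, the action string `AuthorizeConnectedApp`, the `RowsExported` column, the application names and the allowlists are all assumptions for this example; a real org's Setup Audit Trail and Login History exports use their own column names and values.

```python
"""Added example (not Unosecur's or Salesforce's code): a minimal detector over
constructed Salesforce-style audit and login records.

Assumed schema: the CSV layouts, the 'AuthorizeConnectedApp' action string,
the 'RowsExported' column and the allowlists are placeholders for this example,
not the real export format."""
import csv
import io
from dataclasses import dataclass

# Assumed org policy: sanctioned connected apps and sanctioned bulk-export accounts.
APPROVED_CONNECTED_APPS = {"Corp BI Connector", "Salesforce for Outlook"}
APPROVED_BULK_USERS = {"etl.svc@example.com"}
BULK_ROW_THRESHOLD = 50_000  # assumed: exports this large are never an interactive user

# Constructed Setup-Audit-Trail-style records (placeholder schema, not real data).
SETUP_AUDIT_CSV = """Date,User,Action,Detail
2025-06-10T09:15:00Z,admin@example.com,AuthorizeConnectedApp,Corp BI Connector
2025-06-10T14:02:11Z,jane.doe@example.com,AuthorizeConnectedApp,Helpdesk Loader (constructed)
2025-06-10T14:05:40Z,jane.doe@example.com,ChangePassword,
"""

# Constructed Login-History-style records with an assumed RowsExported column.
LOGIN_HISTORY_CSV = """Date,User,Application,Status,RowsExported
2025-06-10T02:00:00Z,etl.svc@example.com,Dataloader Bulk,Success,120000
2025-06-10T13:58:02Z,jane.doe@example.com,Browser,Success,0
2025-06-10T14:09:30Z,jane.doe@example.com,Dataloader Bulk,Success,210000
"""


@dataclass(frozen=True)
class Alert:
    severity: str
    user: str
    when: str   # ISO-8601 timestamp, so string comparison orders events correctly
    reason: str


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unapproved_app_authorizations(audit_rows, approved=APPROVED_CONNECTED_APPS):
    """Flag every connected-app authorization whose app is not on the approved list."""
    return [
        Alert("high", r["User"], r["Date"], f"unapproved connected app authorised: {r['Detail']}")
        for r in audit_rows
        if r["Action"] == "AuthorizeConnectedApp" and r["Detail"] not in approved
    ]


def suspicious_bulk_sessions(login_rows, approved_users=APPROVED_BULK_USERS,
                             threshold=BULK_ROW_THRESHOLD):
    """Flag successful Data Loader-style logins by non-integration users; a large
    export by such a user is critical rather than merely high."""
    alerts = []
    for r in login_rows:
        if r["Status"] != "Success" or not r["Application"].lower().startswith("dataloader"):
            continue
        if r["User"] in approved_users:
            continue  # sanctioned integration account: bulk traffic is expected
        exported = int(r["RowsExported"])
        severity = "critical" if exported >= threshold else "high"
        alerts.append(Alert(severity, r["User"], r["Date"],
                            f"bulk client '{r['Application']}' used by non-integration user "
                            f"({exported} rows exported)"))
    return alerts


def run_detection(audit_csv=SETUP_AUDIT_CSV, login_csv=LOGIN_HISTORY_CSV):
    """Run both checks, then correlate: a user who authorised an unapproved app and
    afterwards ran a bulk export is the sequence the page describes, so escalate
    with a remediation hint (revoke the app and end the session)."""
    app_alerts = unapproved_app_authorizations(parse_csv(audit_csv))
    bulk_alerts = suspicious_bulk_sessions(parse_csv(login_csv))
    first_bad_auth = {}
    for a in app_alerts:
        first_bad_auth[a.user] = min(a.when, first_bad_auth.get(a.user, a.when))
    correlated = [
        Alert("critical", b.user, b.when,
              "unapproved app authorisation followed by bulk export: revoke app, end session")
        for b in bulk_alerts
        if b.user in first_bad_auth and b.when >= first_bad_auth[b.user]
    ]
    return app_alerts + bulk_alerts + correlated


if __name__ == "__main__":
    for alert in run_detection():
        print(f"[{alert.severity}] {alert.when} {alert.user}: {alert.reason}")
```

On the constructed input the approved ETL account's large overnight export raises nothing, the browser login raises nothing, and the interactive user who authorised an unlisted app and then ran a bulk export produces three alerts, the last of which carries the remediation hint. The allowlist-first design is deliberate: it turns Salesforce's "scrutinize connected apps" advice into a check that fires on the first unknown app rather than after a signature for a known bad one exists.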

Don’t be next

The number of top tech organizations falling to these attacks in the past months is staggering. If they’re susceptible, then you might be, too. Try a free identity security risk assessment today and understand your organization’s top identity issues. 

Unosecur is the unified identity fabric layer for securing human and non-human identities (NHI) across hybrid, multi-cloud, IdP and SaaS environments. It operates at the heart of the problem posed by advanced threats in the era of AI: compromised users, NHIs, and sessions.

  • Before an attack occurs: Unosecur helps you minimize your identity attack surface and drastically reduce the potential blast radius should an attack occur.
  • When an attack occurs: An advanced threat detection engine detects even the smallest steps of a smart attacker and enables you to respond and rightsize permissions on the spot.
  • After an attack occurs: Unified identity means Unosecur provides you investigation tools that give you an identity timeline for fast evidence collection and recovery.

You can schedule a demo directly here to speak with one of our identity experts.
