[Security Issue] Salesforce Hacking Attack Results in Multiple Data Breaches


Recent hacking incidents involving Salesforce have captured global attention as a prime example of evolving cyber threats. These attacks did not exploit critical vulnerabilities in the Salesforce platform itself. Instead, attackers leveraged sophisticated social engineering techniques to target users within the Salesforce ecosystem. This shift in tactics illustrates how modern cyberattacks are no longer just about breaching technical defenses but manipulating human behavior and system interactions.

Notable victims of these attacks span a range of high-profile organizations, including Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany, and several security-focused SaaS providers such as Cloudflare, Palo Alto Networks, and Workiva.

Voice Phishing as the Main Vector

Unlike traditional email phishing, the Salesforce attacks employed voice phishing (vishing). Posing as IT personnel, attackers directly called employees, urging them to follow “emergency mitigation procedures.” This tactic did not rely on technical naivety but rather exploited psychological pressure, using urgency to override judgment. As a result, even organizations with strong cybersecurity measures could not fully defend against this human-centric threat model. This highlights a critical vulnerability in digital ecosystems: people.


OAuth Exploitation and MFA Bypass

Once attackers gained trust via phone calls, they manipulated victims into unintentionally authorizing malicious OAuth applications through Salesforce’s Connected Apps feature. These apps then gained legitimate access to large volumes of sensitive data, such as customer profiles, contact lists, and loyalty program information.

This method allowed attackers to effectively bypass multi-factor authentication (MFA) without exploiting technical flaws in the platform. Instead, they abused legitimate Salesforce features, setting a new precedent for how built-in functionality can be weaponized.


Data Breaches in Cyber Security Firms: Cloudflare and Palo Alto Networks

The global cybersecurity community took particular interest because even security companies were compromised.

In the case of Cloudflare, attackers did not use vishing. Instead, they conducted a supply chain attack by compromising credentials tied to Salesloft Drift, a third-party service integrated with Salesforce. Cloudflare reported that attackers gained initial access to its Salesforce environment on August 12. A 48-hour reconnaissance phase followed, during which the attackers mapped out the system before initiating a swift data exfiltration operation. In just three minutes, they used Salesforce APIs to steal data and attempted to cover their tracks by deleting the logs.

Another example is Palo Alto Networks. They also suffered a breach linked to the same Salesforce integration (Salesloft Drift). On September 2, they confirmed unauthorized data access that occurred between August 8 and 18. Specifically, attackers used stolen OAuth tokens to infiltrate the company’s Salesforce environment and extract customer contact information, internal sales data, and case records. The motivation behind the attack was credential harvesting. The stolen data was then scanned for passwords and access keys, likely to facilitate further attacks on cloud services like AWS and Snowflake.
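The Cloudflare timeline above (a short reconnaissance phase, a three-minute API exfiltration, then an attempt to delete logs) and the post's later recommendation to monitor API access logs both point to the same detection. As an added example that is not code from the original post or from Salesforce, the Python below runs three checks over constructed, simplified API log lines: a connected app not on an admin-approved allow-list, a burst of rows read within a short window, and any log-deletion operation. The log format, app names, user names and thresholds are assumptions.

```python
"""Added example (not from the original post or Salesforce): flag the connected-app
activity pattern described above in constructed API log lines. All names and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, connected app, operation, rows touched.
# Models recon, a rapid bulk export and a log-deletion attempt by an unapproved app.
SAMPLE_LOG = """\
2025-08-14T09:00:05Z,alice,SalesDashboard,query,200
2025-08-14T09:00:40Z,alice,SalesDashboard,query,150
2025-08-14T10:12:00Z,svc-integration,DriftSync,describe,0
2025-08-14T10:12:30Z,svc-integration,DriftSync,describe,0
2025-08-14T10:13:02Z,svc-integration,DriftSync,bulk_query,120000
2025-08-14T10:13:55Z,svc-integration,DriftSync,bulk_query,95000
2025-08-14T10:15:10Z,svc-integration,DriftSync,delete_event_log,0
"""
APPROVED_APPS = {"SalesDashboard"}  # assumed admin-approved allow-list
WINDOW = timedelta(minutes=3)       # assumed burst window (the post cites 3 minutes)
ROW_THRESHOLD = 100_000             # assumed rows-per-window alert threshold

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, app, op, rows = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "user": user, "app": app, "op": op, "rows": int(rows)})
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return alert dicts (app, kind, ...) for suspicious connected-app activity."""
    alerts, by_app = [], defaultdict(list)
    for ev in events:
        by_app[ev["app"]].append(ev)
    for app, evs in by_app.items():
        if app not in APPROVED_APPS:  # app authorized outside the admin process
            alerts.append({"app": app, "kind": "unapproved_app", "user": evs[0]["user"]})
        start = 0  # sliding window over this app's reads; alert on the first burst
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            rows = sum(e["rows"] for e in evs[start:end + 1] if e["op"] in ("query", "bulk_query"))
            if rows > ROW_THRESHOLD:
                alerts.append({"app": app, "kind": "bulk_export", "rows": rows, "ending": ev["ts"]})
                break
        if any(e["op"] == "delete_event_log" for e in evs):  # audit tampering
            alerts.append({"app": app, "kind": "log_deletion"})
    return alerts
```

On the sample log the approved dashboard app produces no alerts, while the unapproved app trips all three checks in order.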


A Broader Look at the Impact

The widespread nature of the attacks, particularly against cybersecurity companies, suggests a failure not of security infrastructure but of ecosystem-level trust models. These attacks were not driven by zero-day exploits but by abusing trust—whether between employees and IT departments or between companies and their third-party service providers.

Groups like Scattered Spider, Lapsus$, and ShinyHunters have claimed responsibility, showcasing stolen data and ransom gains on Telegram, suggesting the scope of damage may exceed what has been publicly disclosed. The Salesforce hacks demonstrate how attackers are capitalizing on human error, inadequate access control, and insufficient third-party oversight.

Strategic Security Recommendations for Enterprises

The Salesforce data breaches highlight the need for a holistic security strategy that goes beyond firewalls and encryption: businesses must address both technological and human vulnerabilities.

  1. Strengthen Security Awareness and Simulated Training

    Social engineering attacks like phishing, spear phishing, and vishing target humans, not systems. Frequent, realistic training helps employees recognize and respond to these threats effectively.

  2. Adopt a Zero Trust Architecture

    Move away from trust-based access models. Every user, device, and application should be continuously verified—especially in sensitive systems like CRMs. Strict authentication should be enforced for API calls and app approvals.

  3. Enhance Identity and Access Management (IAM)

    Limit sensitive data access and restrict app authorization rights to administrators only. Real-time monitoring of API access logs is also essential for detecting abnormal behavior and preventing breaches.

  4. Combine Technology with Human-Centric Security

    Even the most advanced tools are ineffective if misused by people. A balanced approach integrating technical safeguards and security awareness is crucial to building real resilience.

  5. Leverage Global Cybersecurity Experts

    Penta Security, a top global cybersecurity company, offers a range of defensive solutions based on decades of experience:

    • Data encryption, web application firewalls, and API security to protect digital assets

    • Zero trust-based access control to enhance internal defenses

    • Cloud security solutions for robust, scalable protection

Solutions like WAPPLES (Intelligent Web Application and API Protection), D.AMO (encryption platform), and Cloudbric (Cloud Security SaaS Platform) enable customized protection tailored to each enterprise. Trusted by organizations for nearly 30 years, Penta Security stands as a reliable partner in the evolving cyber threat landscape.

Ultimately, cyber threats today are not just technical but deeply human. To protect against them, companies must adopt integrated strategies that cover education, access control, zero trust, and expert cybersecurity solutions.
