Salesforce Data Theft Roundup: Everything You Need to Know


Several big-name Salesforce customers have been targeted by social engineering attacks with attackers claiming affiliation with the well-known hacking group ShinyHunters, aka UNC6240. 

A trend has emerged in reports of the incidents: employees at English-speaking branches of multinational corporations that use Salesforce are often voice phished over phone calls and persuaded to download an attacker-controlled replica of the Data Loader app, which compromises their data. 

Once downloaded, the app grants hackers extensive access, enabling them to query and exfiltrate sensitive data from compromised Salesforce customer accounts. Follow-up extortion attacks have also been reported. 

Many companies do not name Salesforce directly when they reveal the incidents, instead opting for phrasing like “third-party CRM”. With that caveat in mind, here is a roundup of all the incidents we know of so far. 

SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.

Timeline of 2025 Salesforce Customer Hacks

May 23: Adidas publishes a statement revealing that an “unauthorized external party” had obtained “certain consumer data through a third-party customer service provider”. 

The company said that the affected data does not contain passwords, credit card, or any other payment-related information. 

“It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past,” Adidas said. 

Subsequent reporting would link this incident to the Salesforce customer social engineering attacks. 

June 5: Salesforce Ben reports that hackers had stolen large amounts of data by tricking employees at companies into installing a modified version of a Salesforce-related app.

June 16: Salesforce Ben publishes an article outlining how admins can audit connected apps and keep their orgs secure. 

June 30: Australian airline Qantas “detected unusual activity on a third-party platform used by a Qantas airline contact centre”. Later reporting links this to the ShinyHunters campaign. 

July 26: Reports say that Allianz Life had been subjected to a hack whereby a “malicious threat actor gained access to a third-party, cloud-based CRM system” used by the insurance giant. 

The company’s statement on the incident did not name Salesforce, but BleepingComputer wrote that they had learned the attack is “believed to have been conducted by the ShinyHunters extortion group”. 

August 6: We report that fashion giant Chanel had announced in a letter to its clients that the company had fallen prey to a Salesforce data security breach, impacting customers in the United States. The breach was detected on July 25, after hackers infiltrated Chanel’s database, which was hosted at a third-party service provider. 

Pandora is also reported to be among those targeted in a “security attack, where some customer information was accessed through a third-party platform that we use”. 

August 7: Salesforce posts an advisory message, warning customers of social engineering and phishing threats. They stress that the Salesforce platform has not been compromised, and the issue is “not due to any known vulnerability in our technology”. 

August 11: Salesforce Ben reports that Google is among the victims of the Salesforce-related data breaches. Google’s Threat Intelligence Group (GTIG) were believed to be the first to draw attention to ShinyHunters’ known tactics.

August 18: We report that Workday has been targeted in a social engineering campaign, with the attackers gaining access to information from a “third-party CRM platform”. They did not name Salesforce directly in their blog post revealing the incident, but it came amid a wave of data theft attacks against the cloud giant’s customers.

August 19: Salesforce notifies its user base of a hardening of the exploited connected apps functionality, which will automatically disable non-installed connected apps for new users and disable connections that were obtained using the OAuth 2.0 device flow authorization process. 

What To Do With Your Org

The hacking campaign typically involves victims downloading a malicious replica of the Data Loader app. 

Even if you do not believe your data has been breached, now is a good time to make sure, and to audit your connected apps. 

Tom Bassett recently wrote an article for Salesforce Ben outlining how Salesforce administrators can do this. You can read about it here:

READ MORE: A Salesforce Admin’s Guide to Auditing Connected Apps

Amid the wave of social engineering attacks, Salesforce announced that it would be tightening security around the use of connected apps.

Salesforce is taking action by restricting the use of “uninstalled connected apps”, blocking end users from using them. 

In a release that is set to arrive in September, the company will be enacting restrictions on connected apps that have been authorized by a Salesforce user, but have never been installed in the Salesforce org as a configuration.

You can read more about the changes Salesforce is making to tighten security around the use of connected apps here:

READ MORE: Salesforce Hardens Connected Apps Security Amid Social Engineering Attacks
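
A minimal triage pass over a connected-app inventory, following the audit steps recommended above: identify each app's origin, find unused or unknown apps, and catch apps that users have authorized but that were never installed in the org. This is an added example, not code from Salesforce or Salesforce Ben; the CSV columns, app names, allowlist and staleness threshold are constructed assumptions, not a Salesforce export format.

```python
import csv, io, re
from datetime import date

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_CSV = """app_name,installed,authorized_users,last_used
Data Loader,yes,4,2025-08-15
My Ticket Portal,no,1,2025-08-18
Dataloader Bulk,no,2,2025-08-17
Legacy Sync,yes,0,2024-01-10
Marketing Connector,yes,12,2025-08-19
"""
APPROVED = {"Data Loader", "Marketing Connector", "Legacy Sync"}  # hypothetical allowlist
STALE_DAYS = 90  # assumed threshold for "unused"

def normalize(name):
    """Lower-case and drop spaces/punctuation so near-identical names compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit(csv_text, approved, today):
    """Return {app_name: [reasons]} for every app that needs an admin's review."""
    approved_norm = {normalize(a) for a in approved}
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, users = row["app_name"], int(row["authorized_users"])
        reasons = []
        if name not in approved:
            reasons.append("unknown-origin")
            # A name that embeds an approved app's name may be a replica.
            if any(a in normalize(name) for a in approved_norm):
                reasons.append("lookalike-name")
        # Authorized by a user but never installed in the org as a configuration.
        if row["installed"] != "yes" and users > 0:
            reasons.append("authorized-but-not-installed")
        age_days = (today - date.fromisoformat(row["last_used"])).days
        if users == 0 or age_days > STALE_DAYS:
            reasons.append("unused")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for app, why in audit(SAMPLE_CSV, APPROVED, date(2025, 8, 20)).items():
        print(f"{app}: {', '.join(why)}")
```

Display names can be copied exactly, so a name match against the allowlist is not proof of origin; the installed check is what catches an app a user authorized outside the admin's control.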

That should cover you on the technical side of things, but it’s worth bearing in mind that this hacking campaign focuses on “social engineering” – meaning the threat arguably comes from human error. 

Adding a new connected app requires elevated permissions, which are typically assigned to a Salesforce administrator. 

One can easily imagine how Salesforce admins, advertising their abilities on LinkedIn, might have been collected and systematically targeted as part of this social engineering campaign.

We have written an article outlining how best to mitigate this type of risk too:

READ MORE: The Biggest Salesforce Security Threat Could Be Right Under Your Nose

Salesforce Help also offers a number of resources on managing connected apps: 

This is an ongoing campaign, and this article will be updated to reflect the latest news. 

Have you been affected by the hack? Email us at tips@salesforceben.com
