Massive OAuth Abuse Exposes Salesforce Customer Data via Third-Party Integrations
A significant wave of OAuth-related breaches has recently impacted the Salesforce ecosystem, resulting in the exposure of sensitive data from over 700 organizations and affecting nearly 1.5 billion records. The breaches were not due to a direct compromise of Salesforce itself, but rather stemmed from attackers exploiting weaknesses in third-party OAuth integrations connected to Salesforce environments. At the recent Dreamforce conference, Salesforce emphasized security as a shared responsibility and introduced new AI-driven security and compliance agents, but notably did not address the recent OAuth breach incidents that have led to more than 70 lawsuits. Security experts highlighted this omission, noting that the lessons from these breaches are critical for the future of interconnected, AI-driven business platforms. According to Google Threat Intelligence Group, the attackers systematically exported large volumes of data from numerous corporate Salesforce instances by abusing OAuth tokens. These tokens, which are designed to allow secure, delegated access to cloud applications, were leveraged by threat actors to gain persistent, high-privilege access to customer data. Proofpoint researchers have further warned that attackers are increasingly abusing both external and internal OAuth-based applications to maintain access to cloud environments, even after password resets or the enforcement of multifactor authentication. Internal OAuth applications, which are registered within an organization’s own cloud tenant and typically trusted, can be particularly difficult to detect when compromised. Attackers have developed automated toolkits to register malicious OAuth applications with pre-configured permissions, using compromised admin accounts to escalate privileges and maintain persistence. The breaches underscore the risks inherent in SaaS supply chains, where third-party integrations can become a vector for large-scale data exfiltration. Security professionals stress the importance of monitoring OAuth app permissions, regularly auditing third-party integrations, and educating users about the risks of granting excessive access. The incident has prompted calls for greater transparency and proactive security measures from both SaaS providers and their customers. The scale of the breach and the sophistication of the attack methods highlight the evolving threat landscape facing cloud-based business platforms. Organizations are urged to review their OAuth security posture and implement robust controls to mitigate similar risks in the future. The incident serves as a stark reminder that even trusted cloud environments can be compromised through indirect attack vectors, necessitating a holistic approach to cloud security.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CSO highlights security lessons from the Salesloft Drift incident at Dreamforce
A CSO Online article argued that Dreamforce omitted important security lessons tied to the Salesloft Drift incident and Salesforce-related risks. The publication reflects public discussion of the incident and its implications as of 2025-10-22.
Researchers detail abuse of trusted OAuth apps as cloud backdoors
A Help Net Security report described how attackers can weaponize trusted OAuth applications to gain persistent access in cloud environments, highlighting a broader technique relevant to enterprise SaaS security. The article was published on 2025-10-22, which is the best available date from the provided content.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Extortion Attacks Targeting Salesforce Customers
A series of extortion attacks have targeted organizations using Salesforce, resulting in the leakage of millions of records. Attackers have exploited vulnerabilities or misconfigurations in Salesforce environments to gain unauthorized access to sensitive customer and business data. Once inside, the threat actors exfiltrated large volumes of information, which they then used as leverage in extortion attempts against the affected companies. The attackers threatened to publicly release or sell the stolen data unless their demands were met, putting significant pressure on the victim organizations. Security experts have highlighted that these incidents demonstrate the growing risk of supply chain and third-party platform attacks, as Salesforce is widely used across industries for customer relationship management. The attacks have raised concerns about the adequacy of security controls and monitoring within cloud-based SaaS platforms, especially when organizations rely heavily on default configurations. In response, security professionals have urged companies to review their Salesforce security settings, implement robust access controls, and monitor for unusual activity. The incidents have also prompted calls for better incident response planning, as organizations must be prepared to act quickly in the event of a breach involving critical business platforms. The extortion group responsible for these attacks has demonstrated technical sophistication, leveraging both technical exploits and social engineering tactics to maximize their impact. The exposure of millions of records has potential regulatory and reputational consequences for the affected organizations, particularly in jurisdictions with strict data protection laws. Security podcasts and news outlets have discussed the technical details of the attacks, the methods used by the extortionists, and the broader implications for cloud security. Experts have also noted that these attacks may inspire copycat incidents targeting other SaaS providers. The events underscore the importance of regular security assessments and employee training to defend against evolving threats. Organizations are advised to stay informed about emerging attack techniques and to collaborate with their SaaS vendors to ensure comprehensive security coverage. The Salesforce extortion attacks serve as a stark reminder of the risks associated with cloud service dependencies and the need for proactive cybersecurity measures.
Mar 21, 2026
Salesforce-Targeted Data Breaches Impacting Google, Workday, and Others via Social Engineering
A coordinated wave of cyberattacks in 2025 targeted organizations using Salesforce’s CRM platform, resulting in significant data breaches at major companies including Google and Workday. Attackers exploited the inherent trust and connectivity of cloud-based CRM systems, focusing on social engineering rather than technical vulnerabilities. Workday confirmed that attackers accessed a database containing business contact information for up to 11,000 corporate customers and 70 million individual user records, with the breach discovered in early August 2025. Google also disclosed that its Salesforce instance used for Google Ads leads was compromised, leading to the theft of over 2.5 million customer records, including business contact details and sales notes for small and mid-sized clients. Cisco and other organizations were also listed among the victims of this campaign. The threat group responsible, identified as UNC6040 and associated with ShinyHunters, used telephone-based social engineering (vishing) to trick employees into granting access or sharing credentials. Attackers convinced targets to use a modified, unauthorized version of the Salesforce Data Loader app, which enabled them to exfiltrate sensitive data from Salesforce environments. Mandiant, working with Google, provided proactive defense recommendations, emphasizing that the attacks did not exploit Salesforce vulnerabilities but rather relied on manipulating end users. The attackers’ tactics included delayed extortion demands, sometimes occurring months after the initial compromise. The breaches highlighted the risks of interconnected cloud services and the importance of robust identity and access management. Security experts stressed the need for organizations to harden their Salesforce and other cloud assets against social engineering. The incidents underscored the growing trend of targeting SaaS platforms through human factors rather than technical flaws. Lessons from these breaches include the necessity of employee training, multi-factor authentication, and vigilant monitoring of third-party integrations. The scale and sophistication of the attacks demonstrated the evolving threat landscape for cloud-based business applications. Organizations are urged to review their incident response plans and ensure that all users are aware of the risks posed by social engineering campaigns. The breaches serve as a warning for enterprises to reassess their security posture around cloud CRM platforms and to implement layered defenses against both technical and human-centric threats.
May 6, 2026
Salesforce Customer Data Exposed via Gainsight Application Breach
Salesforce has detected unusual activity involving Gainsight-published applications connected to its platform, resulting in potential unauthorized access to certain customers' Salesforce data. The company responded by revoking all active access and refresh tokens associated with these applications and temporarily removing them from the AppExchange while the investigation is ongoing. Salesforce emphasized that the incident did not stem from a vulnerability in its core CRM platform, but rather from the external connection established by the Gainsight applications, which are managed directly by customers. Impacted customers have been notified, and Salesforce has advised those needing further assistance to contact their support team. This breach follows a similar pattern to the August 2025 Salesloft incident, where attackers exploited OAuth tokens to access sensitive customer data. While the full scope of the current Gainsight-related breach is still under investigation, the incident highlights the risks associated with third-party integrations and the importance of monitoring external application connections to critical cloud services.
Mar 21, 2026