By Staff Writer at LMG Security   /   Aug 20th, 2025

Hackers Are Targeting Your Salesforce: What You Need to Know

This summer, a troubling pattern emerged: hackers are breaking into corporate Salesforce accounts at some of the biggest brands in the world. Google, Louis Vuitton, Dior, Chanel, Allianz Life, Qantas Airlines, and more have all confirmed Salesforce-related breaches. And while you might assume the problem is with Salesforce itself, it’s not.

The real issue? Old-fashioned social engineering—updated with clever twists.

“This is not happening because of a vulnerability in the Salesforce platform. It’s happening because they’re using simple social engineering tactics—voice phishing. They’re stealing passwords and MFA codes,” shared Sherri Davidoff, founder of LMG Security.

In other words, attackers don’t need zero-day exploits when they can simply call your employees and trick them into opening the door. Let’s dive into this issue and what you can do to protect your organization. You can also watch a Cyberside Chats video or podcast on this topic.

How These Attacks Work

The recent Salesforce breaches weren’t “hacks” in the traditional sense. Instead, cybercriminals used targeted voice phishing (“vishing”) calls to employees with elevated Salesforce access. They researched targets on LinkedIn or corporate org charts, then posed as IT support.

During these calls, attackers directed employees to fake login portals—sometimes mimicking Okta or Salesforce itself. The goal? To trick them into authorizing a malicious connected app.

As Matt Durrin, LMG’s Director of Training and Research, explained:

“They’re getting them to authorize an API-based app that gives them access to the portal with whatever user permissions that user tends to have. And in a lot of cases, users are overprovisioned, so attackers can basically siphon the entire database out.”

In one case Google reported, attackers pulled about 10% of records before being cut off. But in other incidents, like the Allianz Life breach, hackers stole 2.88 million customer records.

Why This Matters

At first glance, the stolen data—names, emails, billing details, and even frequent flyer numbers—may not seem catastrophic. But aggregated at scale, it becomes a powerful weapon for phishing, extortion, and fraud.

“Even if you don’t think the data in your Salesforce instance is super sensitive, you may still have to announce a breach to your customers if it gets hacked. That alone causes reputational damage and potential lawsuits,” Davidoff explained.

Research backs this up. The 2025 Verizon Data Breach Investigations Report notes that social engineering attacks now account for over 17% of breaches, making them one of the fastest-growing causes of corporate compromise. Extortion groups like ShinyHunters and Scattered Spider are fueling this surge, often overlapping in operations.

Parallels to Snowflake

If this sounds familiar, you’re not imagining things. The Salesforce hacks echo the 2024 Snowflake incidents, in which criminals compromised corporate accounts—not the Snowflake platform itself.

The big difference? With Snowflake, many victims hadn’t even enabled MFA. With Salesforce, attackers expected MFA and went after it directly, stealing codes through social engineering.

That’s why relying on basic MFA is no longer enough.

Why MFA Isn’t Enough

For years, “enable MFA” has been the gold standard of advice. But hackers are catching up. They’ve adapted their playbooks to bypass text-message or email-based MFA codes through real-time phishing.

“I’m a little stressed out because MFA is not enough. A lot of people have just finally gotten comfortable with MFA, and now we’re saying—sorry, that’s not enough. You need phishing-resistant MFA,” Matt Durrin, Director of Training and Research for LMG Security, shared.

The solution is passkeys or hardware tokens. Passkeys use public/private key cryptography tied to biometric checks like fingerprints or facial recognition. They’re both faster and safer than passwords—Google found logins with passkeys were 15% faster than using usernames and passwords.

The Risks of Overprovisioning

Another theme across Salesforce breaches is overprovisioned accounts. Too many users have access to far more data and permissions than they need. That turns a single successful phish into a full-scale breach.

This is where the principle of least privilege becomes critical. Restrict Salesforce and connected app access to only what’s strictly necessary and regularly audit permissions.

“If privileges are removed, it’s not punishment. It’s minimizing risk for them and for your organization,” Davidoff noted.

How to Detect and Contain Salesforce Breaches

Even with the best defenses, assume attackers may eventually get in. What matters is how quickly you can detect and contain an intrusion.

Salesforce offers tools like Salesforce Shield, which can flag unusual data exports or logins. You should configure alerts for large downloads, unusual API calls, or logins from unexpected IP addresses.

And practice containment in advance. “It’s not just about resetting the password. You have to kill active sessions. You have to revoke tokens. Hackers are moving beyond the password,” Durrin noted.

That means rehearsing rapid response on SaaS systems—just like you would for ransomware on your network. Tabletop exercises should cover revoking OAuth tokens, disabling compromised accounts, and locking down connected apps.

Key Takeaways: Protecting Your Salesforce (and Other SaaS Apps)

Here are the top lessons you can apply right now to defend your Salesforce instance—and any other cloud platform:

  1. Adopt phishing-resistant MFA.
    Traditional MFA (like SMS or email codes) isn’t enough anymore. Move toward phishing-resistant options like passkeys or FIDO2 keys, which are faster, easier for users, and more secure.
  2. Train your team to resist vishing and social engineering attacks.
    Hackers are calling employees directly, posing as IT support, and tricking them into authorizing malicious connected apps. Include voice phishing and deepfake scenarios in security awareness training, and teach employees how to verify or “de-authenticate” callers on the spot. We find the combination of cybersecurity awareness training and social engineering tests delivers the best risk reduction.
  3. Monitor for abnormal data exports.
    Use Salesforce Shield or equivalent tools to alert on unusual downloads, large exports, or suspicious API activity.
  4. Lock down your Salesforce (and other SaaS apps).
    Limit who can install connected apps, enforce the principle of least privilege, and consider IP-based access restrictions. Preventing unnecessary connected apps would have stopped many of these breaches.
  5. Rehearse rapid SaaS containment.
    Make sure your team knows how to revoke OAuth tokens, disable accounts, and kill active sessions. Resetting a password isn’t enough if attackers are using tokens or API keys. Practice these steps in tabletop exercises and add them to your playbooks.
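As an added example (not code from LMG Security or Salesforce) of the alerting described in the detection section and in takeaways 3 and 4, here is a small Python rule set run over constructed Salesforce-style activity rows: it flags logins from outside a corporate IP range, API traffic from connected apps that are not on an allowlist, and bulk exports whose row count per user exceeds a threshold within a sliding window. The field names, the corporate range, the allowlist and the threshold are assumptions.

```python
"""Example detection rules for Salesforce-style activity events.

Added example, not LMG's or Salesforce's code. Field names (user, ip, event,
rows, app) are assumed, modelled loosely on Event Monitoring log columns;
the events below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events: one dict per log row, ISO 8601 timestamps.
EVENTS = [
    {"ts": "2025-08-12T09:00:05", "user": "alice", "ip": "203.0.113.10", "event": "Login", "rows": 0, "app": "Browser"},
    {"ts": "2025-08-12T09:03:10", "user": "alice", "ip": "203.0.113.10", "event": "API", "rows": 1500, "app": "Data Loader"},
    {"ts": "2025-08-12T11:20:00", "user": "bob", "ip": "198.51.100.77", "event": "Login", "rows": 0, "app": "Browser"},
    {"ts": "2025-08-12T11:21:30", "user": "bob", "ip": "198.51.100.77", "event": "BulkApi", "rows": 400000, "app": "My Ticket Portal"},
    {"ts": "2025-08-12T11:25:00", "user": "bob", "ip": "198.51.100.77", "event": "BulkApi", "rows": 350000, "app": "My Ticket Portal"},
]

CORPORATE_RANGES = [ip_network("203.0.113.0/24")]  # assumed office/VPN egress
APPROVED_APPS = {"Browser", "Data Loader"}         # assumed connected-app allowlist
EXPORT_ROW_THRESHOLD = 100_000                     # rows per user per window
WINDOW = timedelta(hours=1)

def detect(events, ranges=CORPORATE_RANGES, approved=APPROVED_APPS,
           threshold=EXPORT_ROW_THRESHOLD, window=WINDOW):
    """Return a list of (rule, user, detail) findings over the event rows."""
    findings = []
    recent = defaultdict(list)   # user -> [(timestamp, rows)] inside the window
    flagged_apps = set()         # (user, app) pairs already reported once
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        src = ip_address(e["ip"])
        # Rule 1: interactive login from outside the known corporate ranges.
        if e["event"] == "Login" and not any(src in net for net in ranges):
            findings.append(("login_unexpected_ip", e["user"], e["ip"]))
        # Rule 2: API traffic through a connected app that is not allowlisted.
        if e["event"] in ("API", "BulkApi") and e["app"] not in approved and (e["user"], e["app"]) not in flagged_apps:
            flagged_apps.add((e["user"], e["app"]))
            findings.append(("unapproved_connected_app", e["user"], e["app"]))
        # Rule 3: rows pulled per user over a sliding window exceed the threshold.
        if e["event"] in ("API", "BulkApi"):
            recent[e["user"]] = [(t, r) for t, r in recent[e["user"]] if ts - t <= window]
            recent[e["user"]].append((ts, e["rows"]))
            total = sum(r for _, r in recent[e["user"]])
            if total > threshold:
                findings.append(("bulk_export", e["user"], total))
    return findings
```

Thresholds and ranges need tuning per org: a nightly integration that legitimately exports large volumes belongs in the allowlist, and the row threshold should sit above normal daily usage for the roles being monitored.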

Final Thoughts

Hackers don’t need to exploit zero-days when they can trick your employees into handing over the keys. Salesforce breaches at global giants like Google and Allianz prove that no organization is immune.

The good news? You can defend against these attacks with layered strategies: phishing-resistant MFA, regular user training, permission audits, and strong detection and response capabilities.

As Sherri summed it up: “Your SaaS platforms are a target. Talk to your team. Make sure accounts are not overprovisioned and expect hackers to go after them.”

If you need help with social engineering training or technical testing, please contact us. Our expert team is ready to help!

About the Author

LMG Security Staff Writer
