
Salesforce breach: What IT leaders must know
A sophisticated attack on Salesforce users in October 2025 exposes vulnerabilities in SaaS ecosystems, forcing IT leaders to act on data, access and third-party risks.
Salesforce is one of the world's largest software as a service (SaaS) providers, with product offerings in customer relationship management (CRM), sales, marketing and financial services.
Just ahead of Salesforce's annual Dreamforce conference in October 2025, the company experienced a significant data breach. A sophisticated extortion group launched a dark web data leak site, threatening to expose sensitive information stolen from major organizations whose customer data was stored in Salesforce instances. The attackers claimed to have exfiltrated approximately one billion records.
When the cybercriminals demanded payment from both Salesforce and the affected companies, Salesforce took a firm stance, publicly refusing to engage, negotiate with or pay any extortion demand.
The Salesforce incident comes at a time when data breaches are increasing in both frequency and cost. According to IBM's 2025 Cost of a Data Breach Report, U.S. organizations now face an all-time high of $10.22 million per incident, a 9% increase from 2024, driven by steeper regulatory fines and investigation costs. By the end of the first half of 2025, 1,732 data breaches had already been reported, a 10% increase over the same period in 2024.
Overview of the Salesforce breach
The Salesforce breach isn't necessarily a direct exploit of Salesforce, but an attack against its users and how they access the company's services.
While full details have not been completely disclosed, some clear indications of how the attack progressed are available.
The attackers used a technique known as voice phishing (vishing), in which a phone call rather than an email is used to trick users. Through these calls, attackers impersonated IT support staff and manipulated employees into authorizing malicious OAuth (Open Authorization) integrations, known in Salesforce as connected apps, within their Salesforce environments. Once connected, these fraudulent applications held valid API access to live customer data under the victim's own account, enabling large-scale data exfiltration that looked like the traffic of a legitimately authorized application and so did not trigger traditional security alerts.
The attackers claim the stolen data included high-value personal information such as names, email addresses, phone numbers, dates of birth, passport numbers, employment histories, loyalty program credentials and internal business records. The group claimed to have compromised approximately one billion records from organizations using Salesforce with third-party integrations such as the Salesloft Drift AI chatbot.
The attacker group identifies itself as Scattered Lapsus$ Hunters and it has connections to other cyberattacker organizations including ShinyHunters, Scattered Spider and LAPSUS$.
The attackers allegedly compromised information from 39 different organizations, including household names such as Cisco, Disney, FedEx, Marriott, McDonald's, Toyota and Walgreens.
The Salesforce breach also exposes a critical weakness in how organizations approach vendor ecosystems. The attackers didn't exploit a vulnerability in Salesforce's core platform; instead, they manipulated human behavior through social engineering.
The attack against Salesforce and its users reflects a fundamental shift in where enterprise data now lives, according to Ira Winkler, CISO and vice president at CYE and former chief security architect for Walmart.
"Nearly every large organization is moving infrastructure and data to SaaS platforms, leaving relatively little value on internal systems. Salesforce is one such high-value target," Winkler said. "Criminals follow the data. They've shifted both targets and tactics toward SaaS providers because that's where valuable information and access now reside."
Timeline of events:
- April 2024 - September 2025: Threat actors conduct voice phishing campaign targeting Salesforce customers
- Oct. 3, 2025: Scattered Lapsus$ Hunters launches dark web extortion site listing 39 victims
- Oct. 7-8, 2025: Salesforce publicly refuses to pay ransom demands
- Oct. 10, 2025: Extortion deadline passes
- Oct. 12-13, 2025: Group leaks data from six victims: Albertsons, Engie Resources, Fujifilm, Gap, Qantas and Vietnam Airlines
Why this matters to IT leadership
The Salesforce breach exposes a series of critical weaknesses in modern enterprise technology strategy, including:
Trust and reputation
Exposed personal data erodes customer confidence, triggering attrition and brand damage that takes years to rebuild. For publicly traded companies, breaches often translate directly into stock volatility and shareholder pressure.
Operational risk
CRM platforms are mission-critical infrastructure. The IBM report found nearly all breached organizations suffered operational disruption, with most requiring over 100 days for recovery.
Dave Tyson, CIO at iCOUNTER and former chief information security officer at SC Johnson, PG&E and eBay, captures the core challenge behind the type of supply chain risk that the Salesforce breach represents.
"Any breach is bad, but breaches you cannot control, and for which you have no inside information from the breached entity, are a nightmare for cyber defenders," Tyson said.
Andy Bennett, chief information security officer at Apollo Information Systems, echoed Tyson's sentiment.
"The complete lack of control over how to handle and mitigate the incident that is actually happening outside your organization is vastly different from handling an incident in your own systems," Bennett said.
Regulatory exposure
Organizations must deal with mandatory notifications, regulatory investigations and heightened scrutiny. There is also the risk of fines from compliance regulations, such as GDPR and CCPA, which can carry substantial penalties and enable class-action lawsuits.
Supply chain risk
The Salesforce breach underscores that the attack surface now extends through every vendor integration. Compromised OAuth tokens can provide attackers with persistent access and lateral movement capabilities across connected systems.
Risks to the company
The Salesforce breach creates four interconnected threat vectors that compound organizational risk.
1. Data theft and fraud
The Salesforce breach exposed personal information including names, emails, phone numbers, dates of birth, passport numbers and employment histories. That type of personally identifiable information (PII) provides cybercriminals with tools for identity theft, financial fraud and targeted social engineering.
"Ongoing secondary attacks using the stolen data are also a major concern," Bennett said. "Attackers could now convincingly approach you as a client, as a provider, or even as someone working on the incident."
2. Business continuity
Organizations require an average of 241 days to identify and contain breaches, according to the 2025 IBM Cost of a Data Breach report. During investigation and remediation, IT teams must restrict access, implement additional authentication, and limit functionalities. For Salesforce-dependent organizations, these restrictions can halt revenue-generating activities.
"CRMs, ERPs and other enterprise systems create huge risks and complexities to understand which data has been lost, what the implications are, and how it could be used against you or your customers," Tyson said. "Loss of proprietary information creates business impact, competitive data exposure can create customer frustration and difficult sales conversations on pricing and terms, and technical data loss can bring the attackers back over and over when the data is resold in the darknet year after year."
3. Reputational damage
Customer attrition, investor scrutiny and negative media coverage can lead to reputational damage and brand erosion. Breaches can also derail succession planning when board members question leadership competence, disrupting it at critical junctures.
While difficult to quantify, reputational damage often represents an enduring consequence, affecting customer retention and competitive positioning long after technical remediation is complete. Winkler noted that, somewhat ironically, when a breach involves a major SaaS provider, reputational damage to the impacted organization is often minimal.
"Even if our employees fall victim to phishing, the public and media tend to blame the provider," Winkler said. "A breach is still a breach, but the level of concern depends on how much data is exposed and how sensitive it is."
4. Financial implications
Data breaches incur multiple types of costs. Direct costs include forensic investigations, legal counsel, regulatory fines, breach notifications, credit monitoring and settlements. Indirect costs include lost revenue, decreased retention, elevated insurance premiums and long-term brand valuation impact.
With a third-party incident like this one, it can be difficult to establish early on what the actual financial impact will be.
"Remediation costs and identifying the realistic liability to your customers associated with a breach of your data through a third party can be hard to pin down," Bennett said.
Next steps for leadership
As is the case with any data breach, responding effectively to the Salesforce breach requires both immediate tactical actions and strategic long-term initiatives.
IT leaders can mitigate the risks related to the breach with the following steps:
Immediate assessment
Organizations must move quickly to understand breach impact and exposure in the first 24-72 hours.
Winkler focuses on attack mechanics as part of the immediate assessment phase. His top three priorities in the first 24 to 72 hours are:
- Understand the nature of the mechanics of the breach.
- Identify which identities were compromised.
- Determine the scope of the incident and the type of data affected.
Bennett prioritizes regulatory compliance as part of his plans for immediate assessment. He noted that he would look to understand any regulatory obligations the company has related to the breach. For example: is it necessary to file a notice with the SEC, and which state notification laws apply based on the company's home state and the states where affected clients live?
Tyson emphasizes ecosystem visibility to better understand the whole scope of the incident.
"Gather as much information as you can about the event from the view of the third party, the attacker, other victims and your own internal systems with two-way connections," Tyson said. "Understand what other organizations have been impacted by the event and scrutinize their connections to you; if they are impacted, the problem can come to you through them because not all organizations have robust security programs."
Strengthen technical controls
There are also some immediate actions that organizations can take to improve technical controls: requiring multi-factor authentication for all Salesforce users, reviewing existing OAuth grants and revoking any issued to unrecognized or unapproved connected apps, implementing stricter approval processes for new integrations, and deploying monitoring for unusual API and data-export activity.
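The review-and-revoke step above is the one most teams can script. The following is an added example, not code from the article, from Salesforce or from any of the quoted experts. It triages connected-app OAuth grants for the two patterns this incident turned on: an app the organization never approved (including a look-alike whose name mimics an approved app) and a freshly authorized app that immediately generates bulk API traffic. The record shape mirrors the fields a SOQL query against Salesforce's `OauthToken` object returns (`Id`, `AppName`, `UserId`, `UseCount`, `CreatedDate`, `LastUsedDate`); the approved-app list, thresholds, clock and sample rows are all constructed for illustration, and the revocation endpoint is an assumption built from Salesforce's sObject REST pattern that should be confirmed against your org's API version.

```python
"""Triage of Salesforce connected-app OAuth grants (added example, not from the article).

Assumptions (not in the article): the approved-app list, thresholds and sample
records below are invented; the DELETE path in revocation_requests() follows
Salesforce's generic sObject REST pattern and must be verified for your org.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Connected apps formally approved through change management (assumed list).
APPROVED_APPS = {"Salesforce Data Loader", "Outlook Integration", "Slack"}
NEW_APP_WINDOW = timedelta(days=7)   # a grant this recent deserves a second look
BULK_USE_THRESHOLD = 500             # API calls; tune to the org's own baseline


@dataclass
class TokenRecord:
    """One row from: SELECT Id, AppName, UserId, UseCount, CreatedDate, LastUsedDate
    FROM OauthToken. Field names are Salesforce's; the values used here are constructed."""
    record_id: str
    app_name: str
    user_id: str
    use_count: int
    created: datetime
    last_used: datetime


@dataclass
class Finding:
    record_id: str
    app_name: str
    user_id: str
    reasons: list = field(default_factory=list)


def _normalize(name: str) -> str:
    # Collapse case, spacing and punctuation so "DataLoader" collides with "Data Loader".
    return re.sub(r"[^a-z0-9]", "", name.lower())


def triage_tokens(tokens, now, approved=APPROVED_APPS):
    """Return a Finding for every grant that is unapproved, mimics an approved
    app's name, or was authorized recently and is already pulling data in bulk."""
    approved_norm = {_normalize(a): a for a in approved}
    findings = []
    for t in tokens:
        reasons = []
        if t.app_name not in approved:
            twin = approved_norm.get(_normalize(t.app_name))
            if twin:
                reasons.append(f"name mimics approved app '{twin}'")
            else:
                reasons.append("app not on approved list")
        age = now - t.created
        # An approved name is not a free pass: a malicious app can reuse it,
        # so a brand-new grant with heavy use is flagged regardless of name.
        if age <= NEW_APP_WINDOW and t.use_count >= BULK_USE_THRESHOLD:
            reasons.append(f"{t.use_count} API calls within {age.days} days of authorization")
        if reasons:
            findings.append(Finding(t.record_id, t.app_name, t.user_id, reasons))
    return findings


def revocation_requests(findings, api_version="v61.0"):
    """REST calls that revoke each flagged grant by deleting its OauthToken row.
    ASSUMED path (generic sObject DELETE); confirm against your API version."""
    return [("DELETE", f"/services/data/{api_version}/sobjects/OauthToken/{f.record_id}")
            for f in findings]


# Constructed sample data: one benign long-standing grant, one look-alike app
# exfiltrating in bulk, one unknown app, and an approved name with suspicious volume.
NOW = datetime(2025, 10, 1, 12, 0)
SAMPLE_TOKENS = [
    TokenRecord("tok-001", "Salesforce Data Loader", "005A1", 40,
                datetime(2025, 3, 15), datetime(2025, 9, 30)),
    TokenRecord("tok-002", "Salesforce DataLoader", "005B2", 1200,
                datetime(2025, 9, 28), datetime(2025, 9, 29)),
    TokenRecord("tok-003", "Helpdesk Connector", "005C3", 3,
                datetime(2025, 9, 29), datetime(2025, 9, 29)),
    TokenRecord("tok-004", "Outlook Integration", "005D4", 900,
                datetime(2025, 9, 27), datetime(2025, 9, 30)),
]

if __name__ == "__main__":
    flagged = triage_tokens(SAMPLE_TOKENS, NOW)
    for f in flagged:
        print(f"{f.record_id} {f.app_name!r} user={f.user_id}: {'; '.join(f.reasons)}")
    for method, path in revocation_requests(flagged):
        print(method, path)
```

In a real org the rows come from the query named in the `TokenRecord` docstring, and the review should be rerun on a schedule rather than once, since a grant authorized the day after the review looks exactly like the malicious ones here. Revoking the token stops the exfiltration; it does not recover data already pulled, which is why the volume check matters as a detection and not only as a cleanup.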
"What is needed now is active ecosystem compromise monitoring, to ensure you can get in front of the active compromises," Tyson said. "The days of scorecards and posture scores being relevant are long in the past."
Address the human element
This breach exploited human behavior rather than technical vulnerabilities. Employees need training to understand that legitimate IT support never asks them to approve a connected app or read back an OAuth authorization code over the phone, nor pressures them to act urgently without verification. Organizations should implement clear verification procedures in which employees independently confirm unexpected requests through official IT channels rather than the channel the request arrived on.
Organizations must also prioritize IT knowledge transfer to ensure multiple team members understand OAuth authorization processes and can recognize social engineering attempts.
Prepare for crisis response
Organizations should review incident response plans to address third-party platform compromises, clearly defining roles, escalation procedures, and communication strategies for multiple audiences.
"Understanding the potential impact of a SaaS or CRM data leak should be built into an organization's overall risk exposure and quantification efforts," Winkler said. "The type of data, the industry and the scale of the breach all influence the cascading risks that follow. All of this should be proactively addressed through continuous cyber risk quantification and mitigation planning."
Transform third-party risk management
Traditional approaches for third-party risk management are not enough for the current threat landscape.
Tyson calls for fundamental change, with a paradigm shift in thinking about IT risk management for third-party technologies.
"Checklists, posture assessments and compliance reports are for managing the risks of the early 2000s," Tyson said. "In an AI-enabled world where speed to attack has evolved from months to weeks to days, you have to treat your entire ecosystem as part of your attack surface."
Looking at practical guidance, Bennett recommends the following:
- Check and double-check security configurations regularly.
- Understand what type and how much data are given to third parties.
- Periodically review all third-party add-ons and connections.
- Make access reviews and cleanup common practices, not just once-a-year checkups.
- Push SaaS vendors to make security features available by default, not as paid premium features.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.