Case Study: The 2025 Salesforce CRM Breach Wave

Google, Air France/KLM, Workday and TransUnion – When Third-Party SaaS Becomes the Weakest Link leading to Salesforce CRM Breach

Salesforce CRM Breach

Why Salesforce CRM Breach case matters

In mid–2025, a coordinated cyber campaign hit dozens of major enterprises by targeting their Salesforce CRM environments and connected apps, not their core networks.

Victims named in public reporting include Google, Air France–KLM, Workday, TransUnion, plus brands like Adidas, Allianz Life, Qantas, Disney, UPS and others.

Attackers:

  • Used social engineering (vishing/SMS) to trick employees and support staff
  • Abused OAuth apps, access tokens and API permissions to gain API-level access to Salesforce tenants
  • Exfiltrated hundreds of millions of customer/contact records, later claiming nearly 1 billion records stolen from ~39–40 companies.

Salesforce repeatedly stated that its core platform wasn’t breached; instead, customers’ environments and integrations were compromised.

From a risk-management perspective this is a classic third-party / SaaS supply-chain failure: the platform is “fine”, but the combination of trusted integrations + human error + weak tenant controls creates systemic exposure.

Salesforce CRM Breach: Threat actors and campaign overview

Multiple sources attribute this wave to a loosely aligned cybercrime “super-group” often called Scattered LAPSUS$ Hunters – a coalition of actors linked to ShinyHunters, Scattered Spider, and Lapsus$.

Key characteristics of the campaign:

  • Target: Salesforce customer tenants, not Salesforce’s own core infrastructure
  • Vector: Social engineering (vishing, SMS, fake IT/HR contacts), then malicious OAuth / connected apps
  • Access: Abuse of OAuth tokens and API access to pull data via legitimate Salesforce APIs
  • Motive: Data theft + extortion, with dark-web leak sites used for pressure

Reuters summarized it starkly: the group claimed to have stolen nearly one billion Salesforce records by targeting clients via social engineering and manipulated tools such as a Trojanised Data Loader, not by exploiting a direct Salesforce vulnerability.

Salesforce CRM Breach: How the attacks actually worked

Across Google, Air France/KLM, Workday, TransUnion and others, the pattern is consistent:

3.1 Social engineering phase

  • Attackers called or texted employees, impersonating internal IT or support staff, and tricked them into:
    • Approving malicious connected/OAuth apps
    • Entering one-time codes from MFA prompts
    • Installing or authorising tainted tools such as fake versions of Salesforce Data Loader or integrations like Drift/Salesloft.
  • This allowed attackers to obtain legitimate OAuth tokens and session cookies – effectively bypassing MFA without needing passwords.

3.2 OAuth / API abuse

Once they had trusted OAuth tokens or a connected-app foothold:

  • Threat actors used Salesforce APIs (and APIs from integrated tools) to systematically pull large datasets of contacts, leads, cases, and other CRM objects.
  • In some analyses, the breach is explicitly linked to excessively broad or misconfigured OAuth scopes and API permissions that allowed the apps to read far more data than strictly necessary.

Security write-ups describe this as an OAuth / API supply-chain attack: instead of breaking in, the attackers borrow the victim’s own app trust relationships to move data out “legitimately”.

Salesforce CRM Breach: Concrete victim snapshots

4.1 Air France / KLM – loyalty and contact-center data

In July–August 2025, Air France and KLM disclosed a breach linked to a third-party customer-service / CRM tool used in their contact centers reported by several outlets as part of the Salesforce-focused campaign.

Data exposed included:

  • Customer names
  • Contact details (email, phone)
  • Flying Blue loyalty program numbers and tier levels
  • Email subject lines relating to customer support requests

They stated that no payment cards, passwords, passports or loyalty miles were compromised.

Risk-management angles:

  • Airline contact-center CRM as a critical third-party system
  • Concentration risk: both airlines share the same environment and vendor
  • Reputation risk in a heavily regulated, customer-sensitive sector

4.2 Google – internal Salesforce environment targeted

Threat-intel write-ups describe a specific Google Salesforce breach attributed to UNC6040 / ShinyHunters:

  • Attackers used advanced social engineering + OAuth abuse to gain access to a Salesforce environment within Google’s corporate infrastructure.
  • No evidence of a direct Google Cloud or core Google system compromise – this was about CRM and customer-related data.
  • Data was described as including business contact records and case data, which could be weaponised for targeted phishing and extortion even if it wasn’t the most sensitive internal IP.

Google’s own threat-intelligence team then went public, warning that this was part of a larger SaaS ecosystem campaign, not a one-off.

4.3 Workday – third-party CRM breach

In mid-August 2025, Workday confirmed a breach tied to a “third-party CRM platform”, widely reported as Salesforce:

  • Attackers impersonated HR / IT personnel via text and phone, tricking employees into granting access.
  • Data exposed: business contact details – names, email addresses, phone numbers, and other customer/prospect contact info. Workday stressed that core tenant data and HR/financial records were not affected.

Analysts and media framed this as proof of weak third-party SaaS governance: a company that sells cloud software itself was hit because of a less-controlled external CRM connector.

4.4 TransUnion – credit-reporting data via Salesforce app

TransUnion disclosed a breach affecting about 4.46 million individuals in the US, first dated to July 28, 2025.

Key points:

  • The incident was explicitly linked by commentators to the same Salesforce-centered attack wave impacting Google, Air France–KLM, Allianz Life, Workday and others.
  • Data types included: names, addresses, phone numbers, birth dates, partial Social Security information and other identity data—highly valuable for fraud.
  • TransUnion pointed to a third-party application as the entry point; Salesforce itself again stated its core platform was not compromised.

This is particularly serious because TransUnion is a credit-reporting agency; exposure of even partial SSNs and identity attributes significantly increases identity-theft and fraud risk.

Salesforce CRM Breach: Scale of the breach wave

Various sources piece together the scale:

  • Reuters: group “Scattered LAPSUS$ Hunters” claimed almost 1 billion Salesforce records stolen from ~40 organizations.
  • SecurityWeek: hackers listed brands including Air France/KLM, Google, TransUnion, UPS, Workday on their leak site.
  • Gurucul’s threat-intel blog broke down the attackers’ claim into hundreds of millions of account, contact, case and opportunity records from the Salesforce ecosystem.
  • Multiple security firms describe it as a “Salesforce Breach Wave of 2025” or a “massive OAuth supply-chain breach”.

Even allowing for attacker exaggeration, independent confirmations (Workday, Air France/KLM, TransUnion, Allianz, others) show this was one of the largest SaaS-ecosystem data-theft campaigns to date.

Salesforce CRM Breach: Root cause themes

6.1 Social engineering of humans, not bypass of Salesforce code

FBI-style indicators and vendor blogs agree:
the primary “exploit” was trust in people and processes, not a Salesforce zero-day.

  • Attackers impersonated IT/support staff (vishing)
  • Convinced staff to approve malicious apps or relay codes
  • Once an app/token was trusted, they could skip traditional login paths entirely.

6.2 Over-permissive or misconfigured OAuth / API access

Technical analyses emphasize:

  • OAuth scopes and API permissions on connected apps were broad enough to allow mass read access to objects like Contacts, Accounts, Cases, Opportunities.
  • In some environments, API Access Control and app-approval workflows were not enforced, so once a token was obtained, there were few internal barriers to bulk export.

FireCompass, Sangfor and others explicitly mention “exploited API vulnerabilities and possibly misconfigured permissions” as key amplifiers of the attack’s impact.

6.3 SaaS supply-chain and integration risk

The campaign also rode on third-party app chains:

  • Compromising tools like Drift, Salesloft, Gainsight or Data Loader clones provided OAuth tokens into multiple Salesforce tenants at once.
  • This turned one vendor’s compromise into a multi-customer, multi-industry breach.

This is a pure SaaS supply-chain problem: each extra integration multiplied the blast radius.

6.4 Weak monitoring and anomaly detection in SaaS

For many victims, the first clear sign of trouble came after data was already stolen, when:

  • Attackers began extortion on leak sites
  • Or vendors like Salesforce/Google/Mandiant notified them based on threat-intel.

This suggests:

  • Insufficient anomaly monitoring on Salesforce API usage (e.g., huge exports from unusual IPs)
  • Limited visibility into app-to-app access and OAuth token behavior

Salesforce CRM Breach: Impact analysis

7.1 Data types exposed

Across victims, stolen data included:

  • Customer and loyalty names, emails, phone numbers (Air France/KLM, Qantas, Allianz, others)
  • Business contact and prospect information (Workday, Google)
  • Identity attributes including addresses, dates of birth, partial SSNs (TransUnion, Allianz Life)
  • Case/interaction histories, potentially revealing complaints and customer-service issues.

While not always involving credit card data, the PII volume and richness make it extremely valuable for:

  • Identity theft
  • Sophisticated phishing
  • Long-term profiling and social engineering

7.2 Regulatory, legal and reputational fall-out

  • Salesforce faces at least 14 lawsuits in Northern California federal court tied to these attacks, with plaintiffs arguing it failed to detect and block malicious activity on its platform.
  • TransUnion, Allianz, Air France/KLM and others now face privacy and class-action exposure, particularly in US and EU jurisdictions.
  • For Google and Workday, the incident raised uncomfortable questions about internal SaaS hygiene, given they are themselves tech/security-savvy providers.

Even though many statements stress “no evidence of core system compromise”, the trust hit is substantial.

Salesforce CRM Breach: Risk-management lessons

8.1 Third-party SaaS ≠ “low risk”

CRM and contact-centre platforms hold mission-critical customer data.
They must be treated like core systems in ERM, not as peripheral utilities.

Implications:

  • Put major SaaS platforms (Salesforce, ServiceNow, etc.) and key integrations on the risk register
  • Apply formal vendor risk management: due diligence, security annexes, right to audit, breach reporting SLAs

8.2 Governance of OAuth, connected apps and API permissions

This wave shows that OAuth + APIs are the real perimeter in cloud:

  • Enforce “admin-approved” connected apps only; block everything else by default.
  • Regularly review OAuth scopes and ensure apps only have access to the minimum objects and fields they need.
  • Enable API Access Control / anomaly monitoring for large exports and unusual IPs or clients.

8.3 Harden processes against social engineering

  • Train IT and help-desk teams that phone/SMS requests to approve apps or relay MFA codes are high-risk by default.
  • Implement strong caller verification for internal support requests.
  • Include Salesforce and other SaaS admin consoles in vishing/phishing simulations.

8.4 Central SaaS security posture management

Given the sheer number of integrations:

  • Use SaaS security posture management (SSPM) or similar tools to continuously discover:
    • All connected apps
    • Their scopes and permissions
    • Where data can flow to and from.
  • Apply least privilege systematically across tenants.

8.5 Incident response playbooks for SaaS environments

Most IR plans are still data-center or endpoint-centric. After this case, teams need:

  • Specific playbooks for Salesforce and other SaaS breaches:
    • Revoking tokens
    • Auditing connected apps
    • Locking down suspicious accounts
  • Integrated coordination between security, CRM admins, and business owners when responding.

Salesforce CRM Breach: Mapping to standards and frameworks

Framework / Standard Relevance
NIST CSF 2.0 Cloud/SaaS in Identify–Protect–Detect–Respond–Recover; emphasises supply-chain and third-party risk.
NIST SP 800-204 / Zero Trust guidance Treat SaaS and APIs as untrusted; verify continuously.
ISO 27001 / 27017 Information security & cloud-security controls; vendor relationships, identity, API security.
NIST AI RMF For Salesforce-hosted AI/Einstein or ML-driven CRM components, governing data flows and misuse.
Regulatory regimes (GDPR, CCPA, sectoral privacy laws) Data minimization, security of processing, breach notification and fines where PII was insufficiently protected.

Salesforce CRM Breach: Practical board-level takeaways

  1. The risk surface has shifted from “servers” to “SaaS + integrations”.
  2. Third-party CRM failures can expose more customer data than an on-prem breach.
  3. OAuth tokens and API scopes need the same scrutiny as admin passwords and firewalls.
  4. Social engineering is still the easiest way in – even for elite cloud environments.
  5. Vendor risk, SaaS posture, and human-factor training must be integrated into your ERM.

Explore AI Risk Management courses offered by  Smart Online Course in association with RMAI and build your expertise in preventing and handling SaaS supply chain breach.

Related Course: Online Certificate in Supply Chain Risk Management

author avatar
RMAINDIA

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.