Salesforce environments and their ecosystem of ISVs have become a prime target for cybercriminals in 2025. Two distinct attack patterns emerged this year. First ShinyHunters’ OAuth token abuse campaign, which infiltrated multiple Salesforce customer orgs through malicious connected apps. Next The Salesloft Drift breach, a supply-chain attack where attackers stole OAuth tokens en masse from a popular ISV integration.
Together, these incidents reveal how attackers bypass traditional defenses like MFA and focusing instead on weak spots in OAuth integrations and user trust.
Table of contents
The ShinyHunters Campaign: Social Engineering Meets OAuth
Beginning in the spring, threat group ShinyHunters executed a wave of Salesforce data thefts through a clever social engineering play. By impersonating IT help desk staff, attackers tricked employees into authorizing a malicious Salesforce connected app.
Once the app was authorized, attackers gained a long-lived OAuth refresh token, allowing them to pull data via Salesforce APIs indefinitely—without needing passwords or triggering MFA.
Notable Victims
- Farmers Insurance – 1.1M customer records exposed (May 2025)
- Coca-Cola Europacific Partners – 23M Salesforce records stolen
- Allianz Life – most of 1.4M customer records compromised (July)
- Google Ads Salesforce instance – 2.55M business contacts taken
- Chanel, LVMH, Adidas, Qantas – customer data quietly siphoned
The fallout was significant: customer PII was stolen, extortion attempts were made, and in several cases (e.g., Allianz, Chanel), stolen data later appeared on underground forums.
Salesloft Drift: A Supply-Chain Breach at Scale
In August, the focus shifted from social engineering to a direct ISV compromise. Attackers identified as UNC6395 infiltrated Salesloft’s Drift integration and stole OAuth tokens tied to Salesforce connections.
With these tokens, the attackers impersonated Drift’s app in hundreds of Salesforce orgs, exfiltrating customer support cases, leads, and contact records. The scope was wide, with security vendors like Cloudflare, Zscaler, and SpyCloud confirming impacts.
Case in Point: Cloudflare
Between August 12–17, attackers pulled entire support case histories from Cloudflare’s Salesforce instance. Buried in those cases were 104 customer API tokens, which Cloudflare immediately revoked and rotated. The attackers also combed through data for AWS keys, passwords, and other cloud credentials—hinting at a motive of credential harvesting for future intrusions.
Containment Measures
- Aug. 20: Salesforce and Salesloft revoked all Drift tokens and pulled the app from AppExchange.
- Aug. 28: Salesforce went further, disabling all Salesloft integrations platform-wide.
- Google revoked associated Gmail Drift tokens after detecting related compromise.
Lessons for the Ecosystem
These incidents illustrate a broader truth: Salesforce itself was not breached. Instead, attackers exploited the weakest links—users and ISVs. It’s that good old Shared Security Model biting users in the butt once again.
Key Takeaways
Here are the key lessons from this event.
- Salesforce security awareness matters. Many Salesforce sites lack the professional awareness and auditing skills required to keep sites safe. Think about upgrading your skills and staffing.
- OAuth tokens are the new crown jewels. Once issued, they bypass MFA and give API-level access that is hard to monitor.
- ISVs are part of your attack surface. The Salesloft case shows how one vendor compromise can cascade across hundreds of orgs.
- User training still matters. ShinyHunters succeeded by convincing employees to authorize apps.
- Audit your connected apps. Few enterprises monitor OAuth grants closely, leaving attackers with a blind spot to exploit.
What Enterprises Should Do
Besides taking advantage of SaaS Security Posture Management (SSPM) packages like AutoRABIT Guard or AppOmni, here are some immediate actions you should take to keep your Salesforce instance safe.
- Audit all Salesforce connected apps for scope and necessity.
- Revoke unused OAuth tokens; rotate credentials regularly.
- Apply least-privilege scopes and IP restrictions on integrations.
- Monitor for anomalies: sudden surges in SOQL queries, API calls, or new app authorizations.
- Train staff to treat any “IT support” request for Salesforce codes or integrations with extreme caution.
Why This Matters
The 2025 Salesforce attacks mark a turning point. Cybercriminals are moving from password theft to integration abuse. As enterprise SaaS ecosystems grow more interconnected, attackers will increasingly target the seams—OAuth, ISVs, and help-desk trust.
Salesforce customers and ISVs alike must treat OAuth governance and ISV security posture as first-class priorities. Otherwise, the next spree will make 2025 look like a rehearsal.

