The Salesforce Breach (2025)

1 Billion Records Stolen. 40 Global Organizations Affected.

The "Vishing" attack that proved your data is only as safe as the 3rd-party apps connected to it.


📞 "Vishing"

Attackers didn't hack code; they hacked humans. They used Voice Phishing, posing as IT support to trick employees into giving up access.

🔗 The Supply Chain

It wasn't a flaw in Salesforce itself. Attackers hacked Drift (via Salesloft), a 3rd-party app integrated into Salesforce, to steal the keys.

🌍 The Impact

McDonald's, Disney, FedEx, and Google were hit. It wasn't their servers that failed, but the interconnected mesh of SaaS tools.

The Timeline of Deception

Oct 2024

The Setup

Group UNC6040 begins calling employees (Vishing), pretending to be IT help desk support. They steal login credentials and MFA codes.

Mar - Jun 2025

The GitHub Heist

Hackers compromise Salesloft's GitHub repositories. They find the "Keys to the Castle" (OAuth tokens) for the Drift app integration.

Aug 2025

Mass Exfiltration

Using the stolen tokens, attackers bypass login screens entirely. They query databases of 40 major companies, stealing nearly 1 Billion records.

Oct 2025

Extortion & Leak

Hackers launch a TOR site and demand ransom. When Salesforce refuses to pay, data from Qantas, Gap, and others begins leaking. The FBI seizes the extortion site.

Technical Breakdown

1. OAuth Tokens

Think of these as "Digital Hotel Key Cards." Once the hackers stole the tokens from the Drift app, they could enter the Salesforce "rooms" of companies like Disney without needing a password.

2. Non-Human Identities

Security teams watch humans logging in. They rarely watch "Service Accounts" or apps. The hackers acted as the Drift App, so they went unnoticed for weeks.

3. Vishing Mechanics

Attackers directed victims to fake login portals. When the victim entered their 2FA code, the attacker captured it in real time and used it to log in with valid credentials.
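Added example (not part of the original page): one way to watch the non-human identities from point 2 is to baseline each connected app's own behavior and flag token use from a new source or with an unusually large read. The log format, column names, app names, IP addresses and thresholds are assumptions constructed for illustration, not a real Salesforce log schema.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample of API access by connected apps (non-human identities).
# Column names, app names and IPs are invented for this example.
SAMPLE_LOG = """\
day,app,source_ip,rows_returned
2025-08-01,drift-integration,198.51.100.10,120
2025-08-02,drift-integration,198.51.100.10,95
2025-08-03,drift-integration,198.51.100.10,140
2025-08-03,billing-sync,192.0.2.5,40
2025-08-04,drift-integration,198.51.100.10,110
2025-08-08,drift-integration,203.0.113.77,250000
2025-08-09,drift-integration,198.51.100.10,130
2025-08-09,billing-sync,192.0.2.9,45
"""


def find_anomalies(log_text, min_history=3, volume_factor=10):
    """Flag app-token activity that departs from that app's own baseline."""
    known_ips = defaultdict(set)   # app -> source IPs seen in normal use
    history = defaultdict(list)    # app -> rows returned by normal requests
    alerts = []
    for ev in csv.DictReader(io.StringIO(log_text)):
        app, ip, rows = ev["app"], ev["source_ip"], int(ev["rows_returned"])
        reasons = []
        # Only judge an app once it has enough history; earlier events are
        # trusted as baseline, so the learning window must predate any compromise.
        if len(history[app]) >= min_history:
            if ip not in known_ips[app]:
                reasons.append("new source IP")
            if rows > volume_factor * median(history[app]):
                reasons.append("bulk read")
        if reasons:
            # Do not learn from flagged events, or the attacker's traffic
            # would become the new "normal".
            alerts.append((ev["day"], app, ip, reasons))
        else:
            known_ips[app].add(ip)
            history[app].append(rows)
    return alerts


if __name__ == "__main__":
    for day, app, ip, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{day} {app} from {ip}: {', '.join(reasons)}")
```

The `billing-sync` event from a second IP is not flagged because that app has too little history to judge, which is the trade-off of any learning window.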

Consumer Defense: Protecting Yourself

You don't run a Salesforce instance, but your data is inside them. Here is how to stay safe when big companies leak your info.

❄️ 1. Freeze Your Credit

With names, addresses, and emails stolen, Identity Theft is the biggest risk. Freezing your credit at Equifax, Experian, and TransUnion stops hackers from opening loans in your name.

📞 2. Verify the Caller (Vishing Defense)

If "IT Support" or "The Bank" calls you asking for a code, Hang Up. Call them back on the official number listed on their website. Never trust an incoming call.

🔐 3. Phishing-Resistant MFA

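SMS codes can be phished. Switch to app-based authentication (like Google Authenticator) or hardware keys (YubiKey), which are much harder for scammers to steal. Of the two, only hardware keys resist the real-time fake login portals described above, because a code typed in from an authenticator app can be relayed just like an SMS code.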

🔍 4. Digital Cleanup

Use "Have I Been Pwned" to check if your email was in the Salesforce breach. If it was, change your passwords and watch your bank statements for small test charges.
