Root Cause of the Salesforce Breach


The root cause of the major Salesforce breaches that began around May 2025 was not a technical vulnerability in the Salesforce platform itself, but rather a combination of sophisticated social engineering attacks and the abuse of OAuth-connected app permissions. The attackers targeted employees at organizations using Salesforce, such as Google, Adidas, Chanel, and others, by impersonating IT or Salesforce support staff through voice phishing (vishing) calls. They convinced these employees, often with administrative privileges, to install a malicious version of the Salesforce Data Loader or to authorize a seemingly legitimate connected app.

Once the malicious app was installed or authorized, it initiated an OAuth flow, requesting broad access permissions. Victims, believing the app to be legitimate, granted these permissions, which allowed attackers to obtain OAuth tokens. These tokens provided persistent, privileged access to Salesforce data, bypassing multi-factor authentication (MFA) and other security controls. Attackers then used Salesforce’s APIs to exfiltrate large volumes of sensitive data, including customer contact details, sales notes, and, in some cases, HR or policyholder information.

Key points of the root cause:

  • Social engineering (vishing): Attackers tricked employees into installing or authorizing malicious apps.
  • OAuth token abuse: Malicious apps were granted broad permissions, allowing attackers to bypass MFA and gain persistent access.
  • Human-centric breach: The attack exploited trust and familiarity, not a technical flaw in Salesforce.
  • Misconfiguration and over-permissioned accounts: Many organizations lacked sufficient controls over app authorizations and user permissions, thereby increasing the risk and impact of such attacks.

How to Prevent Similar Breaches in the Future

To prevent similar breaches, organizations must adopt a multi-layered security approach that addresses both technical and human factors. Security experts, Salesforce, and industry best practices recommend the following measures:

1. Enforce Multi-Factor Authentication (MFA) Everywhere

  • Require MFA for all users, including those accessing Salesforce and any connected third-party apps. This adds a critical layer of defense against credential theft.

2. Strengthen OAuth and Connected App Governance

  • Implement strict controls and approval workflows for authorizing new connected apps.
  • Regularly audit all connected apps and their permissions, removing unnecessary or unused integrations.
  • Monitor for unusual or unauthorized app authorizations in real time.

3. Apply the Principle of Least Privilege

  • Limit user and app permissions to only what is necessary for their roles and functions.
  • Regularly review and update user roles, profiles, and access rights to prevent privilege creep and ensure ongoing security.

4. Conduct Regular Security Awareness Training

  • Train employees to recognize and report social engineering attempts, such as phishing and vishing.
  • Emphasize the importance of verifying requests for software installations or app authorizations, especially those received via phone or email.

5. Restrict Access with Trusted IP Ranges and Login Controls

  • Configure Salesforce to allow logins only from trusted IP addresses and during approved hours.
  • Block logins from suspicious or untrusted locations.

6. Enable Data Encryption

  • Encrypt sensitive data at rest and in transit using Salesforce Shield Platform Encryption or similar tools.

7. Monitor and Audit Activity

  • Use Salesforce Health Check, event monitoring, and audit logs to track user activity, configuration changes, and access patterns.
  • Set up automated alerts for anomalous behavior, such as large data exports or new app authorizations.
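The two detections called for above and under "Strengthen OAuth and Connected App Governance" (new connected-app authorizations outside an approved list, and large API reads by a single user/app pair) can be expressed as a small triage script. This is an added example, not Salesforce tooling: the CSV layout, field names, app names and thresholds are constructed approximations of an event-monitoring extract, not the exact Salesforce EventLogFile schema.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: a simplified, CSV-shaped extract of Salesforce event
# monitoring data. Field names approximate, and do not match, the real
# EventLogFile schema; "OAuthAuthorize" and "API" are constructed event types.
SAMPLE_EVENTS = """\
timestamp,user,event_type,client_name,object,rows
2025-05-12T09:01:00Z,alice,OAuthAuthorize,Unverified Loader,,0
2025-05-12T09:03:00Z,alice,API,Unverified Loader,Account,5000
2025-05-12T09:04:00Z,alice,API,Unverified Loader,Contact,50000
2025-05-12T09:05:00Z,alice,API,Unverified Loader,Opportunity,45000
2025-05-12T10:00:00Z,bob,API,Salesforce for Outlook,Contact,40
2025-05-12T11:00:00Z,carol,OAuthAuthorize,Slack,,0
"""

# Assumed governance inputs: the org's approved connected apps and the number
# of rows one user/app pair may read before an analyst should look.
ALLOWLISTED_APPS = {"Salesforce for Outlook", "Slack", "Data Loader"}
EXPORT_ROW_THRESHOLD = 10_000


def parse_events(text):
    """Parse the CSV extract into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def detect_unapproved_authorizations(events, allowlist=ALLOWLISTED_APPS):
    """Return authorization events for connected apps not on the approved list.

    Any app that a user consented to but that never went through the
    approval workflow is the signal of interest, whatever it calls itself.
    """
    return [
        e for e in events
        if e["event_type"] == "OAuthAuthorize" and e["client_name"] not in allowlist
    ]


def detect_bulk_exports(events, threshold=EXPORT_ROW_THRESHOLD):
    """Sum rows read per (user, app) via the API and return pairs over threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["event_type"] == "API":
            totals[(e["user"], e["client_name"])] += int(e["rows"])
    return {pair: rows for pair, rows in totals.items() if rows > threshold}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for e in detect_unapproved_authorizations(evts):
        print(f"ALERT unapproved app authorized: {e['user']} -> {e['client_name']}")
    for (user, app), rows in detect_bulk_exports(evts).items():
        print(f"ALERT bulk read: {user} via {app} read {rows} rows")
```

In practice the row counts per user/app pair would be summed over a sliding window and the allowlist fed from the connected-app approval records rather than a hard-coded set.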

8. Secure Third-Party Integrations

  • Carefully vet all third-party apps and integrations to ensure their security posture and necessity.
  • Use OAuth scopes to limit the data and actions accessible to each integration.

9. Regularly Back Up Data

  • Implement automated, regular backups of Salesforce data and test restoration procedures to ensure business continuity in case of a breach.

10. Implement Zero-Trust Security Principles

  • Continuously verify user identities and device health before granting or maintaining access.
  • Assume no user or device is inherently trusted and enforce least-privilege access at every step.

11. Stay Current with Security Updates and Best Practices

  • Regularly review Salesforce’s security advisories and update configurations as needed.
  • Align security practices with recognized frameworks such as NIST, CIS, and ISO to give security management a structured, repeatable approach.

12. Incident Response and Recovery Planning

  • Develop and test incident response plans tailored to cloud and SaaS environments.
  • Ensure regular backups and disaster recovery processes are in place.

Conclusion

The Salesforce breaches were fundamentally enabled by human error, social engineering, and insufficient governance of connected apps and OAuth tokens, rather than a technical flaw in Salesforce itself. To prevent similar incidents, organizations must combine robust technical controls (such as MFA, least privilege, and monitoring) with strong user education and vigilant management of third-party integrations. By adopting these best practices, companies can significantly reduce their risk of falling victim to similar attacks in the future.
